WinSCP 5.9.3 broke .pfx or .p12 files without passphrase / Certificate is encrypted, need passphrase

Makc666

P.S. Martin created https://winscp.net/tracker/1490

No problems with WinSCP 5.9.1.
After upgrading to WinSCP 5.9.3 the problem appeared.
Rolling back to WinSCP 5.9.1 solves the problem.

I have a PKCS12 file which has a private key and a certificate with chain certificates in it.
It was created using the command:
openssl pkcs12 -export -inkey <private_key_file>.key -in <you_cert_file_with_chain>.pem -out certificate_client_nopass.pkcs12.pfx -name <some_friendly_name_here>
While executing this command NO password was entered.
So I have a certificate_client_nopass.pkcs12.pfx file which is not encrypted with a password.

I start like:
winscp.com /ini=nul /script="FTPS_Script.txt"

FTPS_Script.txt has something like:
open ftpes://user:pass@ip:port/ -passive=on -explicit -certificate="*" -clientcert="certificate_client_nopass.pkcs12.pfx" -rawsettings CacheDirectories=0 CacheDirectoryChanges=0 FtpForcePasvIp2=0 FtpPingInterval=10 FtpListAll=1 SslSessionReuse=0 MinTlsVersion=12 -timeout=999

It is working perfectly in WinSCP 5.9.1.

After upgrading to WinSCP 5.9.3 it doesn't work any more.

WinSCP begins to write this message in the log file:
. 2016-12-08 14:54:43.011 Certificate is encrypted, need passphrase

I will attach two log files in the next message.

P.S.

<you_cert_file_with_chain>.pem file looks like:
subject=/L=Moscow/ST=Moscow/C=RU/O=Maxim/OU=Test/CN=test.com
issuer=/C=US/O=COMPANE/OU=Service Association/CN=External CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=COMPANE/OU=Service Association/CN=External CA
issuer=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
issuer=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


Last edited by Makc666 on 2016-12-22 09:13; edited 3 times in total
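
Added example (not part of the original post and not WinSCP code): a shell check, using the openssl CLI, that reports whether a .pfx opens with an empty passphrase, which helps separate a client-side regression like the one reported above from a file that really is protected. The function names and the generated sample files are assumptions made for this illustration; "test" is the sample passphrase used later in the thread.

```shell
#!/bin/sh
# Added example: does a PKCS#12 file open with the empty passphrase?
# Function names and sample files are constructed for this illustration.

# Prints: no-passphrase | passphrase-required | unreadable
pfx_passphrase_state() {
    # -noout suppresses key/cert output; "-passin pass:" supplies an empty
    # passphrase without prompting, so the check never blocks a script.
    if err=$(openssl pkcs12 -in "$1" -noout -passin pass: 2>&1); then
        echo no-passphrase
    # Relies on openssl's "Mac verify error: invalid password?" message.
    elif printf '%s\n' "$err" | grep -qi 'invalid password'; then
        echo passphrase-required
    else
        echo unreadable
    fi
}

# Builds constructed test files in directory $1: a throwaway self-signed
# key and certificate, exported once without and once with a passphrase.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=test.com' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name sample -passout pass: -out "$1/nopass.pfx" || return 1
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name sample -passout pass:test -out "$1/pass.pfx" || return 1
    printf 'not a PKCS#12 file\n' > "$1/junk.pfx"
}

# Demo run over the constructed files.
demo_dir=$(mktemp -d)
if make_sample_pfx "$demo_dir"; then
    for f in nopass.pfx pass.pfx junk.pfx; do
        printf '%s: %s\n' "$f" "$(pfx_passphrase_state "$demo_dir/$f")"
    done
fi
rm -rf "$demo_dir"
```

A file that reports no-passphrase here but still triggers "Certificate is encrypted, need passphrase" in the client points at the client's handling rather than at the file.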


Makc666

Here are two logs.
One from WinSCP 5.9.1 and the other from WinSCP 5.9.3.
The only difference is WinSCP version.
No other changes.

Note at lines:

WinSCP_v5-9-1_Good.txt
. 2016-12-08 15:05:30.507 User name: USERNAME (Password: Yes, Key file: No)
...
no such line
...
. 2016-12-08 15:05:31.904 Server asks for authentication with a client certificate.
. 2016-12-08 15:05:32.402 Verifying certificate for "Cert_CA_NAME" with fingerprint 11:22:33:11:22:33:11:22:33:11:22:33:11:22:33:11:22:33:11:22 and 19 failures
* 2016-12-08 15:05:32.403 WARNING! Giving up security and accepting any certificate as configured!
. 2016-12-08 15:05:32.403 Using TLSv1.2, cipher TLSv1/SSLv3: AES128-SHA, 2048 bit RSA, AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
. 2016-12-08 15:05:32.403 TLS connection established. Waiting for welcome message...

WinSCP_v5-9-3_Bad.txt
. 2016-12-08 14:54:43.010 User name: USERNAME (Password: Yes, Key file: No, Passphrase: No)
...
. 2016-12-08 14:54:53.013 Certificate is encrypted, need passphrase
...
. 2016-12-08 14:55:04.381 Server asks for authentication with a client certificate.
. 2016-12-08 14:55:04.744 Disconnected from server
Description: WinSCP_v5-9-3_Bad.txt
Description: WinSCP_v5-9-1_Good.txt


martin
Site Admin

Can you provide me a sample certificate for testing?


Makc666

martin wrote:

Can you provide me a sample certificate for testing?

Martin, here is the archive with the certificates and scripts to test.
One certificate with NO password.
Second certificate with password. Password is "test" - also it is listed in the .txt file inside the archive.

Put proper version of
WinSCP.com
WinSCP.exe
to folders:
WinSCP v5.9.1
WinSCP v5.9.3

One more comment.

When you try to use that .PFX file with NO password in WinSCP.exe v5.9.3 you will get a window with a "Client certificate passphrase" request (attached).
If you do the same in WinSCP.exe v5.9.1 there will be no problems.

WinSCP_v5-9-3_window_passphrase_01.png



martin
Site Admin

I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.


Makc666

martin wrote:

I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.

Martin,

the one you sent me works well (v5.10 Dev Build 7191 2016-12-16).
I tested withOUT -passphrase and -passphrase=pass.

Do you need some other tests from me to do with this case?

Thanks!


gireesh
Guest

same Error even with later version

Hi,
I am still experiencing the same issue with 5.16.4 rc. Please let me know if you need details such as logs etc.
Thanks
Gireesh


martin
Site Admin

Re: same Error even with later version

gireesh wrote:

I am still experiencing the same issue with 5.16.4 rc. Please let me know if you need details such as logs etc.

Do you mean that versions before 5.9.3 work for you and later versions do not?
A session log file is always useful.
