WinSCP 5.9.3 broke .pfx or .p12 files without passphrase / Certificate is encrypted, need passphrase

Advertisement

Makc666
Joined:
Posts:
52
Location:
MSK-RU

WinSCP 5.9.3 broke .pfx or .p12 files without passphrase / Certificate is encrypted, need passphrase

P.S. Martin created https://winscp.net/tracker/1490

No problems with WinSCP 5.9.1.
After upgrading to WinSCP 5.9.3 the problem appeared.
Rolling back to WinSCP 5.9.1 solves the problem.

I have a pkcs12 file which has private key and certificate with chain certificates in it.
It was created using the command:
openssl pkcs12 -export -inkey <private_key_file>.key -in <you_cert_file_with_chain>.pem -out certificate_client_nopass.pkcs12.pfx -name <some_friendly_name_here>
While executing this command NO password was entered.
So I have certificate_client_nopass.pkcs12.pfx file which is not encrypted with the password.

I start like:
winscp.com /ini=nul /script="FTPS_Script.txt"

FTPS_Script.txt has something like:
open ftpes://user:pass@ip:port/ -passive=on -explicit -certificate="*" -clientcert="certificate_client_nopass.pkcs12.pfx" -rawsettings CacheDirectories=0 CacheDirectoryChanges=0 FtpForcePasvIp2=0 FtpPingInterval=10 FtpListAll=1 SslSessionReuse=0 MinTlsVersion=12 -timeout=999

It is working perfect in WinSCP 5.9.1.

After upgrading to WinSCP 5.9.3 it doesn't work any more.

WinSCP begins to write message in LOG file:
. 2016-12-08 14:54:43.011 Certificate is encrypted, need passphrase

I will attach two logs file in next message.

P.S.

<you_cert_file_with_chain>.pem file looks like:
subject=/L=Moscow/ST=Moscow/C=RU/O=Maxim/OU=Test/CN=test.com
issuer=/C=US/O=COMPANE/OU=Service Association/CN=External CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=COMPANE/OU=Service Association/CN=External CA
issuer=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
issuer=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


Last edited by Makc666 on 2016-12-22 09:13; edited 3 times in total

Reply with quote

Advertisement

Makc666
Joined:
Posts:
52
Location:
MSK-RU

Here are two logs.
One from WinSCP 5.9.1 and other from WinSCP 5.9.3.
The only difference is WinSCP version.
No other changes.

Note at lines:

WinSCP_v5-9-1_Good.txt
. 2016-12-08 15:05:30.507 User name: USERNAME (Password: Yes, Key file: No)
...
no such line
...
. 2016-12-08 15:05:31.904 Server asks for authentication with a client certificate.
. 2016-12-08 15:05:32.402 Verifying certificate for "Cert_CA_NAME" with fingerprint 11:22:33:11:22:33:11:22:33:11:22:33:11:22:33:11:22:33:11:22 and 19 failures
* 2016-12-08 15:05:32.403 WARNING! Giving up security and accepting any certificate as configured!
. 2016-12-08 15:05:32.403 Using TLSv1.2, cipher TLSv1/SSLv3: AES128-SHA, 2048 bit RSA, AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
. 2016-12-08 15:05:32.403 TLS connection established. Waiting for welcome message...

WinSCP_v5-9-3_Bad.txt
. 2016-12-08 14:54:43.010 User name: USERNAME (Password: Yes, Key file: No, Passphrase: No)
...
. 2016-12-08 14:54:53.013 Certificate is encrypted, need passphrase
...
. 2016-12-08 14:55:04.381 Server asks for authentication with a client certificate.
. 2016-12-08 14:55:04.744 Disconnected from server
Description: WinSCP_v5-9-3_Bad.txt
Description: WinSCP_v5-9-1_Good.txt

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
29,760
Location:
Prague, Czechia

Can you provide me a sample certificate for testing?

Reply with quote

Advertisement

Makc666
Joined:
Posts:
52
Location:
MSK-RU

martin wrote:

Can you provide me a sample certificate for testing?

Martin, here is the archive with the certificates and scripts to test.
One certificate with NO password.
Second certificate with password. Password it "test" - also it is listed in .txt file inside archive.

Put proper version of
WinSCP.com
WinSCP.exe
to folders:
WinSCP v5.9.1
WinSCP v5.9.3

One more comment.

When you try to use that .PFX file with NO password in WinSCP.exe v5.9.3 you will get a windows with "Client certificate passphrase" request (attached).
If you do the same in WinSCP.exe v5.9.1 there will be no problems.

WinSCP_v5-9-3_window_passphrase_01.png

Description: .
-------------------------------
Put proper version of
WinSCP.com
WinSCP.exe
to folders:
WinSCP v5.9.1
WinSCP v5.9.3
-------------------------------

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
29,760
Location:
Prague, Czechia

I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.

Reply with quote

Makc666
Joined:
Posts:
52
Location:
MSK-RU

martin wrote:

I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.

Martin,

the one you sent me works well (v5.10 Dev Build 7191 2016-12-16).
I tested withOUT -passphrase and -passphrase=pass.

Do you need some other tests from me to do with this case?

Thanks!

Reply with quote

Advertisement

Advertisement

You can post new topics in this forum