Topic "WinSCP 5.9.3 broke .pfx or .p12 files without passphrase / Certificate is encrypted, need passphrase"

Author Message
Makc666

Joined: 2016-12-08
Posts: 52
Location: MSK-RU
P.S. Martin created https://winscp.net/tracker/show_bug.cgi?id=1490

No problems with WinSCP 5.9.1.
After upgrading to WinSCP 5.9.3 the problem appeared.
Rolling back to WinSCP 5.9.1 solves the problem.

I have a pkcs12 file which has a private key and a certificate with chain certificates in it.
It was created using the command:
Code:
openssl pkcs12 -export -inkey <private_key_file>.key -in <you_cert_file_with_chain>.pem -out certificate_client_nopass.pkcs12.pfx -name <some_friendly_name_here>

While executing this command NO password was entered.
So I have certificate_client_nopass.pkcs12.pfx file which is not encrypted with the password.

I start like:
Code:
winscp.com /ini=nul /script="FTPS_Script.txt"


FTPS_Script.txt has something like:
Code:
open ftpes://user:pass@ip:port/ -passive=on -explicit -certificate="*" -clientcert="certificate_client_nopass.pkcs12.pfx" -rawsettings CacheDirectories=0 CacheDirectoryChanges=0 FtpForcePasvIp2=0 FtpPingInterval=10 FtpListAll=1 SslSessionReuse=0 MinTlsVersion=12 -timeout=999


It is working perfectly in WinSCP 5.9.1.

After upgrading to WinSCP 5.9.3 it doesn't work any more.

WinSCP begins to write a message in the LOG file:
Code:
. 2016-12-08 14:54:43.011 Certificate is encrypted, need passphrase


I will attach two log files in the next message.

P.S.

<you_cert_file_with_chain>.pem file looks like:
Code:
subject=/L=Moscow/ST=Moscow/C=RU/O=Maxim/OU=Test/CN=test.com
issuer=/C=US/O=COMPANE/OU=Service Association/CN=External CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=COMPANE/OU=Service Association/CN=External CA
issuer=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
issuer=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


Last edited by Makc666 on 2016-12-22 09:13; edited 3 times in total
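Added example (my own code, not from this thread and not WinSCP's): a pure-stdlib Python inspector that walks the outer DER structure of a .pfx/.p12 and reports which parts are passphrase-protected. The point it illustrates is why a client can log "Certificate is encrypted, need passphrase" for a file exported "with no password": `openssl pkcs12 -export` still wraps the private key in a pkcs8ShroudedKeyBag and the certificates in an encryptedData ContentInfo unless `-nodes` / `-certpbe NONE -keypbe NONE` are given, with the PBE key derived from the empty string. A client therefore has to try the empty passphrase before prompting, which is what the fixed build does. The two sample blobs are constructed with a tiny DER encoder (placeholder bag bodies, no real key material, a stand-in MacData); all function names are mine.

```python
"""Inspect which parts of a PKCS#12 (.pfx/.p12) file are passphrase-protected.
Pure-stdlib DER walker (added example, not WinSCP code). Sample files built
below are constructed skeletons: no real keys, certificates or MAC."""
import sys

OID_DATA = "1.2.840.113549.1.7.1"                     # id-data: plain SafeContents
OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"           # id-encryptedData: PBE-wrapped SafeContents
OID_KEY_BAG = "1.2.840.113549.1.12.10.1.1"            # unprotected private key
OID_SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"   # private key wrapped with PBE
OID_CERT_BAG = "1.2.840.113549.1.12.10.1.3"
BAG_COUNTERS = {OID_KEY_BAG: "key_bags", OID_SHROUDED_KEY_BAG: "shrouded_key_bags",
                OID_CERT_BAG: "cert_bags"}

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def _decode_oid(value):
    """Dotted OID from DER contents (first two arcs packed as 40*a+b)."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc)); acc = 0
    return ".".join(parts)

def inspect_pfx(data):
    """Walk PFX -> AuthenticatedSafe -> SafeContents and count what is protected."""
    tag, pfx, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; PKCS#12 files are DER, not PEM")
    parts = list(_children(pfx))
    info = {"version": int.from_bytes(parts[0][1], "big"), "mac": len(parts) > 2,
            "encrypted_content_infos": 0, "plain_content_infos": 0,
            "shrouded_key_bags": 0, "key_bags": 0, "cert_bags": 0}
    ci = list(_children(parts[1][1]))                  # outer ContentInfo {OID, [0] OCTET STRING}
    if _decode_oid(ci[0][1]) != OID_DATA:
        raise ValueError("authSafe must be a plain id-data ContentInfo (password integrity mode)")
    _, octets = next(_children(ci[1][1]))
    _, auth_safe, _ = _read_tlv(octets, 0)             # AuthenticatedSafe ::= SEQUENCE OF ContentInfo
    for _, content_info in _children(auth_safe):
        fields = list(_children(content_info))
        if _decode_oid(fields[0][1]) == OID_ENCRYPTED_DATA:
            info["encrypted_content_infos"] += 1       # the whole SafeContents is PBE-encrypted
            continue
        info["plain_content_infos"] += 1
        _, safe_octets = next(_children(fields[1][1]))
        _, safe_contents, _ = _read_tlv(safe_octets, 0)
        for _, bag in _children(safe_contents):        # SafeBag ::= SEQUENCE {bagId, [0] bagValue, ...}
            key = BAG_COUNTERS.get(_decode_oid(next(_children(bag))[1]))
            if key:
                info[key] += 1
    return info

def needs_passphrase(info):
    """True when some content is only readable after PBE key derivation from a passphrase.
    The empty string counts: that is what an 'exported with no password' file uses."""
    return info["encrypted_content_infos"] > 0 or info["shrouded_key_bags"] > 0

# --- minimal DER encoder, used only to construct sample files offline -----------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]; a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F)); a >>= 7
        out += bytes(chunk)
    return _der(0x06, out)

def _data_ci(inner):
    return _der(0x30, _der_oid(OID_DATA) + _der(0xA0, _der(0x04, inner)))

def _bag(bag_oid):                                     # bagValue is a placeholder, not a real key/cert
    return _der(0x30, _der_oid(bag_oid) + _der(0xA0, _der(0x04, b"placeholder body")))

def build_sample_pfx(shrouded_key, encrypted_certs, mac):
    """Constructed PFX skeleton with OpenSSL's usual layout: one key ContentInfo, one cert ContentInfo."""
    key_ci = _data_ci(_der(0x30, _bag(OID_SHROUDED_KEY_BAG if shrouded_key else OID_KEY_BAG)))
    if encrypted_certs:                                # EncryptedData body left as a stub
        cert_ci = _der(0x30, _der_oid(OID_ENCRYPTED_DATA) + _der(0xA0, _der(0x30, _der(0x02, b"\x00"))))
    else:
        cert_ci = _data_ci(_der(0x30, _bag(OID_CERT_BAG)))
    body = _der(0x02, b"\x03") + _data_ci(_der(0x30, key_ci + cert_ci))
    if mac:
        body += _der(0x30, _der(0x04, b"\x00" * 20))   # stand-in MacData, not a real HMAC
    return _der(0x30, body)

if __name__ == "__main__":
    if len(sys.argv) > 1:                              # e.g. python inspect_pfx.py certificate_client_nopass.pkcs12.pfx
        report = inspect_pfx(open(sys.argv[1], "rb").read())
        print(report, "-> needs passphrase (possibly empty):", needs_passphrase(report))
    else:
        for label, blob in (("all parts PBE-wrapped", build_sample_pfx(True, True, True)),
                            ("nothing wrapped", build_sample_pfx(False, False, False))):
            report = inspect_pfx(blob)
            print(label, report, "->", needs_passphrase(report))
```

Run it with the path of a .pfx to see whether the key bag is shrouded and whether the certificate ContentInfo is encryptedData. If the answer is yes for a file that was exported without typing a password, the file is still PBE-wrapped with the empty passphrase, and the right client behaviour is to try that empty passphrase before asking the user, rather than to treat the file as unencrypted.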
Makc666

Joined: 2016-12-08
Posts: 52
Location: MSK-RU
Here are two logs.
One from WinSCP 5.9.1 and the other from WinSCP 5.9.3.
The only difference is WinSCP version.
No other changes.

Note at lines:

WinSCP_v5-9-1_Good.txt
Code:
. 2016-12-08 15:05:30.507 User name: USERNAME (Password: Yes, Key file: No)
...
no such line
...
. 2016-12-08 15:05:31.904 Server asks for authentication with a client certificate.
. 2016-12-08 15:05:32.402 Verifying certificate for "Cert_CA_NAME" with fingerprint 11:22:33:11:22:33:11:22:33:11:22:33:11:22:33:11:22:33:11:22 and 19 failures
* 2016-12-08 15:05:32.403 WARNING! Giving up security and accepting any certificate as configured!
. 2016-12-08 15:05:32.403 Using TLSv1.2, cipher TLSv1/SSLv3: AES128-SHA, 2048 bit RSA, AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
. 2016-12-08 15:05:32.403 TLS connection established. Waiting for welcome message...


WinSCP_v5-9-3_Bad.txt
Code:
. 2016-12-08 14:54:43.010 User name: USERNAME (Password: Yes, Key file: No, Passphrase: No)
...
. 2016-12-08 14:54:53.013 Certificate is encrypted, need passphrase
...
. 2016-12-08 14:55:04.381 Server asks for authentication with a client certificate.
. 2016-12-08 14:55:04.744 Disconnected from server
Attachments:
WinSCP_v5-9-3_Bad.txt (2.01 KB)
WinSCP_v5-9-1_Good.txt (2.57 KB)

Makc666

Joined: 2016-12-08
Posts: 52
Location: MSK-RU
And one more note.

According to:
https://winscp.net/eng/docs/history

5.9.3
Support for non-ASCII passphrases to client certificate files (.pfx/.p12 format). 1461
https://winscp.net/tracker/show_bug.cgi?id=1461#c1

This can be connected with this change.
Makc666

Joined: 2016-12-08
Posts: 52
Location: MSK-RU
Martin, do you need any more information from me to look into this one?
martin◆
Site Admin
Joined: 2002-12-10
Posts: 26706
Location: Prague, Czechia
Can you provide me a sample certificate for testing?
Makc666

Joined: 2016-12-08
Posts: 52
Location: MSK-RU
martin wrote:
Can you provide me a sample certificate for testing?


Martin, here is the archive with the certificates and scripts to test.
One certificate with NO password.
Second certificate with password. Password is "test" - it is also listed in the .txt file inside the archive.

Put proper version of
Code:
WinSCP.com
WinSCP.exe

to folders:
Code:
WinSCP v5.9.1
WinSCP v5.9.3


One more comment.

When you try to use that .PFX file with NO password in WinSCP.exe v5.9.3 you will get a window with a "Client certificate passphrase" request (attached).
If you do the same in WinSCP.exe v5.9.1 there will be no problems.
Attachments:
WinSCP_v5-9-3_window_passphrase_01.png (6.48 KB)
certificate_client_2016-12-13_01.zip (11.75 KB) - Description: Put proper version of WinSCP.com and WinSCP.exe to folders "WinSCP v5.9.1" and "WinSCP v5.9.3".

martin◆
Site Admin
Joined: 2002-12-10
Posts: 26706
Location: Prague, Czechia
I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.
Makc666

Joined: 2016-12-08
Posts: 52
Location: MSK-RU
martin wrote:
I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.


Martin,

the one you sent me works well (v5.10 Dev Build 7191 2016-12-16).
I tested withOUT -passphrase and -passphrase=pass.

Do you need some other tests from me to do with this case?

Thanks!
martin◆
Site Admin
Joined: 2002-12-10
Posts: 26706
Location: Prague, Czechia
Thanks for testing! I do not need any more tests.
Makc666

Joined: 2016-12-08
Posts: 52
Location: MSK-RU
martin wrote:
Thanks for testing! I do not need any more tests.


Thank you Martin!

Just for history:
https://winscp.net/tracker/show_bug.cgi?id=1490
Also added the link to the first post.