Topic "[No-Bug] FTPS Intermediate Certificate not trusted when using Windows Cert Store"

Prisma

Joined: 2017-05-18
Posts: 9
Hello Martin,

I obviously found a heavy bug. As short as possible:

An intermediate certificate is not trusted (and so the whole server certificate) when it's only referenced through the root CA and not stored within the "trusted intermediate CAs".
When you take the root CA certificate and put it into a cacert.pem beside winscp.exe (which normally isn't there), the complete chain is trusted.
I assume that when a cacert.pem exists, WinSCP lets OpenSSL check the trust and doesn't use the Windows Cert Store.
This is proof enough for me that it only depends on WinSCP's certificate handling when using the Windows cert store, and it's not a bad FTP server configuration.

But anyway, I'll give you all the information and documentation you should need in a number of files:

Last edited by Prisma on 2017-05-19 08:39; edited 1 time in total
windows_certificate_store.log (5.54 KB) [Download]

Prisma

Joined: 2017-05-18
Posts: 9
With cacert.pem aside
openssl_certificate_store.log (8.19 KB) [Download]

Prisma

Joined: 2017-05-18
Posts: 9
proFTP configuration
tls.conf.txt (463 Bytes) [Download]

Prisma

Joined: 2017-05-18
Posts: 9
Proof that Windows really trusts the cert
cert.JPG (69.69 KB) [Download]

Prisma

Joined: 2017-05-18
Posts: 9
Root CA Details
cacert.jpg (313.28 KB) [Download]

Prisma

Joined: 2017-05-18
Posts: 9
Which other info do you need?

If you use your own Let's Encrypt certificate, it should be easy to reproduce.
But via PM I could also give you more un-anonymized info if needed.

This is rather urgent, because our old certificate will become invalid shortly and we want to use Let's Encrypt in the future.
martin◆
Site Admin
Joined: 2002-12-10
Posts: 26730
Location: Prague, Czechia
Error 80092013 is CRYPT_E_REVOCATION_OFFLINE.

So it's not that the certificate is not trusted as such. It's that it was not possible to check if it is on the revocation list or not.

That may help you with investigation.
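The distinction Martin draws (a trust failure versus a revocation lookup that could not be completed) can be checked directly against the Windows certificate store. This is an added PowerShell example, not WinSCP's or the poster's code; the file names cert.pem and chain.pem, and the assumption that the server sends the intermediate in the handshake, are mine, and the revocation flags mirror the ones visible in the certutil trace in this thread.

```powershell
# Added diagnostic (not WinSCP's or the poster's code). Builds the chain for a
# server certificate through the Windows certificate store with online revocation
# checking, excluding the root (the same ChainFlags the certutil trace shows), and
# reports whether a failure is a real trust problem or only an unreachable
# revocation source (what WinSCP surfaces as 0x80092013 CRYPT_E_REVOCATION_OFFLINE).
# File names are assumptions: cert.pem and chain.pem as certbot writes them.
param(
    [string]$LeafPath  = '.\cert.pem',
    [string]$ChainPath = '.\chain.pem'
)
$X509  = 'System.Security.Cryptography.X509Certificates'
$leaf  = New-Object "$X509.X509Certificate2" -ArgumentList (Resolve-Path $LeafPath).Path
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode      = 'Online'       # query OCSP/CRL, not only the cache
$chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'  # CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
if (Test-Path $ChainPath) {
    # Offer the intermediate the way an FTPS server does in the TLS handshake; if the
    # store already holds it, ExtraStore is simply redundant.
    $inter = New-Object "$X509.X509Certificate2" -ArgumentList (Resolve-Path $ChainPath).Path
    [void]$chain.ChainPolicy.ExtraStore.Add($inter)
}
$built = $chain.Build($leaf)

# Dump the chain like certutil's CERT_CHAIN_CONTEXT section, one element per line.
foreach ($el in $chain.ChainElements) {
    $st = if ($el.ChainElementStatus) { $el.ChainElementStatus.Status -join ', ' } else { 'OK' }
    '{0,-60} {1}' -f $el.Certificate.Subject, $st
}

# Split the aggregated status flags into "could not check revocation" and everything else.
$revocationOnly = @('RevocationStatusUnknown', 'OfflineRevocation')
$flags         = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" -split ',\s*' })
$trustProblems = @($flags | Where-Object { $_ -notin $revocationOnly })

if ($built) {
    'Chain builds and revocation status was obtained: the store trusts this certificate.'
} elseif ($trustProblems.Count -eq 0) {
    'Chain is trusted, but the OCSP/CRL sources could not be reached or were stale.'
    'This is the CRYPT_E_REVOCATION_OFFLINE case, not an untrusted intermediate.'
    'Revocation URLs the client must be able to fetch (AIA and CRL distribution points):'
    $leaf.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.5.5.7.1.1', '2.5.29.31' } |
        ForEach-Object { $_.Format($true) }
} else {
    "Trust failure: $($trustProblems -join ', ')"
}
```

Run it on the machine where WinSCP fails; if only the revocation branch fires, the fix is network reachability of the printed OCSP/CRL URLs (or waiting out a CA-side OCSP outage), not the certificate store.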
Prisma

Joined: 2017-05-18
Posts: 9
Hello Martin,

Using certutil.exe I also got an error. So, relying on the Windows Cert Store, it's no wonder that WinSCP doesn't accept the cert. I documented it here:
https://community.letsencrypt.org/t/ms-certutil-verify-fails-for-cert-pem-and-fullchain-pem-why/34276

I think this is nothing under our control.

The only thing I wonder about is that certutil throws a different error: 0x80092004 CRYPT_E_NOT_FOUND ...
Prisma

Joined: 2017-05-18
Posts: 9
I ran this command: certutil -verify -urlfetch cert.pem

It produced this output:

Aussteller:
CN=Let's Encrypt Authority X3
O=Let's Encrypt
C=US
Namenshash (sha1): 7ee66ae7729ab3fcf8a220646c16a12d6071085d
Namenshash (md5): c0350a4a6f6b94d938b5003a57bb4867
Antragsteller:
CN=www.mydomain.de
Namenshash (sha1): 0a45f24e027192b7863afb1e0896e88a94c74305
Namenshash (md5): 6bdef80a3a02c62b498e6a554094b1ed
Zertifikatseriennummer: 034dde82f2a0e66c92ee29ebede3fa80e6c7

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Days, 13 Hours, 20 Minutes, 36 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Days, 13 Hours, 20 Minutes, 36 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
NotBefore: 11.05.2017 02:38
NotAfter: 09.08.2017 02:38
Subject: CN=www.mydomain.de
Serial: 034dde82f2a0e66c92ee29ebede3fa80e6c7
SubjectAltName: DNS-Name=mydomain.de, DNS-Name=mydomain.eu, DNS-Name=www.mydomain.de, DNS-Name=www.mydomain.eu
Cert: c4ea64889db020e794a247293944a18b5ec3177b
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Zertifikat abrufen ----------------
Überprüft "Zertifikat (0)" Zeit: 0
[0.0] http://cert.int-x3.letsencrypt.org/

---------------- Zertifikat abrufen ----------------
Keine URLs "Keine" Zeit: 0
---------------- Basissperrliste veraltet ----------------
Keine URLs "Keine" Zeit: 0
---------------- Zertifikat-OCSP ----------------
Überprüft "OCSP" Zeit: 0
[0.0] http://ocsp.int-x3.letsencrypt.org/

--------------------------------
CRL (null):
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
ThisUpdate: 17.05.2017 03:00
NextUpdate: 24.05.2017 03:00
CRL: 8892a5c37e9e1b18b6d7cf54acdc6d86e0809e95
Issuance[0] = 2.23.140.1.2.1
Issuance[1] = 1.3.6.1.4.1.44947.1.1.1
Application[0] = 1.3.6.1.5.5.7.3.1 Serverauthentifizierung
Application[1] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
NotBefore: 17.03.2016 18:40
NotAfter: 17.03.2021 18:40
Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial: 0a0141420000015385736a0b85eca708
Cert: e6a3b45b062d509b3382282d196efe97d5956ccb
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Zertifikat abrufen ----------------
Überprüft "Zertifikat (0)" Zeit: 0
[0.0] http://apps.identrust.com/roots/dstrootcax3.p7c

---------------- Zertifikat abrufen ----------------
Überprüft "Basissperrliste (aa)" Zeit: 0
[0.0] http://crl.identrust.com/DSTROOTCAX3CRL.crl

---------------- Basissperrliste veraltet ----------------
Keine URLs "Keine" Zeit: 0
---------------- Zertifikat-OCSP ----------------
Überprüft "OCSP" Zeit: 0
[0.0] http://isrg.trustid.ocsp.identrust.com

--------------------------------
CRL (null):
Issuer: E=pki-ops@IdenTrust.com, CN=DST CA X3 OCSP Signer, OU=DST, O=Digital Signature Trust, C=US
ThisUpdate: 18.05.2017 11:26
NextUpdate: 19.05.2017 11:26
CRL: eb82fdefaeabf9244e9c8fc1c052797fa08edd94
Issuance[0] = 2.23.140.1.2.1
Issuance[1] = 1.3.6.1.4.1.44947.1.1.1
Application[0] = 1.3.6.1.5.5.7.3.4 Sichere E-Mail
Application[1] = 1.3.6.1.5.5.7.3.1 Serverauthentifizierung
Application[2] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung
Application[3] = 1.3.6.1.5.5.7.3.8 Zeitstempel
Application[4] = 1.3.6.1.4.1.311.10.3.4 Verschlüsselndes Dateisystem
Application[5] = 1.3.6.1.4.1.311.10.3.12 Dokumentsignatur

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
NotBefore: 30.09.2000 23:12
NotAfter: 30.09.2021 16:01
Subject: CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial: 44afb080d6a327ba893039862ef8406b
Cert: dac9024f54d8f6df94935fb1732638ca6ad77c13
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Zertifikat abrufen ----------------
Keine URLs "Keine" Zeit: 0
---------------- Zertifikat abrufen ----------------
Keine URLs "Keine" Zeit: 0
---------------- Zertifikat-OCSP ----------------
Keine URLs "Keine" Zeit: 0
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.4 Sichere E-Mail
Application[1] = 1.3.6.1.5.5.7.3.1 Serverauthentifizierung
Application[2] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung
Application[3] = 1.3.6.1.5.5.7.3.8 Zeitstempel
Application[4] = 1.3.6.1.4.1.311.10.3.4 Verschlüsselndes Dateisystem
Application[5] = 1.3.6.1.4.1.311.10.3.12 Dokumentsignatur

Exclude leaf cert:
Chain: 8b7ab36ece90ebb699b18f9d2bfafc4c6bc4d40f
Full chain:
Chain: 7e00edb48331966cc2699a2c8e01ce0e21803e4d
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
NotBefore: 11.05.2017 02:38
NotAfter: 09.08.2017 02:38
Subject: CN=www.mydomain.de
Serial: 034dde82f2a0e66c92ee29ebede3fa80e6c7
SubjectAltName: DNS-Name=mydomain.de, DNS-Name=mydomain.eu, DNS-Name=www.mydomain.de, DNS-Name=www.mydomain.eu
Cert: c4ea64889db020e794a247293944a18b5ec3177b
Das Objekt oder die Eigenschaft wurde nicht gefunden. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
------------------------------------
CertUtil: -verify-Befehl ist fehlgeschlagen: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Das Objekt oder die Eigenschaft wurde nicht gefunden.
Prisma

Joined: 2017-05-18
Posts: 9
The certutil.exe error has nothing to do with the WinSCP problem. Let's Encrypt has had several service problems with OCSP yesterday and today, see picture.

Sorry Martin...
martin◆
Site Admin
Joined: 2002-12-10
Posts: 26730
Location: Prague, Czechia
Thanks for your feedback!