Issues with root CA in Windows machine and/or user store not being trusted

freaky

Hi there,

we have a situation where a certificate chain isn't trusted. From what I got, WinSCP should be using the Windows certificate store.

We have imported the root CA (it's not in there already), but this doesn't alleviate the issue.
WinSCP states that there's a self-signed certificate in the chain at depth 4. Root CA certificates are always self-signed, so I don't consider that to be the real issue. The real issue probably is it doesn't actually trust the root CA certificate.

With OpenSSL we can see it presents the root, 2 intermediates and the end certificate. OpenSSL verifies it just fine if we supply the root certificate as evidenced here:

/tmp $ openssl s_client -connect cs-bedrijven.procesinfrastructuur.nl:21 -starttls ftp -showcerts -CAfile /tmp/root.crt -verify 5
verify depth is 5
CONNECTED(00000003)
depth=3 C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Private Root CA - G1
verify return:1
depth=2 C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Private Services CA - G1
verify return:1
depth=1 C = NL, O = KPN B.V., CN = KPN PKIoverheid Private Services CA - G1
verify return:1
depth=0 C = NL, ST = Zuid-Holland, L = Den Haag, O = Logius, OU = Servicemanagement, serialNumber = 00000004003214345001, CN = cs-bedrijven.procesinfrastructuur.nl
verify return:1
---
Certificate chain
0 s:C = NL, ST = Zuid-Holland, L = Den Haag, O = Logius, OU = Servicemanagement, serialNumber = 00000004003214345001, CN = cs-bedrijven.procesinfrastructuur.nl
i:C = NL, O = KPN B.V., CN = KPN PKIoverheid Private Services CA - G1
1 s:C = NL, O = KPN B.V., CN = KPN PKIoverheid Private Services CA - G1
i:C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Private Services CA - G1
2 s:C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Private Services CA - G1
i:C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Private Root CA - G1
3 s:C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Private Root CA - G1
i:C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Private Root CA - G1
---
Server certificate
subject=C = NL, ST = Zuid-Holland, L = Den Haag, O = Logius, OU = Servicemanagement, serialNumber = 00000004003214345001, CN = cs-bedrijven.procesinfrastructuur.nl

issuer=C = NL, O = KPN B.V., CN = KPN PKIoverheid Private Services CA - G1

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 7261 bytes and written 486 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5DBB1041D643EE5E067C4AB1E341249E294A4642599D2CFE403A64ACCA0EE1DA
Session-ID-ctx:
Master-Key: 64D92CB8CFE87EB78713E705F986690BB8F1439A112CA4480F08120F5F5D449BC03220A8C29FFB230FC23C4B7F9E5666
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1572540472
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
220 Welcome to cs-bedrijven.procesinfrastructuur.nl OTPi environment
^C

The server is publicly available so you should be able to test by importing the latest cert in the OpenSSL output into the root store.

Tested with both the latest stable version and 5.16.1 beta.

winscp-cert-error.png


freaky

Hi Martin,

I had seen that post. Unfortunately it doesn't help at all. Nothing appears in the Windows event logs, the mentioned services are running and not giving errors and the root CA has been imported into the machine's root CA store where it works fine for other applications like IE.

What does work is storing the certificate, in PEM format, in cacert.pem in the root installation folder.

It seems horribly broken to me, but apparently so far few users have had the need. Seems to me there's either a very limited userbase needing non-standard root CAs or they are fine with accepting the certificate once manually.

Unfortunately we need to use it in a Citrix farm with dozens of servers and very strict user profiles (not all settings are retained), so for us it's pretty important to have it trusted by default as it would bug the user (nearly) each and every time otherwise with a certificate warning.

From what I got from the post I saw, which you also linked, we're not supposed to use the cacert.pem file. But it seems the only way I can get it to work right now.

I'm fine with running a debug version and providing its logs/output if you'd be so kind to ship me one :).

Thanks

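A way to check whether Windows itself builds a trusted chain for this server certificate, independent of WinSCP (an added example, not part of the posts above). It assumes the certificates from the `-showcerts` output were saved as separate files; the `C:\temp\chain` paths and file names are hypothetical.

```powershell
# Added diagnostic example; the paths and file names below are assumptions.
param(
    [string]$LeafPath = 'C:\temp\chain\leaf.cer',   # depth 0 certificate (hypothetical path)
    [string[]]$IntermediatePaths = @('C:\temp\chain\int1.cer', 'C:\temp\chain\int2.cer')
)

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation checking is switched off so the result reflects store trust only,
# not whether CRL or OCSP endpoints are reachable from this machine.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

# Offer the intermediates the server sent, so a missing intermediate
# is not mistaken for an untrusted root.
foreach ($path in $IntermediatePaths) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    [void]$chain.ChainPolicy.ExtraStore.Add($cert)
}

$trusted = $chain.Build($leaf)
"Chain trusted by Windows: $trusted"

# Per-element status: an untrusted root shows up as UntrustedRoot here.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    "{0}  [{1}]  {2}" -f $c.Thumbprint, $status, $c.Subject
}

# The last element is the top of the chain Windows built; report which root stores hold it.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $hit = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    "{0}: {1}" -f $store, $(if ($hit) { 'present' } else { 'absent' })
}
```

If Windows reports the chain as trusted while the client still warns, the difference lies in how the client verifies the chain rather than in the store contents.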
