-certificate switch?

Advertisement

gregb
Joined:
Posts:
6

-certificate switch?

WinSCP 5.17.3

WinSCP seems to be disregarding server certificates and automatically connecting to our partners, regardless of the certificate being offered. I'm using WinSCP.com via. powershell. I know that a mistyped -certificate in the OPEN statement would previously cause the connection to fail (as it should) but I cannot remember how long ago that was, nor which WinSCP version that was. I've been using these scripts for a number of years, and the last certificate key update to this script was about 2 years ago.

Whether I connect with the valid certificate, an invalid certificate, or no certificate, this FTPS connection succeeds:
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -certificate='"31:a0:0f:ff:69:cc:9b:d5:10:df:98:36:b8:74:a5:9b:62:27:b1:87"' -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"
batch           abort     
confirm         off       
include         |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D---------   0                           0              ..
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  inbound
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  outbound



Invalid Certificate
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -certificate='"aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa"' -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"
batch           abort     
confirm         off       
include         |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D---------   0                           0              ..
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  inbound
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  outbound


No Certificate
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"
batch           abort     
confirm         off       
include         |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D---------   0                           0              ..
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  inbound
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  outbound

PS C:\Windows> exit

Have I cached the certificate somewhere and it's overriding the CLI? I did clear the cached hosts keys (Tools > CleanUp)
I did try several of our partner sites via. WINSCP GUI and none of them prompted me to accept a hostkey.
I tried running WINSCP 5.7.6 on a new system and got the same results.

Has something changed over time that I've missed in the release notes?

Graciously,
Greg

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,276
Location:
Prague, Czechia

Re: -certificate switch?

Please attach a full session log file showing the problem (using the latest version of WinSCP).

To generate the session log file, use /log=C:\path\to\winscp.log command-line argument. Submit the log with your post as an attachment. Note that passwords and passphrases not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.

Reply with quote

gregb
Joined:
Posts:
6

winscp.log attached

Hi Martin,
Log file attached. I was able to successfully connect with:
-certificate=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa

Greg
  • winscp.log (11.46 KB, Private file)
Description: sanitized log

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,276
Location:
Prague, Czechia

Re: winscp.log attached

Your log files shows that the certificate is signed with a trusted authority, so the -certificate switch is not needed.

. 2020-06-29 08:51:34.074 Certificate verified against Windows certificate store

Reply with quote

Advertisement

Advertisement

You can post new topics in this forum