Certificate validation

Hi

While I understand WinSCP uses the Windows Certificate Store to validate certificates for connections, it appears it does not use it when checking for updates.

We have SSL interception on and when checking for updates I see a certificate chain error and it fails to check for updates. The RootCA certificate is in the Windows certificate store as a Trusted CA nd works for everything else.

I've found other posts discussing that WinSCP does use the Windows Certificate Store for S3 connections etc (not that I've tried that) but I'm guessing the update lookup is just missing that piece of validation code.

All HTTPS connections (updates, S3, WebDAV) use the same mechanism for verifying the certificates. So all use Windows certificate store, via CertVerifyCertificateChainPolicy.
Can you post the exact error message you are getting?

I'm seeing this when SSL Decryption is enabled

Certificate not trusted.
Error: 800B0109, Chain index: 0, Element index: -1
Server certificate verification failed: issuer is not trusted

Excluding winscp.net from SSL Decryption makes checking for updates work normally. Our RootCA cert is installed in the machine cert store under Trusted Root Certification Authorities and working fine for everything else

Does "everything else" include another open source software, that I can check?

Git for Windows with the
command run works fine.

As does Python with the pip-system-certs extension loaded.

Thanks. I'll look into it.

I did check Git source code (or actually Curl code, as that's what Git uses for HTTP[S]) and the code seems pretty much the same as what WinSCP is doing.

Do you think it's possible for me to somehow configure my Windows to behave like yours? Do you know what exactly causes WinSCP to fail the certificate validation?

I have added this issue to the tracker:
Issue 2212 – Updates check fail because winscp.net certificate cannot be validated
You can vote for it there.