Not understanding certificate failures :: Support Forum

Obee
Joined:: 2023-09-26
Posts:: 5
Location:: us

Not understanding certificate failures

2023-09-26 22:23

Using WinSCP 5.19.6 (cannot upgrade version because another unit "owns" the application)
Trying to connect to a remote server using

ftpes:// -rawsettings MinTLSVersion=12 MaxTLSVersion=13

Certificate is from our agency's PKI, it is installed in the Windows store on the remove server and should be fully trusted
Certificate gives its thumbprint as SHA1. WinSCP log gives it as SHA256. Have confirmed the two match.
Part of debug log:

< 2023-09-26 13:55:48.579 234 AUTH command ok. Expecting TLS Negotiation.
. 2023-09-26 13:55:48.579 No data to read
. 2023-09-26 13:55:48.594 TLS connect: SSLv3/TLS write client hello
. 2023-09-26 13:55:48.594 TLS connect: SSLv3/TLS read server hello
. 2023-09-26 13:55:48.594 TLS connect: SSLv3/TLS read server certificate
. 2023-09-26 13:55:48.594 TLS connect: SSLv3/TLS read server key exchange
. 2023-09-26 13:55:48.594 TLS connect: SSLv3/TLS read server done
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS write client key exchange
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS write change cipher spec
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS write finished
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS write finished
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS read change cipher spec
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS read finished
. 2023-09-26 13:55:48.610 Verifying certificate for "agency name" with fingerprint xxx and 20 failures
. 2023-09-26 13:55:48.610 Certificate for "agency name" matches cached fingerprint and failures
. 2023-09-26 13:55:48.610 Using TLSv1.2, cipher TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
< 2023-09-26 13:55:48.610 Script: TLS connection established. Waiting for welcome message...
. 2023-09-26 13:55:48.610 TLS connection established. Waiting for welcome message...

QUESTION: How do I find out what is causing the failures? The certificate is valid, unsure why we're getting failures.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,121
Location:: Prague, Czechia

Re: Not understanding certificate failures

2023-09-28

Did you test the connection on a standard Windows installation (not corporate-managed one?)

Reply with quote

Obee

Re: Not understanding certificate failures

2023-09-28 18:02

Unfortunately firewall rules prevent me from testing anywhere except from the one allowed source to the one allowed destination.

Reply with quote

martin◆ Site Admin

Re: Not understanding certificate failures

2023-10-02

Please remove the certificate from the WinSCP cache and post complete session log file.

Reply with quote

Obee
Joined:: 2023-09-26
Posts:: 5
Location:: us

Re: Not understanding certificate failures

2023-10-04 18:50

Done. File uploaded as attachment, is private.

ftplog10-04-23.txt (16.54 KB, Private file)

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,121
Location:: Prague, Czechia

Re: Not understanding certificate failures

2023-10-05

There's no failure, the certificate was successfully verified:

. 2023-10-04 10:39:07.031 Certificate verified against Windows certificate store

Reply with quote

Obee

Re: Not understanding certificate failures

2023-10-05 14:33

Thanks, I do understand that. It's the part at the end of that same line in the log "and 20 failures" that I do not understand. What is failing before the success? Can the failures be eliminated? I have tried moving the order of the cipher suites around but it doesn't change the message.

Reply with quote

martin◆ Site Admin

Re: Not understanding certificate failures

2023-10-08

That is a result of certificate check in OpenSSL library. Unless you have a local OpenSSL certificate storage that can validate the certificate, you will always see that. Why do you want to eliminate it? What is the problem?

Reply with quote