Incessant certificate warnings
We use WinSCP Portable (of varying versions) to connect to an AWS GovCloud S3 bucket via DoD devices. Initial connection goes fine, but after a variable number of operations (usually file copies) an alert appears for an untrusted connection. The certificate issuer is DHA (Defense Health) which means it's part of DHA's "man in the middle" packet inspection. The problem is selecting "yes" to continue and store the certificate does nothing other than putting the fingerprint in the winscp.ini file. There's just an endless series of those alerts in no discernible pattern which essentially makes WinSCP useless for us.
I've dug around the net and I haven't found anything that applies to bypass that warning using the GUI (vs .net code). -certificate * looked promising in the .ini (to be narrowed down if that worked), but made no difference, nor did I find anything applicable or germane in the Raw Settings for that session.
Any way out of this? This has put us at a bit of a standstill. Thanks!
I ran the log in debug and below is all that it had re certificates.
. 2025-06-13 16:05:58.130 Doing SSL negotiation.
. 2025-06-13 16:05:58.280 ssl: Verify callback @ 2 => 20
. 2025-06-13 16:05:58.280 ssl: Verify failures |= 8 => 8
. 2025-06-13 16:05:58.295 Chain depth: 3
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 ssl: Match common name '*.s3-us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name 's3-us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name '*.s3.us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name 's3.us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 Identity match for 's3.us-gov-west-1.amazonaws.com': good
. 2025-06-13 16:05:58.295 Verifying certificate for "*.s3-us-gov-west-1.amazonaws.com" with fingerprint 4e:80:b7:a9:31:3f:4d:55:ee:7e:fb:f8:85:a6:e0:e7:09:a5:9c:2f:26:ed:c7:2f:c7:54:8d:c6:8d:ff:e7:7b and 08 failures
. 2025-06-13 16:05:58.418 Certificate verified against Windows certificate store
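The debug excerpt above carries the two facts that matter for diagnosing this: the fingerprint of the leaf certificate WinSCP was shown, and the failure bitmask ("08 failures") that fired before the Windows store accepted it. The script below is an added example, not WinSCP's code and not part of the original post. It parses those "Verifying certificate for ..." lines from a WinSCP log, decodes the failure bits, and reports any session whose presented fingerprint is not in a pinned set that the operator has confirmed out of band. Assumptions: the failure value is the neon NE_SSL_* bitmask that WinSCP logs in hexadecimal (for the value 08 on the page, hex and decimal agree), and the second fingerprint in the sample log is a constructed placeholder standing in for a fingerprint obtained directly from the real endpoint.

```python
"""Audit certificate-verification lines in a WinSCP debug log.

Added example (not WinSCP's own code). Extracts every
'Verifying certificate for "<subject>" with fingerprint <fp> and <NN> failures'
line, decodes the failure bitmask, and flags sessions whose leaf fingerprint is
not one the operator has pinned. A re-signing inspection proxy shows up as a
fingerprint that differs from the one the real endpoint presents.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: the failure value is neon's NE_SSL_* bitmask, logged in hex.
FAILURE_FLAGS = {
    0x01: "NOTYETVALID",
    0x02: "EXPIRED",
    0x04: "IDMISMATCH",
    0x08: "UNTRUSTED",
    0x10: "BADCHAIN",
    0x20: "REVOKED",
}

VERIFY_RE = re.compile(
    r'^\. (?P<ts>\S+ \S+) Verifying certificate for "(?P<subject>[^"]+)" '
    r'with fingerprint (?P<fp>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+) '
    r'and (?P<failures>[0-9a-fA-F]+) failures$'
)


@dataclass
class VerifyEvent:
    timestamp: str
    subject: str
    fingerprint: str
    failures: int


def decode_failures(mask: int) -> list[str]:
    """Names of the set failure bits; bits outside the known map are reported as hex."""
    names = [name for bit, name in FAILURE_FLAGS.items() if mask & bit]
    unknown = mask & ~sum(FAILURE_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:02x})")
    return names


def parse_verify_events(log_text: str) -> list[VerifyEvent]:
    """Return one VerifyEvent per matching log line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            events.append(VerifyEvent(m["ts"], m["subject"], m["fp"].lower(),
                                      int(m["failures"], 16)))
    return events


def audit(log_text: str, pinned: set[str]) -> list[dict]:
    """One finding per event whose fingerprint is not pinned or which carries failure bits."""
    pinned = {fp.lower() for fp in pinned}
    findings = []
    for ev in parse_verify_events(log_text):
        reasons = []
        if ev.fingerprint not in pinned:
            reasons.append("fingerprint not in pinned set (possible TLS interception)")
        if ev.failures:
            reasons.append("verification failures: " + ",".join(decode_failures(ev.failures)))
        if reasons:
            findings.append({"timestamp": ev.timestamp, "subject": ev.subject,
                             "fingerprint": ev.fingerprint, "reasons": reasons})
    return findings


# Fingerprint copied from the log excerpt in the post.
PAGE_FP = ("4e:80:b7:a9:31:3f:4d:55:ee:7e:fb:f8:85:a6:e0:e7:"
           "09:a5:9c:2f:26:ed:c7:2f:c7:54:8d:c6:8d:ff:e7:7b")
# CONSTRUCTED placeholder for a fingerprint confirmed directly against the endpoint.
CONSTRUCTED_FP = ("00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:"
                  "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff")

# Constructed sample log: the page's line plus one later session with the placeholder.
SAMPLE_LOG = f"""\
. 2025-06-13 16:05:58.130 Doing SSL negotiation.
. 2025-06-13 16:05:58.295 Verifying certificate for "*.s3-us-gov-west-1.amazonaws.com" with fingerprint {PAGE_FP} and 08 failures
. 2025-06-13 16:05:58.418 Certificate verified against Windows certificate store
. 2025-06-13 16:20:01.000 Verifying certificate for "*.s3-us-gov-west-1.amazonaws.com" with fingerprint {CONSTRUCTED_FP} and 00 failures
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, {CONSTRUCTED_FP}):
        print(finding)
```

Run against a real log, the pinned set should hold only fingerprints confirmed from the endpoint through a path that does not pass through the inspection proxy; every other fingerprint the audit reports is a certificate some intermediary substituted, which is what the post's repeated "untrusted connection" prompts are surfacing.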