Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#10916 closed Bug report (rejected)

"Received certificate chain could not be verified. Verification status is 66" since version 3.20.0

Reported by: lc_cbhp Owned by:
Priority: normal Component: FileZilla Client
Keywords: TLS certificate chain strict validation tofu Cc:
Component version: 3.20.0 Operating system type: Windows
Operating system version: 10

Description

After upgrading from FileZilla Client version 3.19.0 to 3.20.0, a secured connection to a ftp server is no more possible.
Status: Resolving address of lidame.lima-ftp.de
Status: Connecting to 62.113.217.13:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Error: Received certificate chain could not be verified. Verification status is 66.
Error: Could not connect to server

Version 3.20.0 added a new feature called "Stricter certificate chain validation to supplement the Tofu model". Maybe there is an bug or a side effect?
Version 3.19.0 works pretty well.

Attachments (2)

debug_log_3.19.0_working.txt (7.0 KB) - added by lc_cbhp 3 years ago.
debug log, version 3.19.0, working
debug_log_3.20.0_failure.txt (2.8 KB) - added by lc_cbhp 3 years ago.
debug log, version 3.20.0, failure

Download all attachments as: .zip

Change History (7)

Changed 3 years ago by lc_cbhp

debug log, version 3.19.0, working

Changed 3 years ago by lc_cbhp

debug log, version 3.20.0, failure

comment:1 Changed 3 years ago by lc_cbhp

The server provides a wildcard certificate for the customers.

Certificate in chain:

0:

Common Name: *.lima-ftp.de
Certificate Issuer: StartCom Class 2 Primary Intermediate Server CA

1:

Common Name: StartCom Class 2 Primary Intermediate Server CA
Certificate Issuer: StartCom Certification Authority

comment:2 Changed 3 years ago by Tim Kosse

Resolution: rejected
Status: newclosed

The server sends a malformed certificate chain.

For reference, see https://tools.ietf.org/html/rfc5246#page-48:

certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following

certificate MUST directly certify the one preceding it.

Your server sends 4 certificates A, B, C, D with A signed by D, C signed by B and D signed by C.

Please contact your server administrator or server hosting provider for assistance so that the certificates can be arranged in the correct order mandated by the TLS specifications.

comment:3 in reply to:  2 Changed 3 years ago by lc_cbhp

Resolution: rejected
Status: closedreopened

Replying to codesquid:

The server sends a malformed certificate chain.

As you can see in my previous post, the servers sends the certificates in correct order.

comment:4 Changed 3 years ago by Tim Kosse

Resolution: rejected
Status: reopenedclosed

Well it doesn't send them in the correct order, it's not even a wildcard certificate:

$ gnutls-cli  -s --crlf -p 21 lidame.lima-ftp.de
Processed 175 CA certificate(s).
Resolving 'lidame.lima-ftp.de'...
Connecting to '62.113.217.13:21'...

- Simple Client Mode:

220-##########################################################################
220- FTP-Zugang von www.lima-city.de
220- Es gelten unsere AGB und Regeln.
220- Lies bei Fragen oder Problemen bitte zuerst in unseren Hilfetexten nach.
220-##########################################################################
220 Dies ist ein privates System - Keine anonyme Anmeldung m▒glich.
AUTH TLS
234 AUTH TLS OK.
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=PositiveSSL,CN=zeus.lima-premium.de', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-09-01 00:00:00 UTC', expires `2016-08-31 23:59:59 UTC', SHA-1 fingerprint `613374289f586c3ab041ca47a71b451440530289'
        Public Key ID:
                87d79b8943d72ea8e47864752de77a856b5bb970
        Public key's random art:
                +--[ RSA 2048]----+
                |                 |
                |                 |
                |             .   |
                |         ...o.o  |
                |        S.+.o+.. |
                |        o+ + =o o|
                |       o. + =o.E.|
                |       +.. ...*..|
                |      ..o    o.o |
                +-----------------+

- Certificate[1] info:
 - subject `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `02faf3e291435468607857694df5e45b68851868'
- Certificate[2] info:
 - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0'
- Certificate[3] info:
 - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', SHA-1 fingerprint `339cdd57cfd5b141169b615ff31428782d1da639'
- Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed

comment:5 Changed 3 years ago by Tim Kosse

https://ftptest.net/ has been updated to now also show and validate the received certificate chain.

Note: See TracTickets for help on using tickets.