#10916 closed Bug report (rejected)
"Received certificate chain could not be verified. Verification status is 66" since version 3.20.0
| Reported by: | lc_cbhp | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | FileZilla Client |
| Keywords: | TLS certificate chain strict validation tofu | Cc: | |
| Component version: | 3.20.0 | Operating system type: | Windows |
| Operating system version: | 10 |
Description
After upgrading from FileZilla Client version 3.19.0 to 3.20.0, a secured connection to a ftp server is no more possible.
Status: Resolving address of lidame.lima-ftp.de
Status: Connecting to 62.113.217.13:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Error: Received certificate chain could not be verified. Verification status is 66.
Error: Could not connect to server
Version 3.20.0 added a new feature called "Stricter certificate chain validation to supplement the Tofu model". Maybe there is an bug or a side effect?
Version 3.19.0 works pretty well.
Attachments (2)
Change History (7)
by , 8 years ago
| Attachment: | debug_log_3.19.0_working.txt added |
|---|
comment:1 by , 8 years ago
The server provides a wildcard certificate for the customers.
Certificate in chain:
0:
Common Name: *.lima-ftp.de
Certificate Issuer: StartCom Class 2 Primary Intermediate Server CA
1:
Common Name: StartCom Class 2 Primary Intermediate Server CA
Certificate Issuer: StartCom Certification Authority
follow-up: 3 comment:2 by , 8 years ago
| Resolution: | → rejected |
|---|---|
| Status: | new → closed |
The server sends a malformed certificate chain.
For reference, see https://tools.ietf.org/html/rfc5246#page-48:
certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it.
Your server sends 4 certificates A, B, C, D with A signed by D, C signed by B and D signed by C.
Please contact your server administrator or server hosting provider for assistance so that the certificates can be arranged in the correct order mandated by the TLS specifications.
comment:3 by , 8 years ago
| Resolution: | rejected |
|---|---|
| Status: | closed → reopened |
Replying to codesquid:
The server sends a malformed certificate chain.
As you can see in my previous post, the servers sends the certificates in correct order.
comment:4 by , 8 years ago
| Resolution: | → rejected |
|---|---|
| Status: | reopened → closed |
Well it doesn't send them in the correct order, it's not even a wildcard certificate:
$ gnutls-cli -s --crlf -p 21 lidame.lima-ftp.de
Processed 175 CA certificate(s).
Resolving 'lidame.lima-ftp.de'...
Connecting to '62.113.217.13:21'...
- Simple Client Mode:
220-##########################################################################
220- FTP-Zugang von www.lima-city.de
220- Es gelten unsere AGB und Regeln.
220- Lies bei Fragen oder Problemen bitte zuerst in unseren Hilfetexten nach.
220-##########################################################################
220 Dies ist ein privates System - Keine anonyme Anmeldung m▒glich.
AUTH TLS
234 AUTH TLS OK.
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
- subject `OU=Domain Control Validated,OU=PositiveSSL,CN=zeus.lima-premium.de', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-09-01 00:00:00 UTC', expires `2016-08-31 23:59:59 UTC', SHA-1 fingerprint `613374289f586c3ab041ca47a71b451440530289'
Public Key ID:
87d79b8943d72ea8e47864752de77a856b5bb970
Public key's random art:
+--[ RSA 2048]----+
| |
| |
| . |
| ...o.o |
| S.+.o+.. |
| o+ + =o o|
| o. + =o.E.|
| +.. ...*..|
| ..o o.o |
+-----------------+
- Certificate[1] info:
- subject `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `02faf3e291435468607857694df5e45b68851868'
- Certificate[2] info:
- subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0'
- Certificate[3] info:
- subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', SHA-1 fingerprint `339cdd57cfd5b141169b615ff31428782d1da639'
- Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
comment:5 by , 8 years ago
https://ftptest.net/ has been updated to now also show and validate the received certificate chain.
debug log, version 3.19.0, working