Private Key Issue

Jan 22, 2009 at 2:53 PM

Alex,

A very nice project you created! I am currently using CuteFTP Pro 8.0 to connect to an FTPS server (WS FTP Server). In CuteFTP, I need to select the locations of the client certificate and private key in order to make the connection. In the FTPS client, however, I couldn't seem to find a way to provide the private key to the client, which is required by the server. Without providing the private key, I got "authentication failed because the remote party has closed the transport stream" when connecting to the server via FTPS.

Am I missing something here? Thanks.

Fleming

Jan 22, 2009 at 9:23 PM
Edited Jan 22, 2009 at 9:26 PM
Fleming,

Certificate files may or may not contain the related private key.

Using AlexFTPS on Windows, just add your certificate along with the private key to your personal certificate store, exactly as you would do with Internet Explorer, and then call AlexFTPS passing the certificate file (without the private key) with the following option:

-sslClientCertPath <path/to/cert/file>

The Windows CryptoApi will fetch the private key from the protected store based on the (public) certificate you are providing. This is a quite safe solution, as you don't have to keep the private key on the file system.

Using Mono (e.g.: on Linux or Mac OS X), pass the certificate along with the private key in a single file to AlexFTPS (with the -sslClientCertPath option) in a suitable format (e.g.: PKCS#12).

If you need more help about that, please let me know the OS you are using (Windows, Linux, Mac OS X).

Don't forget to check the explicit / implicit FTPS settings required by your server. When using implicit FTPS add -ssl Implicit to the AlexFTPS command line and optionally set -port accordingly.


Cheers,

Alessandro 

Jan 23, 2009 at 2:05 AM
Alessandro,

Thanks for the pointer. Here is more info: I have the X.509 certificate file a.cert and the private key file a.key. I tried to import the certificate into Windows via IE or Certmgr. Neither asked for the private key file, the certificate didn't show up in the store, and I got a success message. Therefore, I figured there was something I did wrong. I then created a p12 file with a.cert and a.key and tried to import again. This time, it worked. I know because it asked for the passphrase of a.key and the certificate showed up in the store.

I then tested again by issuing: ftps -h myserver -port 21 -sslClientCertPath c:\a.cert -U mylogin -l, and I still got "authentication failed because the remote party has closed the transport stream".

I am testing this on Windows 2008 64 bit. The remote server is WS FTP server on Unix. Please let me know if there is more info you need. Thanks!

Fleming

Jan 23, 2009 at 10:36 AM
Hmmm

Two more things.

1) Export the certificate (without the private key) from the store:
  • In your personal certificate store, look for your client certificate
  • right click -> Open and check that the matching private key is loaded
  • right click -> All Tasks -> Export  
  • When it asks whether to export the private key, say no
  • Format, leave the default choice: DER encoded binary
  • Choose a location and filename (e.g.: c:\exported.cer)
Test it:

ftps -h myserver -port 21 -sslClientCertPath c:\exported.cer -U mylogin  -l

If it does not work, your server might have been configured with implicit FTPS:

2) Try an implicit FTPS connection:

Port 21:

ftps -h myserver -port 21 -sslClientCertPath c:\exported.cer -U mylogin -ssl Implicit -l

Port 990 (default for implicit FTPS):

ftps -h myserver -sslClientCertPath c:\exported.cer -U mylogin -ssl Implicit -l

Hope this helps!


Cheers,

Alessandro
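The procedures in this thread (bundling a.cert and a.key into a PKCS#12 file, then exporting the certificate again without its private key) can be reproduced with OpenSSL. The script below is an added example, not code from AlexFTPS or from this thread: it generates a throwaway self-signed client key and certificate as stand-ins for a.key and a.cert (constructed test material, not the poster's files), builds the PKCS#12 bundle, exports the certificate alone as DER (the same thing the certmgr "do not export the private key" path produces), and then does the check a practitioner wants before blaming the server: confirming that the private key really corresponds to the certificate, and that the exported .cer carries no key. The file names, the working directory and the password "changeit" are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of AlexFTPS or this discussion). Requires openssl.
set -eu

# Working directory for the generated files; override with WORK=/some/dir.
WORK="${WORK:-$(mktemp -d)}"

# 1. Constructed stand-ins for a.key / a.cert: a 2048-bit RSA key and a
#    self-signed certificate (no real client material is used here).
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ftps-client-test" \
        -keyout "$WORK/a.key" -out "$WORK/a.cert" >/dev/null 2>&1
}

# 2. Bundle certificate + private key into one PKCS#12 file, the format both
#    the Windows certificate importer and Mono accept. Password is assumed.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/a.key" -in "$WORK/a.cert" \
        -name "ftps-client" -passout pass:changeit -out "$WORK/a.p12"
}

# 3. Export the certificate WITHOUT the private key, DER encoded, which is
#    what -sslClientCertPath expects on Windows (the key stays in the store).
export_cert_der() {
    openssl pkcs12 -in "$WORK/a.p12" -passin pass:changeit -clcerts -nokeys \
        | openssl x509 -outform DER -out "$WORK/exported.cer"
}

# 4. Does the private key correspond to the certificate? Compare the
#    SubjectPublicKeyInfo embedded in each; prints "match" or "mismatch".
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/exported.cer" -inform DER -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$WORK/a.key" -pubout | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# 5. Confirm the exported file really is certificate-only: trying to parse it
#    as a private key must fail. Prints "cert-only" or "key-present".
der_has_no_key() {
    if openssl pkey -in "$WORK/exported.cer" -inform DER -noout >/dev/null 2>&1; then
        echo key-present
    else
        echo cert-only
    fi
}

main() {
    make_test_material
    make_pkcs12
    export_cert_der
    echo "pkcs12 bundle:  $WORK/a.p12"
    echo "exported cert:  $WORK/exported.cer"
    echo "key/cert pair:  $(key_matches_cert)"
    echo "exported file:  $(der_has_no_key)"
}

main
```

If key_matches_cert reports "mismatch", the p12 was built from a certificate and a key that do not belong together, and no client-side option will make the TLS handshake succeed; if it reports "match" and the handshake still fails, the problem lies elsewhere (server configuration, explicit vs implicit mode, or data-channel protection), which is where the rest of the thread goes.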


Jan 23, 2009 at 4:29 PM
1. After opening the certificate, in the General tab, I saw "You have a private key that corresponds to this certificate". This is about the only thing I saw related to the private key. I tried to export the certificate; when it asked whether to export the private key, the Yes option was disabled. Only the No option was available. Does this mean the private key wasn't imported right, e.g. the p12 file I created wasn't right even though it got imported OK?
2. Tried implicit mode. I got "The handshake failed due to an unexpected packet format". Tried port 990 and I got "No connection could be made. The target machine actively refused it".

I do however have more discoveries:
1. When using (ftps -h myserver -port 21 -sslClientCertPath c:\exported.cer -U mylogin -sys) to get info about the remote system, I got "UNIX" returned from the server without an error message.
2. When using (ftps -h myserver -port 21 -sslClientCertPath c:\exported.cer -U mylogin -l) to list the remote directory, I got the root path returned correctly but no subdirectories, and an "authentication failed because the remote party has closed the transport" error message right after that.
3. When using (ftps -h myserver -port 21 -sslClientCertPath c:\exported.cer -U mylogin -g /myfile), I got "error: could not get the requested file".

I think I am connected to the server successfully. It's just when I tried to do either -l or -g, it didn't work. It's either the encryption part with the private key or maybe server switched to another port to send data back as in passive mode? I can email all cert files etc directly to you if you need to do some testing.

Thanks for the quick reply!
Jan 23, 2009 at 4:40 PM
Edited Jan 23, 2009 at 4:43 PM
Fleming,

1) (…) when it asks whether to export the private key, the Yes option was disabled.

This is correct, Windows protects the private key that way.

2) Ok

Yes, I can test it. Please send me a p12 client cert file along with a server host name, username and password by email (info <at> pilotti.it)

Cheers,

Alessandro

Jan 23, 2009 at 5:44 PM
It should be in your inbox now.
Jan 23, 2009 at 6:05 PM
Fleming,

I was able to reproduce your problem.

It works by specifying -ssl ControlChannelRequired which means that the control channel is encrypted and the data channel not.

I tested it with a directory list. It should also work getting/putting files. I checked for a file to get for a test but didn't find any and I didn't want to look around in your server! :-)

I'm currently checking why the data channel forces a connection shutdown when encrypted.

Cheers,


Alessandro
Jan 23, 2009 at 6:39 PM
Wow, it worked! Many thanks!
Apr 27, 2009 at 8:27 PM
Hi,
I have a self-signed certificate installed for the FTP server (vsftpd). I created a new certificate for a client and signed it using this self-signed certificate. I want to allow a client only if he has this server-signed certificate. My question is: is it possible? Yes or no?

thanks
nione kamgi
Apr 28, 2009 at 8:55 AM
Hi Nione,

you should ask this question to the vsftpd guys:  http://vsftpd.beasts.org/

AlexFTPS supports client certificates, but the feature needs to be supported by the server.


Cheers,

Alessandro