Why does AlexFTPS complain "WARNING: SSL/TLS remote certificate chain errors"?

Jan 20, 2009 at 1:32 PM
I use FileZilla Server as my FTP server, and created a certificate with FileZilla Server.
The Subject and Issuer are the same.
But when I use AlexFTPS to connect to my server through SSL,
it complains "WARNING: SSL/TLS remote certificate chain errors".
The CN (common name) is the same as the IP of my FTP server.
What causes this complaint?
Coordinator
Jan 20, 2009 at 2:54 PM
Hi Jetsun,

This is a design feature of SSL/TLS. A remote certificate chain error means that the certificate CN is ok, but the CA which issued the certificate is not trusted. The certificate you are using is a self signed certificate generated by FileZilla server.
Depending on the platform you are using (.Net framework on Windows, Mono on Linux or Mac OS X) you could add the CA certificate to the trusted CA store handled by the OS. Please let me know if you need more advice on this.
 
To ignore this warning, just add: -sslInvalidServerCertHandling Accept to the command line.

Cheers
Feb 9, 2009 at 10:22 PM
Is there a way to set sslInvalidServerCertHandling to Accept using the API?
Coordinator
Feb 9, 2009 at 10:51 PM
Hi,

Yes, just implement a RemoteCertificateValidationCallback delegate and pass it to the Connect method as in the following code snippet:

using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Signature required by the RemoteCertificateValidationCallback delegate
private static bool ValidateTestServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
     // Accept any certificate, whatever sslPolicyErrors reports
     return true;
}

// Pass the delegate to Connect (the other arguments are elided here)
client.Connect(..., new RemoteCertificateValidationCallback(ValidateTestServerCertificate), ...);

You might also add some more complex logic, based on your needs. The certificate, chain and sslPolicyErrors parameters provide the necessary context.

Cheers,

Alessandro

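The callback below is an added example (not code from AlexFTPS or from Alessandro) of the "more complex logic" mentioned above: instead of returning true for everything, it accepts a self-signed FileZilla Server or IIS certificate only when its thumbprint matches one recorded out of band, and still rejects missing or expired certificates. PinnedCertValidator and PinnedThumbprint are assumed names; the thumbprint value is a placeholder.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of AlexFTPS: pin the expected self-signed certificate
// rather than accepting any certificate.
static class PinnedCertValidator
{
    // Placeholder: replace with the SHA-1 thumbprint shown by FileZilla Server or IIS
    // for the certificate you generated (hex, no spaces).
    const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // A certificate the OS already trusts, with a matching name, needs no pinning.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // No certificate at all is never acceptable.
        if (certificate == null ||
            (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;

        var cert2 = new X509Certificate2(certificate);

        // Reject certificates that are not yet valid or already expired, even if pinned.
        DateTime now = DateTime.Now;
        if (now < cert2.NotBefore || now > cert2.NotAfter)
            return false;

        // RemoteCertificateChainErrors is expected for a self-signed certificate, and
        // RemoteCertificateNameMismatch appears when the CN differs from the value given
        // to -h (e.g. an IP address). In both cases accept only the exact pinned certificate.
        bool pinned = string.Equals(cert2.Thumbprint, PinnedThumbprint,
                                    StringComparison.OrdinalIgnoreCase);
        if (!pinned)
            Console.Error.WriteLine("Rejected certificate {0} ({1}), errors: {2}",
                                    cert2.Subject, cert2.Thumbprint, sslPolicyErrors);
        return pinned;
    }
}

// Usage with the same Connect overload as above (other arguments elided as in the original):
// client.Connect(..., new RemoteCertificateValidationCallback(PinnedCertValidator.Validate), ...);
```

The same callback also answers the later "remote certificate name mismatch" question in this thread: a pinned certificate is accepted without needing its CN to match the host name.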

Aug 21, 2012 at 3:32 AM

Hi -

I am using FTPS with IIS 7.5 and I created a self-signed certificate from within the IIS manager. When I run this software from the command line I get a warning message that is slightly different from the one above; however, I was wondering, is it the same fix? Do I need to generate a cert from a trusted source to fix the SSL/TLS remote certificate name mismatch error, or is this a different issue? If so, how do I input this cert, once I order it, into the IIS 7.5 manager? I see a place under Server Certificates, then import certs under Actions, but it also asks for a password, which is kind of confusing. Let me know.

Thanks

C:\Program Files\ALEX FTPS>ftps -h 172.12.80.156 -U doej -P xxxxxxxxxx -ssl
ControlAndDataChannelsRequired  -sslInvalidServerCertHandling Accept -l
Alex FTPS version 1.1.0
Copyright (C) Alessandro Pilotti 2008-2009

http://www.codeplex.com/ftps
info@pilotti.it

This is free software, you may use it under the terms of
the LGPL license <http://www.gnu.org/copyleft/lesser.html>

WARNING: SSL/TLS remote certificate name mismatch

Remote directory: /

08-19-12  09:59PM       <DIR>          007
08-19-12  09:42PM       <DIR>          New folder

Oct 3, 2013 at 1:34 AM
"A remote certificate chain error means that the certificate CN is ok, but the CA which issued the certificate is not trusted. The certificate you are using is a self signed certificate generated by FileZilla server.
Depending on the platform you are using (.Net framework on Windows...) you could add the CA certificate to the trusted CA store handled by the OS.

To ignore this warning, just add: -sslInvalidServerCertHandling Accept to the command line."

I'm in a similar situation. I've got filezilla with a cert on my win7 PC, from a trusted CA, but filezilla says my client is "not logged in". I then tried -sslInvalidServerCertHandling Accept without luck as well.

The error I get is: "ERROR: Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Inner exception: System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)"

For reference, and to eliminate the issue of firewalls blocking a necessary port, the filezilla client connects successfully.

thanks!
Apr 2, 2014 at 12:36 PM
Edited Apr 2, 2014 at 12:42 PM
I had the same kind of issues.
Working with FileZilla or IIS, or creating a certificate with openssl,
I always had a chain error and couldn't figure out how the sslPolicyErrors variable was filled.

I decided to rewrite ValidateTestServerCertificate in the FTPSClient DLL to read the certificate store directly.
    using System;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    public static bool ValidateTestServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        bool certOk = false;

        // Reject certificates that are not yet valid or already expired.
        // Note: the date strings are in local time, so the comparison with UtcNow
        // is off by the local timezone offset right at the validity boundaries.
        DateTime effectiveDate = Convert.ToDateTime(certificate.GetEffectiveDateString());
        DateTime expirationDate = Convert.ToDateTime(certificate.GetExpirationDateString());

        if (effectiveDate.CompareTo(System.DateTime.UtcNow) < 0 && expirationDate.CompareTo(System.DateTime.UtcNow) > 0)
        {
            // sslPolicyErrors is ignored; the certificate is accepted only if it is
            // already present in the LocalMachine "My" store (the default store name).
            X509Store store = new X509Store(StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);

            // store.Certificates returns a fresh collection on each access, so read it once
            X509Certificate2Collection storedCerts = store.Certificates;
            for (int i = 0; i < storedCerts.Count; i++)
            {
                X509Certificate2 storedCert = storedCerts[i];
                // X509Certificate.Equals compares issuer name and serial number
                if (storedCert.Equals(certificate)) certOk = true;
            }
            store.Close();
        }
        return certOk;
    }
In my program, I call it this way:
   client.Connect(...,new RemoteCertificateValidationCallback(FTPSClient.ValidateTestServerCertificate),...);
So far, it seems to work.
Alex, are there any other major checks I could add to my tests?
Thanks

Hope this helps.
Cheers
Nicolas