filezilla client certificate store support

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply

who wants the certificate validation done using a certificate store?

Total votes: 2

500 Command not understood
Posts: 1
Joined: 2014-05-05 20:03
First name: Carl

filezilla client certificate store support

#1 Post by carlatpg » 2014-05-05 22:55

I've read on various posts that the filezilla client does not have any kind of certificate store support for validating signed tls certificates. I must ask WHY?!?!

The excuse that you're supposed to validate the certificate yourself is a BS answer. We have this chain certificate validation setup for a reason. And considering that every email client and web browser client does this for us, I don't see why the filezilla client doesn't support this.

Even if in the settings for the filezilla client to allow me to point to a pem file where all the major trusted certificate authorities exist would be an improvement. I got one from here:

I can add my own certificate authority to this pem file as well if I wanted so that I wouldn't have to go through an official certificate authority. Or I could just put my own certificate authority only in this file. But either way, I would then know if the certificate chain was valid.

Here is what I had to do to validate it myself:

1. Downloaded cacert.pem
# wget
2. Using openssl, I verified the certificate chain was complete
# openssl s_client -CAfile cacert.pem -connect host:990
3. I then checked the output and copy and pasted into a file named cert.pem the first set of lines:
4. Then I generated the sha1 value of it
# openssl x509 -in cert.pem -sha1 -noout -fingerprint
5. The sha1 value I got, I then compared to what filezilla was showing me. It was 40 digits long though!
6. Once it matched, then I knew I could accept it.

Now this should NOT be required. It should be doing a certificate chain validation and only when it doesn't match, should I be warned about it. I shouldn't be asked when I know it's a valid certificate.

So my question is this, when is this going to be implemented? And if you don't plan on implementing this, I'm sure someone here would love to fork off your project just so this useful and valid feature can be implemented.

Post Reply