Expired Server Certificate - Can't Check the Trust Boxes

gacekssj4
500 Syntax error
Posts: 16
Joined: 2014-02-10 14:11

Re: Expired Server Certificate - Can't Check the Trust Boxes

#16 Post by gacekssj4 » 2019-12-30 22:36

Topic may not be new, but first of all, it may not always be possible to get the certificate upgraded, so that means clicking a lot.

Secondly, I think it is users who should decide if a certificate is trusted or not... I think there should be an option to allow trusting expired certificates. No need for parenting here I think.

Third, and last: You can bypass this problem by setting the PC date back to when the certificate was valid. Then you can accept the certificate and download stuff without problems.

oceanor
500 Command not understood
Posts: 1
Joined: 2020-03-14 10:06
First name: Federico
Last name: Fallico

Re: Expired Server Certificate - Can't Check the Trust Boxes

#17 Post by oceanor » 2020-03-14 10:09

It's not always possible to have a trusted certificate on the specified host.
A common situation is when you have a CDN behind your server, you have to use the direct IP address of the server to use FTP, and IP-certificates are not for free (not even cheap).
Happy clicking then.

Vodkaneat
500 Command not understood
Posts: 1
Joined: 2020-04-14 10:58
First name: Vodka
Last name: Neat

Re: Expired Server Certificate - Can't Check the Trust Boxes

#18 Post by Vodkaneat » 2020-04-14 11:25

I'll also chip in on this as I've the same issue.

A large transfer queue will repeatedly ask me to verify an expired certificate, which makes unattended transfers impossible. Is it at least possible to get this changed so I'm only asked once per host/transfer queue?

It's not realistic to ask any host you connect to "fix their certificate". Of course they should, but as a user that's really not your call. I feel a similar way about an ftp client, it's there to facilitate the operation, why is it making this difficult? If I wanted to validate a host I'd use a security suite, not an ftp client.

Sadly, this issue is forcing me to use different software, which is a shame after so many years of use. To be honest I appreciate the response, but don't really understand it.

botg
Site Admin
Posts: 33128
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Expired Server Certificate - Can't Check the Trust Boxes

#19 Post by botg » 2020-04-15 07:53

If it concerns security, ease of use has to take the back seat.

occicat
500 Command not understood
Posts: 1
Joined: 2020-05-08 12:51

Re: Expired Server Certificate - Can't Check the Trust Boxes

#20 Post by occicat » 2020-05-08 12:56

Sadly I am here because of this certificate issue as well. I spent some time explaining this issue to my hosting provider who seems to think that their cert is fine, while FileZilla says it isn't.

<Removed>

According to my hosting provider, it's acceptable to have to click OK for each file transfer to and from their server with FileZilla. The option to accept the cert in FileZilla is of course not selectable and as one could imagine, this process will get old very fast. That or I could buy a non-shared server since they have one cert for multiples and that is causing the issue they said?

It seems neither party wants to own up to the fact that this is an issue and should be resolved. Been using FileZilla for over 10 years now, never ran into an issue like this before.
Last edited by boco on 2020-05-08 14:27, edited 1 time in total.
Reason: Removed possible advertising.

boco
Contributor
Posts: 25259
Joined: 2006-05-01 03:28
Location: Germany

Re: Expired Server Certificate - Can't Check the Trust Boxes

#21 Post by boco » 2020-05-08 14:30

The situation is very clear, though: A certificate that is expired is not valid any longer. Non-valid certificates must not be trusted permanently. So, your certificate issuer sold you an expired certificate? Because that's the subject of the topic at hand.

If the certificate (chain) is valid, you can check the box fine.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

reitzensteinm
500 Command not understood
Posts: 1
Joined: 2020-06-04 06:53

Re: Expired Server Certificate - Can't Check the Trust Boxes

#22 Post by reitzensteinm » 2020-06-04 07:03

> If it concerns security, ease of use has to take the back seat.

Then why allow connecting to servers with expired certificates at all?

If you're going to allow it, keeping the user's consent across the session makes sense. Or not allowing it at all makes sense too. But what's in there right now is a weird middle ground that's both insecure and not user friendly.

boco
Contributor
Posts: 25259
Joined: 2006-05-01 03:28
Location: Germany

Re: Expired Server Certificate - Can't Check the Trust Boxes

#23 Post by boco » 2020-06-04 17:03

@botg: Would it be possible to have a grace period (let's say, 30 days additional time for hosts to update) after the certificate has expired? In this time, warnings and certificate saved for session only. If the certificate is expired for longer, grey out the boxes. And yes, expired root certificates in cert chains should, of course, be deemed invalid, immediately.

Certificates that have just expired are no big danger. The danger is with the long expired or otherwise invalid/revoked ones.
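The grace-period policy proposed in post #23, combined with the once-per-session consent requested in posts #18 and #22, sketched as an added example (not FileZilla's code and not part of any post above). `Cert`, `classify`, `SessionTrust`, `prompts_for_queue` and the host name are hypothetical; only expiry is modelled, and the chain is assumed to pass every other validation check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

GRACE = timedelta(days=30)  # grace period proposed in post #23
NOW = datetime(2020, 6, 4, tzinfo=timezone.utc)  # constructed reference time

class Decision(Enum):
    TRUST_OK = "chain within validity; trust boxes enabled"
    SESSION_ONLY = "warn once, remember for this session only"
    ALWAYS_PROMPT = "warn on every connection; trust boxes greyed out"

@dataclass(frozen=True)
class Cert:  # hypothetical minimal model of a parsed certificate
    fingerprint: str
    not_after: datetime

def classify(chain, now):
    """chain[0] is the server (leaf) certificate, the rest are its issuers."""
    leaf, issuers = chain[0], chain[1:]
    if any(c.not_after < now for c in issuers):
        return Decision.ALWAYS_PROMPT  # expired CA: no grace period
    if leaf.not_after >= now:
        return Decision.TRUST_OK
    if now - leaf.not_after <= GRACE:
        return Decision.SESSION_ONLY
    return Decision.ALWAYS_PROMPT

class SessionTrust:
    """Consent kept in memory only, keyed by host and leaf fingerprint."""
    def __init__(self):
        self._accepted = set()

    def allow(self, host, chain, now, ask_user):
        decision = classify(chain, now)
        if decision is Decision.TRUST_OK:
            return True
        key = (host, chain[0].fingerprint)
        if decision is Decision.SESSION_ONLY and key in self._accepted:
            return True  # already accepted during this session
        accepted = ask_user(host, decision)
        if accepted and decision is Decision.SESSION_ONLY:
            self._accepted.add(key)  # a different certificate prompts again
        return accepted

def prompts_for_queue(chain, now=NOW, transfers=3, host="ftp.example.test"):
    """Count prompts for a queue of transfers (constructed scenario)."""
    asked, trust = [], SessionTrust()
    for _ in range(transfers):
        trust.allow(host, chain, now, lambda h, d: asked.append(d) or True)
    return len(asked)
```

Because consent is keyed by the leaf fingerprint and never written to disk, a server that presents a different expired certificate mid-session triggers a new prompt, and nothing carries over to the next session.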
