Expired Server Certificate - Can't Check the Trust Boxes

[gacekssj4]

Topic may not be new, but first of all, it may not be always possible to get certificate upgraded, so that means clicking alot.

Secondly, I think it is users who should decide if certificate is trusted or not... i think there should be option to allow to trust expired certificates. No need for parenting here I think.

Third, and last: You can bypass this problem by setting PC date back to where Certificate was valid. Then you can accept certificate and download stuff without problems.

[oceanor]

It's not always possible to have a trusted certificate on specified host.
A common situation is when you have a CDN behind your server, you have to use the direct IP address of the server to use FTP, and IP-certificates are not for free (not even cheap).
Happy clicking then.

[Vodkaneat]

I'll also chip in on this as I've the same issue.

A large transfer queue will repeatedly ask me to verify an expired certificate, which makes unattended transfers impossible. Is it at least possible to get this changed so I'm only asked once per host/ transfer queue?

It's not realistic to ask any host you connect to "fix their certificate". Of course they should, but as a user that's really not your call. I feel a similar way about an ftp client, it's there to facilitate the operation, why is it making this difficult? If I wanted to validate a host I'd use a security suite, not an ftp client.

Sadly, this issue is forcing me to use different software, which is a shame after so many years of use. To be honest I appreciate the response, but don't really understand it.

[botg]

If it concerns security, ease of use has to take the back seat.

[occicat]

Sadly I am here because of this certificate issue as well. I spent some time explaining this issue to my hosting provider who seems to think that their cert is fine, while FileZilla says it isn't.

<Removed>

According to my hosting provider, it's acceptable to have to click ok for each file transfer to and from their server with filezilla. The option to accept the cert in filezilla is of course not selectable and as one could imagine, this process will get old very fast. That or I could buy a non-shared server since they have one cert for multiples and that is causing the issue they said?

It seems neither party wants to own up to the fact that this is an issue and should be resolved. Been using FileZilla for over 10 years now, never ran into an issue like this before.

[boco]

The situation is very clear, though: A certificate that is expired is not valid any longer. Non-valid certificates must not be trusted permanently. So, your certificate issuer sold you an expired certificate? Because that's the subject of the topic at hand.

If the certificate (chain) is valid, you can check the box fine.

[reitzensteinm]

If it concerns security, ease of use has to take the back seat.

Then why allow connecting to servers with expired certificates at all?

If you're going to allow it, keeping the user's consent across the session makes sense. Or not allowing it at all makes sense too. But what's in there right now is a weird middle ground that's both insecure and not user friendly.

[boco]

@botg: Would it be possible to have a grace period (let's say, 30 days additional time for hosts to update) after the certificate has expired. In this time, warnings and certificate saved for session only. If the certificate is expired for longer, grey out the boxes. A yes, expired root certificates in cert chains should, of course, be deemed invalid, immediately.

Certificates that have just expired are no big danger. The danger is with the long expired or otherwise invalid/revoked ones.