unsorted certificate chain

Craigm1

unsorted certificate chain

#1 Post by Craigm1 » 2021-06-08 22:06

Question about FTPS. For the most part ours works great, except for this error during the connection: "Server sent unsorted certificate chain in violation of the TLS specification". This error does not prevent any client functionality, but it is red and scary! ;)

I've done my reading on these forums; using the SSLShopper certificate checker, the chain checks out fine. Given that the chain checks out, I'm unsure how to proceed in correcting that error.

It's a wildcard cert, by the way, if that matters. Also, we are self-hosting our FTP.

Names Obfuscated in screenshot intentionally
cert.png

botg

Re: unsorted certificate chain

#2 Post by botg » 2021-06-09 06:39

How did you check that the chain checks out fine?

Note that you must check explicitly against the FTP server. HTTP servers and FTP servers are different programs with independent configurations. Even if the certificates are correctly configured in one, it says nothing about the other.

Craigm1

Re: unsorted certificate chain

#3 Post by Craigm1 » 2021-06-09 12:04

Thank you for the reply.

I checked it by pointing SSLShopper at the FTP server on port 990. When I compare the results from the SSLShopper link to the certs in the PEM file, they match in order from top to bottom, so I assumed the results were correct.

This is the link with my domain removed; I could PM it unedited.
https://www.sslshopper.com/ssl-checker. ... n>.com:990

This is the chain result that comes from the SSLShopper cert chain checker, in text form. I attached a screenshot in my first post.

Common name: *.<redacted>.com
SANs: *.<redacted>.com, <redacted>.com
Valid from September 1, 2020 to September 5, 2021
Serial Number: 9<removed>7
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Secure Certificate Authority - G2

Organization: Starfield Technologies, Inc. Org. Unit: Starfield Class 2 Certification Authority
Location: US
Valid from June 29, 2004 to June 29, 2034
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: Starfield Technologies, Inc.

Common name: Starfield Root Certificate Authority - G2
Organization: Starfield Technologies, Inc.
Location: Scottsdale, Arizona, US
Valid from December 31, 2013 to May 30, 2031
Serial Number: 3740804 (0x391484)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Technologies, Inc.

Common name: Starfield Secure Certificate Authority - G2
Organization: Starfield Technologies, Inc. Org. Unit: http://certs.starfieldtech.com/repository/
Location: Scottsdale, Arizona, US
Valid from May 3, 2011 to May 3, 2031
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Root Certificate Authority - G2

Craigm1

Re: unsorted certificate chain

#4 Post by Craigm1 » 2021-06-09 12:07

I just realized in my PEM file, the first entry is

-----BEGIN PRIVATE KEY-----
<a private key>
-----END PRIVATE KEY-----

and then beneath that private key the cert chain starts. Isn't that wrong? My private key is in a .KEY file.

boco

Re: unsorted certificate chain

#5 Post by boco » 2021-06-09 12:38

Both key and cert CAN be in the same file, that's what FileZilla Server does with its self-signed stuff, IIRC.

Craigm1

Re: unsorted certificate chain

#6 Post by Craigm1 » 2021-06-10 20:02

Oh good, I was afraid for a sec that the private key was at risk because I had it misconfigured...

botg

Re: unsorted certificate chain

#7 Post by botg » 2021-06-11 07:32

The certificate blocks in the file need to be ordered from the server certificate to root.

Looking at your chain, the issuer string listed on your server certificate is not found in the certificate that follows it immediately. I have my doubts as to the quality of the chain checker you used.

Edit: I ran a quick test with an intentionally mismatched chain. That chain checker you used is definitely broken.
rofl.png
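An added check for the ordering rule botg describes (example script, not FileZilla's own code; it assumes the openssl CLI is installed): it walks the CERTIFICATE blocks of a bundle in file order, skipping a leading PRIVATE KEY block like the one in post #4, and confirms that each certificate's issuer is the subject of the certificate that follows it, which is the linkage the chain checker above failed to verify. The `make_test_bundles` helper builds a constructed demo hierarchy so the check can be exercised offline.

```shell
#!/bin/sh
# Chain-order check for a PEM bundle like the one FileZilla Server loads.
# Added example, not FileZilla's own code; assumes the openssl CLI is installed.
# Returns 0 when each certificate is followed by its issuer, 1 (with the first
# break printed) when the chain is unsorted.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d)
    # Keep only CERTIFICATE blocks, one per numbered file; a PRIVATE KEY block
    # at the top of the bundle (as in the thread) is simply skipped.
    awk -v dir="$tmp" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1; out = sprintf("%s/%03d.pem", dir, n) }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0 }' "$bundle"
    status=0
    prev_issuer=""
    for f in "$tmp"/*.pem; do
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        # The issuer named by the previous certificate must be this one's subject.
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "unsorted chain: expected '$prev_issuer' next, found '$subject'"
            status=1
            break
        fi
        prev_issuer=$issuer
    done
    rm -rf "$tmp"
    return $status
}

# Constructed root -> intermediate -> leaf hierarchy for demonstration only;
# writes one correctly ordered bundle and one with the last two certs swapped.
make_test_bundles() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ftp.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.key" "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/good.pem"
    cat "$d/leaf.key" "$d/leaf.pem" "$d/root.pem" "$d/int.pem" > "$d/bad.pem"
}
```

Source the script and run `check_chain_order /path/to/bundle.pem` against the file FileZilla Server is configured with; a non-zero exit with the printed subject names tells you which certificate is out of place.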
