
unsorted certificate chain

Posted: 2021-06-08 22:06
by Craigm1
Question about FTPS. For the most part ours works great, except for this error during the connection: "Server sent unsorted certificate chain in violation of the TLS specification". This error does not prevent any client functionality, but it is red and scary! ;)

I've done my reading on these forums; using the SSLShopper certificate checker, the chain checks out fine. Given that the chain checks out, I'm unsure how to proceed in correcting that error.

It's a wildcard cert, btw, if that matters. Also, we're self-hosting our FTP.

Names obfuscated in the screenshot intentionally.
Attachment: cert.png

Re: unsorted certificate chain

Posted: 2021-06-09 06:39
by botg
How did you check that the chain checks out fine?

Note that you must check explicitly against the FTP server. HTTP servers and FTP servers are different programs with independent configurations. Even if the certificates are correctly configured in one, it says nothing about the other.

Re: unsorted certificate chain

Posted: 2021-06-09 12:04
by Craigm1
Thank you for the reply.

I checked it out by pointing SSLShopper at the FTP server on port 990. When I compare the results from the SSLShopper link to the certs in the PEM file, they match in order from top to bottom, so I assumed the results were correct.

This is the link with my domain removed; I could PM it unedited.
https://www.sslshopper.com/ssl-checker.html#hostname=<host>.<domain>.com:990

This is the chain result that comes from the SSLShopper cert chain checker, in text form. I attached a screenshot in my first post.

Common name: *.<redacted>.com
SANs: *.<redacted>.com, <redacted>.com
Valid from September 1, 2020 to September 5, 2021
Serial Number: 9<removed>7
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Secure Certificate Authority - G2

Organization: Starfield Technologies, Inc. Org. Unit: Starfield Class 2 Certification Authority
Location: US
Valid from June 29, 2004 to June 29, 2034
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: Starfield Technologies, Inc.

Common name: Starfield Root Certificate Authority - G2
Organization: Starfield Technologies, Inc.
Location: Scottsdale, Arizona, US
Valid from December 31, 2013 to May 30, 2031
Serial Number: 3740804 (0x391484)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Technologies, Inc.

Common name: Starfield Secure Certificate Authority - G2
Organization: Starfield Technologies, Inc. Org. Unit: http://certs.starfieldtech.com/repository/
Location: Scottsdale, Arizona, US
Valid from May 3, 2011 to May 3, 2031
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Starfield Root Certificate Authority - G2

Re: unsorted certificate chain

Posted: 2021-06-09 12:07
by Craigm1
I just realized in my PEM file, the first entry is

-----BEGIN PRIVATE KEY-----
<a private key>
-----END PRIVATE KEY-----

and then beneath that private key the cert chain starts. Isn't that wrong? My private key is in a .KEY file.

Re: unsorted certificate chain

Posted: 2021-06-09 12:38
by boco
Both key and cert CAN be in the same file, that's what FileZilla Server does with its self-signed stuff, IIRC.

Re: unsorted certificate chain

Posted: 2021-06-10 20:02
by Craigm1
Oh good, I was afraid for a sec that the private key was at risk because I had it misconfigured...

Re: unsorted certificate chain

Posted: 2021-06-11 07:32
by botg
The certificate blocks in the file need to be ordered from the server certificate to root.

Looking at your chain, the issuer string listed on your server certificate is not found in the certificate that follows it immediately. I have my doubts as to the quality of the chain checker you used.

Edit: I ran a quick test with an intentionally mismatched chain. That chain checker you used is definitely broken.
Attachment: rofl.png

Re: unsorted certificate chain

Posted: 2021-09-01 18:05
by jstech012
I have connected to this site using OpenSSL:
(domain name removed: <mydomain>.com)
Here is the result. Can you assist in deciphering this?

depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.<mydomain>.com
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
 1 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2

Re: unsorted certificate chain

Posted: 2021-09-02 08:31
by botg
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
 1 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
The chain needs to be sorted. Following an issuer line (starting with i:) there must be a matching subject line (starting with s: after the certificate number).

Had the server sent a properly sorted chain, it would look something like this:
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
 3 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority

Re: unsorted certificate chain

Posted: 2021-09-02 11:36
by jstech012
Thanks for all of your help and explanation.

Is there a way I can manipulate this myself using OpenSSL? I am extracting the PEM and KEY from a .pfx in OpenSSL.
Or is this cert just malformed when we purchase it?

Re: unsorted certificate chain

Posted: 2021-09-03 07:31
by botg
If it's a PEM containing multiple certs, you can simply reorder the certificate blocks in any text editor.
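The ordering rule botg states above (server certificate first, then each certificate's issuer, down to the root), the sorted listing he shows, and the "reorder the blocks in a text editor" fix can be checked and applied mechanically. The script below is an added example, not code from this thread or from FileZilla Server. It reads the "Certificate chain" listing that `openssl s_client -showcerts` prints (for implicit FTPS: `openssl s_client -connect host:990 -showcerts </dev/null`; for explicit FTPS on port 21 add `-starttls ftp`), reports whether the chain as sent obeys the rule, computes the leaf-to-root order, and rewrites the CERTIFICATE blocks of a PEM bundle in that order while leaving a PRIVATE KEY block in the same file untouched. The function names, the sample bundle with placeholder bodies, and the listing copied from this page with `<mydomain>.com` as a placeholder are all constructed for the example; the script assumes the server sends certificates in the order they appear in the file, so listing index and block index line up.

```python
"""Check the order of a TLS certificate chain and rewrite a PEM bundle.

Added example, not code from the thread or from FileZilla Server. Input is
the 'Certificate chain' listing printed by `openssl s_client -showcerts`;
the rule checked is the one stated in the thread: certificate k+1 must be
the issuer of certificate k, leaf first, root (or last intermediate) last.
"""
import re

# Constructed copy of the listing posted in the thread (domain is a placeholder).
UNSORTED_CHAIN = """\
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.<mydomain>.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
 1 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
"""

# Constructed PEM bundle with placeholder bodies, in the same wrong order as the
# listing, with the private key kept in the same file as the original poster had it.
SAMPLE_BUNDLE = """\
-----BEGIN PRIVATE KEY-----
<private key omitted>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<leaf: *.<mydomain>.com>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Starfield Class 2 Certification Authority>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Starfield Root Certificate Authority - G2>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Starfield Secure Certificate Authority - G2>
-----END CERTIFICATE-----
"""

CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_chain(listing):
    """Return [(subject, issuer), ...] in the order the server sent the certs."""
    subjects = re.findall(r"^\s*\d+\s+s:(.*)$", listing, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", listing, re.M)
    if not subjects or len(subjects) != len(issuers):
        raise ValueError("not an s_client 'Certificate chain' listing")
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]


def is_sorted(chain):
    """True when every cert's issuer line matches the next cert's subject line."""
    return all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))


def sort_chain(chain):
    """Return indices of `chain` in leaf-to-root order.

    The leaf is the one cert no other cert names as its issuer. From it, follow
    issuer -> subject until a self-signed cert, or until the issuer is not in
    the bundle (a chain that stops at the last intermediate is also valid).
    """
    by_subject = {}
    for idx, (subj, _) in enumerate(chain):
        by_subject.setdefault(subj, []).append(idx)
    named_as_issuer = {iss for subj, iss in chain if subj != iss}
    leaves = [i for i, (subj, _) in enumerate(chain) if subj not in named_as_issuer]
    if len(leaves) != 1:
        raise ValueError("expected one leaf certificate, found %d" % len(leaves))
    order = [leaves[0]]
    while True:
        subj, iss = chain[order[-1]]
        nxt = [i for i in by_subject.get(iss, []) if i not in order]
        if subj == iss or not nxt:   # self-signed root reached, or issuer absent
            break
        order.append(nxt[0])
    return order


def reorder_pem(bundle, order):
    """Rewrite the CERTIFICATE blocks of `bundle` to follow `order`.

    Other blocks (the PRIVATE KEY) stay where they are. Assumes the server
    sends the certificates in file order, so listing index == block index.
    """
    blocks = CERT_BLOCK.findall(bundle)
    if len(blocks) != len(order):
        raise ValueError("bundle has %d certificate blocks, listing has %d"
                         % (len(blocks), len(order)))
    queue = iter(blocks[i] for i in order)
    return CERT_BLOCK.sub(lambda _m: next(queue), bundle)


if __name__ == "__main__":
    chain = parse_chain(UNSORTED_CHAIN)
    print("chain as sent is sorted:", is_sorted(chain))         # False
    order = sort_chain(chain)
    print("leaf-to-root order of the original blocks:", order)  # [0, 3, 2, 1]
    print(reorder_pem(SAMPLE_BUNDLE, order))
```

Two caveats. The script compares the distinguished names as `s_client` prints them; a real TLS library compares the DER-encoded names, so a match here is a good diagnosis of the ordering error but not a replacement for `openssl verify` against the reordered file. And the `verify error:num=19:self signed certificate in certificate chain` line in the output above is a separate matter from ordering: it is what `s_client` reports when the self-signed root the server sends is not in the trust store it was given, and it goes away once the client is pointed at a CA file that contains that root, whether or not the server sends it at all.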

Re: unsorted certificate chain

Posted: 2021-11-07 14:54
by jstech012
Hello Botg;
Just wanted to say thanks again for all of your assistance. I was delayed in resolving this issue, but finally got back around to it.
Resorted the cert blocks as you suggested, and voilà!
 0 s:CN = *.<mydomain>.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
 3 s:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority

no more ugly red unsorted chain error!

Appreciate your patience and kind help!