FileZilla Forums


All times are UTC




PostPosted: 2009-02-09 03:44
500 Command not understood

Joined: 2009-02-09 03:24
Posts: 2
Hello,
I am not new to computers, but brand new to FTP servers.
I have been able to set up my FTP server to use SSL/TLS and everything is peachy.
My only issue (albeit a small one) is that when I connect the first time using FireFTP, it gives me the following warning message:
Quote:
[ip address] uses an invalid security certificate.

- The certificate is only valid for [Name].
- The certificate does not come from a trusted source.

This could be a problem with the server's configuration,
or it could be someone trying to impersonate the server.

If you have connected to this server successfully in the past,
the error may be temporary, and you can try again later.

Now, I can click Add Exception and it'll work. But I was just wondering if there was a way to set up my certificate so that it doesn't show that error message. Is it possible? Is that what certificate authorities are for? Is it possible for a "self-signed certificate" (if I understand cryptographic terminology properly) to be valid/secure so as to suppress the warning?


PostPosted: 2009-02-09 08:32
Site Admin

Joined: 2004-02-23 20:49
Posts: 24672
First name: Tim
Last name: Kosse
Yes, not really and not really.

CAs' only purpose is to get your money. All nice and shiny, but why should I trust some certificate only because some CA trusts it? Unless I have personally reviewed that particular CA in detail and in person, I don't trust it.

Self-signed certificates are actually more secure than certificates signed by a CA. If I get a self-signed cert prompt, I call the server administrator so that he can verify the fingerprint of the certificate. Then I do know the certificate is legit.
Browser manufacturers on the other hand seem to get paid money by the CAs so that their root certificates get included.

They even invent some special certificate classes once in a while that get sold for 100 times the price which can make the browser's address bar change color. They are only interested in profits, not actual security.


PostPosted: 2009-02-09 14:54
500 Command not understood

Joined: 2009-02-09 03:24
Posts: 2
Cool! Thanks for the explanation.


PostPosted: 2009-02-09 19:25
Contributor

Joined: 2006-05-01 03:28
Posts: 21089
Location: Germany
Do you know http://www.cacert.org/ yet? They're giving out free certs.

PostPosted: 2009-02-09 22:17
Site Admin

Joined: 2004-02-23 20:49
Posts: 24672
First name: Tim
Last name: Kosse
And no browser has them included for various dubious reasons. The truth is that CAcert does not have the money to pay browser vendors for inclusion.


PostPosted: 2009-03-26 19:47
500 Command not understood

Joined: 2009-03-26 19:41
Posts: 1
First name: John
Last name: Hamborg
I started having trouble viewing my Linksys router after I created a security cert. for my newly created FileZilla FTP server. I began a search to solve this issue so I could access my router again.

Code:
Secure Connection Failed


An error occurred during a connection to 192.168.1.1.

You have received an invalid certificate.  Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority.  Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

    * Please contact the web site owners to inform them of this problem.


I found this post on getting a certificate from cacert.org... only to get this error LOL... I blame Firefox...

Code:
Secure Connection Failed
       

www.cacert.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)


    * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.

    * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

          Or you can add an exception…



Goddamnit...


PostPosted: 2009-04-08 19:07
500 Command not understood

Joined: 2006-12-12 18:47
Posts: 3
Yeah,

Yet ANOTHER example of filthy rich, greedy corporate American CEOs and their trusty equally greedy lawyers strangling the little guy to make sure that every dime goes in THEIR pockets.

God forbid we could get a FREE certificate. (or the cure for cancer be released) OH NO!

Too much M-O-N-E-Y to be made.

Is it any wonder this Country is on the fast path to Hell?


PostPosted: 2009-04-08 22:59
504 Command not implemented

Joined: 2009-04-03 05:38
Posts: 10
botg wrote:
If I get a self-signed cert prompt, I call the server administrator so that he can verify the fingerprint of the certificate.


Q1. When a certificate has been created with FileZilla server, how can I check its fingerprint (XP Pro here)? I can do that locally using the client and clicking the lock, but I don't know how to view the certificate.crt file's information otherwise.

Q2. The MD5 and SHA-1 return different values when I check my certificate.crt file from the OS, and the MD5 and SHA-1 displayed on the certificate GUI when I open it in the client (also FZ). Can they be different values?

Q3. When creating a certificate, the Private key file and the certificate file are both contained in the certificate.crt file. I don't understand the function/purpose of the key password (in the SSL/TLS settings) and when do I need it.

Thanks


PostPosted: 2009-04-09 06:51
Site Admin

Joined: 2004-02-23 20:49
Posts: 24672
First name: Tim
Last name: Kosse
1) Certificate management tools like the commandline openssl tool
2) The signature hashes are over the raw certificate, if you hash the file you also hash headers and the base64 encoding.
3) Certificates created with a password outside of FZS.
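
The point made in answer 2 above, as an added example (not part of the original thread and not FileZilla code): a fingerprint is the hash of the certificate's DER bytes, so hashing the .crt file, which also contains PEM headers, base64 text and the private key block, gives a different value. The sample file is built from placeholder bytes rather than a real certificate, and all function names are hypothetical.

```python
import base64
import hashlib
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def certificate_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file.

    Other blocks (such as a private key stored in the same file) are skipped.
    """
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            # validate=True rejects stray characters instead of ignoring them
            return base64.b64decode("".join(body.split()), validate=True)
    raise ValueError("no CERTIFICATE block found")

def fingerprint(der, algorithm="sha1"):
    """Colon-separated hex digest of the given bytes, as certificate viewers show it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(label, der):
    """Wrap bytes in PEM armor with 64-column base64 lines (builds the sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)

# Constructed sample: placeholder bytes stand in for a real key and certificate.
SAMPLE_CERT_DER = bytes(range(256)) * 3
SAMPLE_KEY_DER = bytes(reversed(range(256))) * 2
SAMPLE_FILE = (to_pem("RSA PRIVATE KEY", SAMPLE_KEY_DER)
               + to_pem("CERTIFICATE", SAMPLE_CERT_DER))

if __name__ == "__main__":
    der = certificate_der(SAMPLE_FILE)
    print("hash of whole file:", fingerprint(SAMPLE_FILE.encode("ascii")))
    print("SHA-1 fingerprint :", fingerprint(der))
    print("MD5 fingerprint   :", fingerprint(der, "md5"))
```

To check a real file, read it as text and pass the contents to `certificate_der`; the resulting fingerprint is the value to compare with what the client displays.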


PostPosted: 2009-04-09 09:41
504 Command not implemented

Joined: 2009-04-03 05:38
Posts: 10
botg wrote:
1) Certificate management tools like the commandline openssl tool

Is there a GUI certificate management (link)? The MS certificate console is not compatible with .crt files

2 & 3 thanks

Edit: the openssl documentation is interesting but a little ahead of my level of understanding. The easiest way I found to find the cert. fingerprint is to open it in the FZ client and to copy it, or take a print screen.

