Server Certificate rejected by Chain Verifier message

meme
500 Syntax error
Posts: 16
Joined: 2009-07-21 10:36
First name: me
Last name: me

Server Certificate rejected by Chain Verifier message

#1 Post by meme » 2009-07-29 17:32

Hello,

The FileZilla FTP server is configured for SSL/Explicit. I've used FileZilla's generate private certificate function. However, when I try to connect to the server using Tibco the following message appears: 'Server Certificate rejected by Chain Verifier message'.

Is there another file generated for private SSL apart from certificate.crt? Does FileZilla generate a CA Root certificate too?


Meme

botg
Site Admin
Posts: 35538
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Server Certificate rejected by Chain Verifier message

#2 Post by botg » 2009-07-29 17:39

FileZilla Server generates self-signed certificates.


Re: Server Certificate rejected by Chain Verifier message

#3 Post by meme » 2009-07-30 09:00

Hello,

How many self-signed certificates does Filezilla generate?

Should there be one file for the Private key and another file for the Certificate?

regards,
meme


Re: Server Certificate rejected by Chain Verifier message

#4 Post by botg » 2009-07-30 12:06

> How many self-signed certificates does Filezilla generate?
>
> Should there be one file for the Private key and another file for the Certificate?

The certificate _IS_ the self-signed certificate.


Re: Server Certificate rejected by Chain Verifier message

#5 Post by meme » 2009-07-30 13:42

Oh okay -

I take it that the private key is also the certificate too?

Am I correct in thinking that the FileZilla SSL certificate function only generates one file?

To establish an SSL/explicit connection, is there no need to import the certificate to the computer that the FTP client is on?

Has anyone got any idea why the Tibco FTP client is displaying this message: "Server Certificate rejected by Chain Verifier message"?

regards,
meme


Re: Server Certificate rejected by Chain Verifier message

#6 Post by botg » 2009-07-30 14:22

> To establish an SSL/explicit connection, is there no need to import the certificate to the computer that the FTP client is on?

The full certificate is always presented to the client during the connection handshake.

> Has anyone got any idea why the Tibco FTP client is displaying this message: "Server Certificate rejected by Chain Verifier message"?

Very bad client I'd say.

redleg
226 Transfer OK
Posts: 267
Joined: 2008-11-24 17:23

Re: Server Certificate rejected by Chain Verifier message

#7 Post by redleg » 2009-07-30 14:35

meme, the certificate FZs generates for SSL/TLS encrypted sessions is complete as a self-signed cert and works just fine. Some clients (like your Tibco) look for certificates with a full chain (3 person chain: top, intermediate and server), like a trust pyramid, with the top level being most trusted and actually a part of the certificate stores in the OS and certain programs. Full certs (3 level) are all very useful in authentication and verifying the server is trusted (by someone who got paid big money), but really have nothing to do with the value of the encryption itself, and it should be an option presented by the client whether the user desires to trust the self-signed cert or not. My email client does this: foolishly rejects self-signed certs as not valid and refuses to initiate a TLS session unless I do a per-connection approval or override it altogether by importing the self-signed certs into the OS trusted store.

Anyways, I think you have a couple of options here: either import the certificate into the trusted store of the client or the OS of the system you are running the client from, or, and maybe easier, get a client that doesn't try to make decisions like this silently instead of seeking your approval... like FileZilla client... ;)
Network Config Guide (setup & connection issues)
FileZilla wiki (FAQs, screenshots, & "got logs?" info:)
FTP server test (plain), FTP(E)S server test (encrypted)
FTP commands (see also List_of_FTP_server_return_codes)


Re: Server Certificate rejected by Chain Verifier message

#8 Post by meme » 2009-07-30 15:18

Thank you redleg for your informative reply :)

I'm not familiar with Tibco, but I'm told that it must be used. I've been successful when it comes to establishing the SSL/explicit connection using SmartFTP and FileZilla FTP. Although when I use FileZilla FTP 3, a 'TLS shutdown connection' message appears?

Thank you for confirming that FZs generates a complete private certificate. I was expecting it to also generate a private/public key too.
So I take it that the private SSL certificate is not a full cert.

How can I go about importing the .crt into the OS trusted store?
Is it possible for OpenSSL to generate a full cert? Or must you pay for the privilege to buy a full cert?

regards,
meme


Re: Server Certificate rejected by Chain Verifier message

#9 Post by redleg » 2009-07-30 18:59

yvw, I'm glad it helped some, being inflicted with the gift of gab tends to muddy things up or put folks to sleep at times... ;)

ok, I don't know anything about Tibco either; that sucks that it must be used but doesn't work with an RFC-compliant server (like FZs)... Is this the FTP client you must use at work? (assuming you are connecting to FZs at home or elsewhere?) Can you run "portable" programs from a thumbdrive without violating any rules and policies at work or the location you are restricted to using Tibco? If you can use portable apps, FZc is portable (portableapps.com has a nice package for it too) ;D

As for FZc and the TLS shutdown connection message, hmmm, do you have the server or client logs showing that?

As for FZs generating a "complete private certificate", well, sort of: it generates a complete self-signed certificate for your server, meaning, in this case, that the same file that ends in .crt holds both your public and private key pair. If you open it with a text editor you should see the two parts there, looking like this:
-----BEGIN RSA PRIVATE KEY-----
(lots of random looking characters here)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(lots of random looking characters here)
-----END CERTIFICATE-----

If you have access to the FZs-generated .crt you can make a copy of it, open it with a text editor and delete the private key (everything between BEGIN and END RSA PRIVATE KEY, including all the ---, but leave the --- and BEGIN/END CERTIFICATE lines alone!)

Now save that as "something.crt" and go to the client to import the certificate. If the client does not have a trusted storage then you may be able to right-click on the .crt and use the "Install Certificate" function from the file right-click menu to get it installed into the OS trusted stores (assuming the OS is Windows; for others I do not know how to do this).

As for OpenSSL generating one, yes, it certainly can... lol, not the easiest thing in the world to do for cmdline-challenged folks like me, but there are many helpful tools and batch files out there to assist. Basically it depends on the policy the client used (FTP, browser, mail, etc.) or the OS enforces. If your client will take certs generated and signed by unrecognized certificate authorities (CAs) then you may be good; if not you may have to pay for one (can be quite expensive) from Thawte, VeriSign, RapidSSL, etc.

Anyways, look at the Key Manager toolbox addon for the Firefox browser, or check sourceforge.net for some wrappers or GUIs. I like XCA, http://sourceforge.net/projects/xca/, and the Firefox toolbox. Another option to roll your own is batch files; this is an old dev from a friend of mine, PKI Toolkit; they still work although they may need editing to get what you want with modern OpenSSL files.

Hope some of this helps.
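As an added example (not code from the thread or from FileZilla), here is the edit redleg describes in this post and again in post #13 done programmatically: split the single .crt bundle into its PEM blocks, keep only the CERTIFICATE block for import on the client, and refuse to treat a file as shareable while it still carries a private key. The sample bundle is constructed with placeholder bodies; the only assumption is the standard PEM BEGIN/END framing shown above.

```python
import re

# Constructed sample of the single .crt bundle FileZilla Server writes: a PEM
# private-key block followed by a PEM certificate block. The base64 bodies are
# placeholders, not real key or certificate material.
SAMPLE_BUNDLE = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholderkeybody00000000000000000000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUplaceholdercertbody00000000000000000000000000
-----END CERTIFICATE-----
"""

# One PEM block: BEGIN/END lines carrying the same label, with the body between.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem_bundle(text):
    """Return (public_blocks, private_blocks) found in a PEM bundle.

    Any label ending in "PRIVATE KEY" (RSA PRIVATE KEY, EC PRIVATE KEY, or the
    PKCS#8 "PRIVATE KEY") is treated as secret material."""
    public, private = [], []
    for m in PEM_BLOCK.finditer(text):
        block = m.group(0) + "\n"
        if m.group("label").endswith("PRIVATE KEY"):
            private.append(block)
        else:
            public.append(block)
    return public, private


def certificate_only(text):
    """What redleg describes saving as 'something.crt': the CERTIFICATE
    block(s) only, with every private-key block stripped out."""
    public, _ = split_pem_bundle(text)
    return "".join(public)


def contains_private_key(text):
    """True if the file still carries a private key and so must stay on the
    server rather than be copied to a client for import."""
    return bool(split_pem_bundle(text)[1])
```

Run `certificate_only` on a copy of the generated file and import only its output; the original, with the key, stays with the server.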


Re: Server Certificate rejected by Chain Verifier message

#10 Post by meme » 2009-07-31 08:57

Hello redleg,

Thanks for your help so far.
It is an FTP client that must be used.

I've tried to open the certificate.crt using a text editor like Notepad; however, the following prompt window appears: 'Invalid Public Key Security Object File. This file is invalid for use as the following: Security Certificate'.

The certificate.crt file that FZs generates, is that also a self-signed root certificate? I'm told that an intermediate part of the chain is missing?
At the moment the certificate.crt file is being installed but not working.

Tibco does look for a full chain. With the .crt file generated by FZs, how do I create the top, intermediate and server certificates?


regards,
meme


Re: Server Certificate rejected by Chain Verifier message

#11 Post by botg » 2009-07-31 09:13

> The certificate.crt file that FZs generates, is that also a self-signed root certificate?

Self-signed certificates are by definition root certificates.

> I'm told that an intermediate part of the chain is missing?

Intermediate certificates are not required. If your client needs one then your client is broken.


Re: Server Certificate rejected by Chain Verifier message

#12 Post by meme » 2009-07-31 13:44

Hello,

I believe that the reason why Tibco is showing the 'Server rejected by Chain verifier' message is down to the fact that the Public key within the .crt file is invalid.

For some reason I am unable to open the certificate.crt file generated by FZs and view the Public/Private keys within the file. The following window appears each time I try to open the file: 'Invalid Public Key Security Object File. This file is invalid for use as the following: Security Certificate'.

Any ideas why this certificate is invalid?

regards,
meme


Re: Server Certificate rejected by Chain Verifier message

#13 Post by redleg » 2009-07-31 16:42

The cert is valid; MS doesn't think so. Open notepad.exe and drag/drop the .crt file onto it. Edit out the part I mentioned earlier and save with a new name .crt.

Right-click on that new file and select Install, then install to Trusted. Try again with the client. If it still fails, talk with the client sysadmin and get permission to use portable apps (get it in writing). Or try the three zip files I pointed to and roll yer own, making it MS compliant. :)


Re: Server Certificate rejected by Chain Verifier message

#14 Post by meme » 2009-08-03 11:18

Thanks redleg,

Opening the file in notepad.exe worked a treat.

This is the log for the 424 can't open data connection. I'm using SmartFTP; the same happens with the FileZilla client.
Yet at home I can connect with no problem, and I'm using SmartFTP. On the FileZilla FTP server, ports 55450 to 55500 have been opened for passive mode.


[14:53:20] SmartFTP v3.0.1035.0
[14:53:21] Resolving host name "11.111.11.1"
[14:53:22] Connecting to 11.111.11.1 Port: 55450
[14:53:22] Connected to 11.111.11.1.
[14:53:22] 220-FileZilla Server version 0.9.32 beta
[14:53:22] 220-
[14:53:22] 220 FTPS
[14:53:22] AUTH TLS
[14:53:22] 234 Using authentication type TLS
[14:53:22] Connected. Exchanging encryption keys...
[14:53:22] Session Cipher: 128 bit RC4
[14:53:23] TLS encrypted session established.
[14:53:23] Command channel protection set to Private.
[14:53:23] PBSZ 0
[14:53:23] 200 PBSZ=0
[14:53:23] USER meme
[14:53:23] 331 Password required for meme
[14:53:23] PASS (hidden)
[14:53:23] 230 Logged on
[14:53:23] SYST
[14:53:23] 215 UNIX emulated by FileZilla
[14:53:23] Detected Server Type: UNIX
[14:53:23] RTT: 9.997 ms
[14:53:23] FEAT
[14:53:23] 211-Features:
[14:53:23]  MDTM
[14:53:23]  REST STREAM
[14:53:23]  SIZE
[14:53:23]  MLST type*;size*;modify*;
[14:53:23]  MLSD
[14:53:24]  AUTH SSL
[14:53:24]  AUTH TLS
[14:53:24]  UTF8
[14:53:24]  CLNT
[14:53:24]  MFMT
[14:53:24] 211 End
[14:53:24] CLNT SmartFTP 3.0.1035.0
[14:53:24] 200 Don't care
[14:53:24] OPTS UTF8 ON
[14:53:24] 200 UTF8 mode enabled
[14:53:24] PWD
[14:53:24] 257 "/" is current directory.
[14:53:24] TYPE A
[14:53:24] 200 Type set to A
[14:53:24] PROT P
[14:53:24] 200 Protection level set to P
[14:53:24] PASV
[14:53:24] 227 Entering Passive Mode (11,111,11,1,216,185)
[14:53:24] Opening data connection to 11.111.11.1 Port: 55481
[14:53:24] MLSD
[14:53:35] 425 Can't open data connection.
[14:53:35] Automatic failover of data connection mode from "Passive Mode (PASV)" to "Active Mode (PORT)".
[14:53:35] PORT 10,10,20,163,7,103
[14:53:35] 200 Port command successful
[14:53:35] MLSD
[14:53:35] 150 Opening data channel for directory list.
[14:53:46] 425 Can't open data connection.
[14:54:16] NOOP
[14:54:16] 200 OK
[14:54:46] NOOP
[14:54:47] 200 OK
[14:55:17] NOOP
[14:55:17] 200 OK
[14:55:47] NOOP
[14:55:47] 200 OK
[14:56:17] NOOP
[14:56:17] 200 OK
[14:56:29] PASV
[14:56:29] 227 Entering Passive Mode (11,111,11,1,216,186)
[14:56:29] Opening data connection to 11.111.11.1 Port: 55482
[14:56:29] MLSD
[14:56:39] 425 Can't open data connection.
[14:56:39] Automatic failover of data connection mode from "Passive Mode (PASV)" to "Active Mode (PORT)".
[14:56:39] PORT 10,10,20,163,7,214
[14:56:39] 200 Port command successful
[14:56:39] MLSD
[14:56:39] 150 Opening data channel for directory list.
[14:56:50] 425 Can't open data connection.
[14:57:20] NOOP
[14:57:20] 200 OK
[14:57:50] NOOP

Disabling the firewall and connecting the server directly to the modem is not a viable option either.

regards,
meme
Last edited by boco on 2009-08-03 11:53, edited 1 time in total.
Reason: Please put logs in [code] tags, or the browser will kill spaces!
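As an added diagnostic example (not from the thread), this script decodes the PASV/PORT address tuples in a client log like the one above and flags the two things visible in it: whether the PASV port falls inside the 55450-55500 range the poster says is opened on the server, and whether the PORT command hands the server a private (RFC 1918) address it cannot connect back to. The sample log is a constructed excerpt in the shape of the posted one, with the addresses as posted.

```python
import re

# Constructed excerpt in the shape of the SmartFTP log above (addresses as posted).
SAMPLE_LOG = """[14:53:24] PASV
[14:53:24] 227 Entering Passive Mode (11,111,11,1,216,185)
[14:53:35] 425 Can't open data connection.
[14:53:35] PORT 10,10,20,163,7,103
[14:53:35] 200 Port command successful
[14:53:46] 425 Can't open data connection.
"""

# Passive port range the poster says is opened on the FileZilla Server side.
PASSIVE_RANGE = (55450, 55500)

# The h1,h2,h3,h4,p1,p2 tuple used by both 227 replies and PORT commands.
ADDR_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_host_port(text):
    """Decode an FTP address tuple into (host, port); port = p1 * 256 + p2."""
    m = ADDR_RE.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def is_private_ipv4(host):
    """RFC 1918 check: an address a server across NAT cannot connect back to."""
    a, b = (int(x) for x in host.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def diagnose(log, passive_range=PASSIVE_RANGE):
    """Walk a client log and report why each 425 data-connection failure occurred."""
    findings, last = [], None  # last = (mode, host, port) of the latest PASV/PORT
    lo, hi = passive_range
    for line in log.splitlines():
        if " 227 " in line:
            host, port = decode_host_port(line)
            last = ("PASV", host, port)
            if not lo <= port <= hi:
                findings.append(f"PASV port {port} is outside the opened range {lo}-{hi}")
        elif "] PORT " in line:
            host, port = decode_host_port(line)
            last = ("PORT", host, port)
            if is_private_ipv4(host):
                findings.append(f"PORT announces private address {host}; unreachable across NAT")
        elif " 425 " in line and last:
            findings.append("425 after %s to %s:%d" % last)
    return findings
```

For the posted log the PASV port 55481 is inside the opened range, so the passive failure points at a firewall or forwarding problem on the server side rather than at the range itself.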


Re: Server Certificate rejected by Chain Verifier message

#15 Post by botg » 2009-08-03 12:51

Are you really using that IP address? If you have modified the log you have made the log useless.
