Topic review

gregb

Ah, that makes sense. Thank you for taking the time to reply, Martin!
martin

Re: winscp.log attached

Your log file shows that the certificate is signed by a trusted authority, so the -certificate switch is not needed.


. 2020-06-29 08:51:34.074 Certificate verified against Windows certificate store
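
A log check for the behaviour described in the reply above, as an added example that is not part of the thread or of WinSCP: it reports when a script passes a `-certificate` pin while the session log shows the certificate was accepted through the Windows certificate store. The function name, the finding labels and the sample lines marked "constructed" are assumptions made for this example.

```powershell
# Added example, not from the thread: flag sessions where a -certificate pin was
# passed but the log shows the certificate was accepted via the Windows store.
function Get-WinScpCertTrustFinding {
    param(
        [Parameter(Mandatory)][string]$OpenCommand,  # the "open ..." script line
        [Parameter(Mandatory)][string[]]$LogLines    # lines of the /log= session log
    )
    # Pin as passed in the thread: 20 colon-separated hex bytes, optionally quoted.
    $pin = $null
    if ($OpenCommand -match '-certificate=[''"]*((?:[0-9a-f]{2}:){19}[0-9a-f]{2})') {
        $pin = $Matches[1].ToLowerInvariant()
    }
    # Log line format as quoted in the thread: ". <date> <time> <message>"
    $verifiedAt = $null
    foreach ($line in $LogLines) {
        if ($line -match '^\. (\S+ \S+) Certificate verified against Windows certificate store') {
            $verifiedAt = $Matches[1]
            break
        }
    }
    # Hypothetical finding labels, chosen for this example.
    $finding = 'NoStoreVerification'             # store line absent from this log
    if ($verifiedAt) { $finding = 'StoreTrusted' }
    if ($verifiedAt -and $pin) { $finding = 'PinSuppliedButStoreTrusted' }

    [pscustomobject]@{
        Finding       = $finding
        SuppliedPin   = $pin
        StoreVerified = $verifiedAt
    }
}

# Constructed sample input: the open line mirrors the thread's "invalid certificate"
# test; only the "Certificate verified ..." log line is taken from the thread.
$open = 'open ftps://USERNAME:password@ftpsite.company.com -passive=on ' +
        '-certificate="aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa"'
$log = @(
    '. 2020-06-29 08:51:33.900 (constructed) session start',
    '. 2020-06-29 08:51:34.074 Certificate verified against Windows certificate store',
    '. 2020-06-29 08:51:34.200 (constructed) session continues'
)
Get-WinScpCertTrustFinding -OpenCommand $open -LogLines $log
```

To audit a real run, pass the script's own `open` line and `Get-Content` of the file written by `/log=`.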
gregb

winscp.log attached

Hi Martin,
Log file attached. I was able to successfully connect with:
-certificate=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa

Greg
Guest

Looks good. I use this system too.
martin

Re: -certificate switch?

Please attach a full session log file showing the problem (using the latest version of WinSCP).

To generate the session log file, use the /log=C:\path\to\winscp.log command-line argument. Submit the log with your post as an attachment. Note that passwords and passphrases are not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.
gregb

-certificate switch?

WinSCP 5.17.3

WinSCP seems to be disregarding server certificates and automatically connecting to our partners, regardless of the certificate being offered. I'm using WinSCP.com via PowerShell. I know that a mistyped -certificate in the OPEN statement would previously cause the connection to fail (as it should) but I cannot remember how long ago that was, nor which WinSCP version that was. I've been using these scripts for a number of years, and the last certificate key update to this script was about 2 years ago.

Whether I connect with the valid certificate, an invalid certificate, or no certificate, this FTPS connection succeeds:
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -certificate='"31:a0:0f:ff:69:cc:9b:d5:10:df:98:36:b8:74:a5:9b:62:27:b1:87"' -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"

batch           abort     
confirm         off       
include         |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D---------   0                           0              ..
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  inbound
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  outbound




Invalid Certificate
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -certificate='"aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa"' -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"

batch           abort     
confirm         off       
include         |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D---------   0                           0              ..
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  inbound
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  outbound



No Certificate
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"

batch           abort     
confirm         off       
include         |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D---------   0                           0              ..
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  inbound
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  outbound

PS C:\Windows> exit


Have I cached the certificate somewhere and it's overriding the CLI? I did clear the cached host keys (Tools > CleanUp).
I did try several of our partner sites via the WinSCP GUI and none of them prompted me to accept a hostkey.
I tried running WinSCP 5.7.6 on a new system and got the same results.

Has something changed over time that I've missed in the release notes?

Graciously,
Greg