Topic review

martin

Re: Incessant certificate warnings

While it's indeed a wildcard certificate, every certificate for every connection WinSCP has made seems to have a different fingerprint.
Pointyears

Re: Incessant certificate warnings

To be more thorough, I tried S3 Browser portable on both my Windows 11 laptop, and the Citrix server with no certificate issues whatsoever (SSL is forced in both the client app, and the S3 policy we have precludes port 80 non-ssl connections).
Pointyears

Re: Incessant certificate warnings

Thanks, Martin. You've managed to confuse me more. I thought since it's a wildcard cert that's presented by AWS (*.s3-us-gov-west-1.amazonaws.com) to WinSCP with the same fingerprint that's both in that alert and in the winscp.ini that while it might be a different load balancer that WinSCP is talking through, the certificate is the same.
Thanks.
martin

Re: Incessant certificate warnings

I do not think it's not possible to "accept that condition".
The problem is that your server (AWS) is load balanced. So you are actually connecting to a different server with different certificate every time. So every time WinSCP prompts you, it prompts for a different certificate.
Pointyears

Re: Incessant certificate warnings

But it seems to me that the inability to accept that condition by selecting "Yes" to store the cert is a separate issue, no?
martin

Re: Incessant certificate warnings

The verification fails due to:
The revocation function was unable to check revocation because the revocation server was offline

It seems like some temporary network outage or lag.
Pointyears

Re: Incessant certificate warnings

Enclosed. Thanks.
martin

Re: Incessant certificate warnings

Please attach a full session log file (sorry, I should have asked for that before already).
Pointyears

Re: Incessant certificate warnings

See enclosure please, Martin. Clicking "Yes" allows the file copy to go on for a random interval measured in seconds and then the alert presents itself again. Saying "Yes" does nothing...repeatedly; it's never added to the cert store or anywhere, but the fingerprint is added to the winscp.ini. It's hard to say when this problem started as we had a seasonal lull in which we weren't using S3.
Thanks for your attention to this.
martin

Re: Incessant certificate warnings

Please post an exact and complete message that you are getting.
Pointyears

Incessant certificate warnings

We use WinSCP Portable (of varying versions) to connect to an AWS GovCloud S3 bucket via DoD devices. Initial connection goes fine, but after a variable number of operations (usually file copies) an alert appears for an untrusted connection. The certificate issuer is DHA (Defense Health) which means it's part of DHA's "man in the middle" packet inspection. The problem is selecting "yes" to continue and store the certificate does nothing other than putting the fingerprint in the winscp.ini file. There's just an endless series of those alerts in no discernible pattern which essentially makes WinSCP useless for us.

I've dug around the net and I haven't found anything that applies to bypass that warning using the GUI (vs .NET code). -certificate * looked promising in the .ini (to be narrowed down if that worked), but made no difference, nor did I find anything applicable or germane in the Raw Settings for that session.
Any way out of this? This has put us at a bit of a standstill. Thanks!

I ran the log in debug and below is all that it had re certificates.
. 2025-06-13 16:05:58.130 Doing SSL negotiation.
. 2025-06-13 16:05:58.280 ssl: Verify callback @ 2 => 20
. 2025-06-13 16:05:58.280 ssl: Verify failures |= 8 => 8
. 2025-06-13 16:05:58.295 Chain depth: 3
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 ssl: Match common name '*.s3-us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name 's3-us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name '*.s3.us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name 's3.us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 Identity match for 's3.us-gov-west-1.amazonaws.com': good
. 2025-06-13 16:05:58.295 Verifying certificate for "*.s3-us-gov-west-1.amazonaws.com" with fingerprint 4e:80:b7:a9:31:3f:4d:55:ee:7e:fb:f8:85:a6:e0:e7:09:a5:9c:2f:26:ed:c7:2f:c7:54:8d:c6:8d:ff:e7:7b and 08 failures
. 2025-06-13 16:05:58.418 Certificate verified against Windows certificate store
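An added triage script for session logs of the shape quoted above (example code written for this thread, not part of WinSCP): it pulls every "Verifying certificate" line, decodes the failure mask, notes whether the Windows store accepted the certificate afterwards, and counts distinct fingerprints, which is the quickest way to tell a rotating load-balancer certificate (many fingerprints) from a single certificate that keeps being rejected. The sample log lines are constructed, and the flag meanings assume WinSCP's S3 code uses the neon library's verification bitmask.

```python
import re
from collections import Counter

# Constructed sample in the shape of the WinSCP session log quoted above
# (fingerprints and timestamps are made up; only the line formats come from the log).
SAMPLE_LOG = """\
. 2025-06-13 16:05:58.130 Doing SSL negotiation.
. 2025-06-13 16:05:58.295 Verifying certificate for "*.s3-us-gov-west-1.amazonaws.com" with fingerprint aa:aa:aa:aa and 08 failures
. 2025-06-13 16:05:58.418 Certificate verified against Windows certificate store
. 2025-06-13 16:06:41.002 Doing SSL negotiation.
. 2025-06-13 16:06:41.160 Verifying certificate for "*.s3-us-gov-west-1.amazonaws.com" with fingerprint bb:bb:bb:bb and 08 failures
. 2025-06-13 16:07:12.310 Doing SSL negotiation.
. 2025-06-13 16:07:12.450 Verifying certificate for "*.s3-us-gov-west-1.amazonaws.com" with fingerprint aa:aa:aa:aa and 00 failures
"""
# Assumed meaning of the failure mask: WinSCP's S3 support is built on the neon library,
# whose ne_ssl verify flags are 1=not-yet-valid, 2=expired, 4=identity mismatch,
# 8=untrusted issuer/chain (the "08 failures" in the thread), 16=bad chain, 32=revoked.
FAILURE_FLAGS = {1: "not-yet-valid", 2: "expired", 4: "id-mismatch", 8: "untrusted", 16: "bad-chain", 32: "revoked"}

VERIFY_RE = re.compile(r'Verifying certificate for "(?P<subject>[^"]+)" with fingerprint '
                       r'(?P<fp>[0-9a-f:]+) and (?P<failures>\d+) failures')

def decode_failures(mask):
    """Expand a numeric failure mask into the names of the flags set in it."""
    return [name for bit, name in FAILURE_FLAGS.items() if mask & bit]

def parse_verifications(log_text):
    """One record per 'Verifying certificate' line, noting whether the Windows store then accepted it."""
    lines = log_text.splitlines()
    records = []
    for i, line in enumerate(lines):
        m = VERIFY_RE.search(line)
        if not m:
            continue
        # The store-verification message, when present, follows within the next few lines.
        accepted = any("verified against Windows certificate store" in nxt
                       for nxt in lines[i + 1:i + 4])
        records.append({"subject": m["subject"], "fingerprint": m["fp"],
                        "failures": decode_failures(int(m["failures"])),
                        "store_accepted": accepted})
    return records

def summarize(log_text):
    """More than one distinct fingerprint means the endpoint rotates certificates, so a single stored fingerprint cannot silence the prompt."""
    recs = parse_verifications(log_text)
    failed = [r for r in recs if r["failures"]]
    return {"connections": len(recs),
            "distinct_fingerprints": len(Counter(r["fingerprint"] for r in recs)),
            "failed": len(failed),
            "unaccepted_failures": sum(1 for r in failed if not r["store_accepted"])}
```

Run it over a real log with `summarize(open("session.log").read())`; a high `distinct_fingerprints` count with `unaccepted_failures` above zero matches the load-balancer explanation given in the replies.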