-certificate switch?

gregb
Joined:
Posts:
6

WinSCP 5.17.3

WinSCP seems to be disregarding server certificates and automatically connecting to our partners, regardless of the certificate being offered. I'm using WinSCP.com via PowerShell. I know that a mistyped -certificate in the OPEN statement would previously cause the connection to fail (as it should), but I cannot remember how long ago that was, nor which WinSCP version that was. I've been using these scripts for a number of years, and the last certificate key update to this script was about 2 years ago.

Whether I connect with the valid certificate, an invalid certificate, or no certificate, this FTPS connection succeeds:
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -certificate='"31:a0:0f:ff:69:cc:9b:d5:10:df:98:36:b8:74:a5:9b:62:27:b1:87"' -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"
batch           abort     
confirm         off       
include         |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D---------   0                           0              ..
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  inbound
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  outbound
Invalid Certificate
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -certificate='"aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa"' -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"
batch           abort     
confirm         off       
include         |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D---------   0                           0              ..
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  inbound
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  outbound
No Certificate
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"
batch           abort     
confirm         off       
include         |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D---------   0                           0              ..
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  inbound
Drwxrwxr-x   0 USERNAME  FTP            256 Jun 15 2014  outbound

PS C:\Windows> exit

Have I cached the certificate somewhere and it's overriding the CLI? I did clear the cached host keys (Tools > Cleanup).
I did try several of our partner sites via the WinSCP GUI and none of them prompted me to accept a host key.
I tried running WinSCP 5.7.6 on a new system and got the same results.

Has something changed over time that I've missed in the release notes?

Graciously,
Greg

martin
Site Admin
Joined:
Posts:
41,468
Location:
Prague, Czechia

Re: -certificate switch?

Please attach a full session log file showing the problem (using the latest version of WinSCP).

To generate the session log file, use the /log=C:\path\to\winscp.log command-line argument. Submit the log with your post as an attachment. Note that passwords and passphrases are not stored in the log. You may want to remove other data you consider sensitive, though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.

gregb
Joined:
Posts:
6

winscp.log attached

Hi Martin,
Log file attached. I was able to successfully connect with:
-certificate=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa

Greg
  • winscp.log (11.46 KB, Private file)
Description: sanitized log

martin
Site Admin
Joined:
Posts:
41,468
Location:
Prague, Czechia

Re: winscp.log attached

Your log file shows that the certificate is signed by a trusted authority, so the -certificate switch is not needed.

. 2020-06-29 08:51:34.074 Certificate verified against Windows certificate store
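An added example (not from the thread and not WinSCP's own code) for checking this independently: the script below opens the FTPS control connection from PowerShell, records whether Windows trusts the certificate chain, and compares the server certificate's SHA-1 fingerprint with the value you would pass to -certificate. Host, port and fingerprint are the placeholders from Greg's command; the -Explicit switch is an assumption for servers that expect AUTH TLS rather than implicit TLS.

```powershell
# Added example, not WinSCP code: fetch the FTPS server certificate directly,
# record whether Windows trusts its chain, and compare its SHA-1 fingerprint
# with the value given to WinSCP's -certificate switch. No credentials are sent.
param(
    [string]$HostName = 'ftpsite.company.com',   # placeholder host from the thread
    [int]$Port        = 20021,
    [string]$Expected = '31:a0:0f:ff:69:cc:9b:d5:10:df:98:36:b8:74:a5:9b:62:27:b1:87',
    [switch]$Explicit  # assumption: set this for servers that need AUTH TLS instead of implicit TLS
)

$script:policyErrors = 'None'
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors   # keep the chain/name result, but finish the handshake
    return $true                     # so the certificate can be inspected
}

$tcp    = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$stream = $tcp.GetStream()
if ($Explicit) {
    # Explicit FTPS: consume the (possibly multi-line) 220 banner, then upgrade
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.AutoFlush = $true
    do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
    $writer.Write("AUTH TLS`r`n")
    $reply = $reader.ReadLine()
    if ($reply -notlike '234*') { throw "Server refused AUTH TLS: $reply" }
}
$ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
$ssl.AuthenticateAsClient($HostName)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
# Thumbprint is the SHA-1 digest as uppercase hex with no separators;
# WinSCP shows the same digest as colon-separated lowercase byte pairs.
$fingerprint = ($cert.Thumbprint -replace '(..)(?!$)', '$1:').ToLower()

[pscustomobject]@{
    Subject           = $cert.Subject
    Issuer            = $cert.Issuer
    NotAfter          = $cert.NotAfter
    ChainPolicyErrors = $script:policyErrors   # 'None' = verified against the Windows store
    Fingerprint       = $fingerprint
    MatchesExpected   = ($fingerprint -eq $Expected.ToLower())
}
$ssl.Dispose()
$tcp.Close()
```

ChainPolicyErrors of None together with MatchesExpected False is the situation in this thread: the chain validates against the Windows store, so WinSCP connects without the fingerprint having to match.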
