Incessant certificate warnings


Pointyears (Guest)

Incessant certificate warnings

We use WinSCP Portable (of varying versions) to connect to an AWS GovCloud S3 bucket via DoD devices. Initial connection goes fine, but after a variable number of operations (usually file copies) an alert appears for an untrusted connection. The certificate issuer is DHA (Defense Health) which means it's part of DHA's "man in the middle" packet inspection. The problem is selecting "yes" to continue and store the certificate does nothing other than putting the fingerprint in the winscp.ini file. There's just an endless series of those alerts in no discernable pattern which essentially makes WinSCP useless for us.

I've dug around the net and I haven't found anything that applies to bypass that warning using the GUI (vs .NET code). -certificate * looked promising in the .ini (to be narrowed down if that worked), but made no difference, nor did I find anything applicable or germane in the Raw Settings for that session.
Any way out of this? This has put us at a bit of a standstill. Thanks!

I ran the log in debug and below is all that it had re certificates.
. 2025-06-13 16:05:58.130 Doing SSL negotiation.
. 2025-06-13 16:05:58.280 ssl: Verify callback @ 2 => 20
. 2025-06-13 16:05:58.280 ssl: Verify failures |= 8 => 8
. 2025-06-13 16:05:58.295 Chain depth: 3
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 ssl: Match common name '*.s3-us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name 's3-us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name '*.s3.us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name 's3.us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 Identity match for 's3.us-gov-west-1.amazonaws.com': good
. 2025-06-13 16:05:58.295 Verifying certificate for "*.s3-us-gov-west-1.amazonaws.com" with fingerprint 4e:80:b7:a9:31:3f:4d:55:ee:7e:fb:f8:85:a6:e0:e7:09:a5:9c:2f:26:ed:c7:2f:c7:54:8d:c6:8d:ff:e7:7b and 08 failures
. 2025-06-13 16:05:58.418 Certificate verified against Windows certificate store
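For readers trying to interpret a log excerpt like the one above, here is an added example (not from the original post or from WinSCP) that parses these verification lines, decodes the numeric failure value and reproduces the wildcard name matching the log shows. The log lines embedded below are the ones quoted in this post; the meaning assigned to the failure bits is an assumption based on the neon library's NE_SSL_* flag layout (WinSCP's S3 transport is built on neon), since the thread itself only shows the value 8.

```python
import re
from typing import Dict, List

# ASSUMPTION: bit layout of neon's NE_SSL_* verification flags.
FAILURE_BITS = {
    1: "certificate not yet valid",
    2: "certificate expired",
    4: "identity (hostname) mismatch",
    8: "issuer not trusted by the bundled store",
    16: "broken certificate chain",
    32: "certificate revoked",
}

MATCH_RE = re.compile(r"ssl: Match common name '([^']*)' against '([^']*)'")
IDENTITY_RE = re.compile(r"Identity match for '([^']*)': (good|bad)")
FAILURES_RE = re.compile(r"ssl: Verify failures \|= (\d+) => (\d+)")
VERIFY_RE = re.compile(
    r'Verifying certificate for "([^"]*)" with fingerprint ([0-9a-f:]+) and (\d+) failures')
STORE_RE = re.compile(r"Certificate verified against Windows certificate store")

# Log lines quoted in the post above (timestamps dropped).
LOG_LINES = [
    "Doing SSL negotiation.",
    "ssl: Verify callback @ 2 => 20",
    "ssl: Verify failures |= 8 => 8",
    "Chain depth: 3",
    "Identity match for '': bad",
    "ssl: Match common name '*.s3-us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'",
    "ssl: Match common name 's3-us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'",
    "ssl: Match common name '*.s3.us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'",
    "ssl: Match common name 's3.us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'",
    "Identity match for 's3.us-gov-west-1.amazonaws.com': good",
    'Verifying certificate for "*.s3-us-gov-west-1.amazonaws.com" with fingerprint '
    "4e:80:b7:a9:31:3f:4d:55:ee:7e:fb:f8:85:a6:e0:e7:09:a5:9c:2f:26:ed:c7:2f:c7:54:8d:c6:8d:ff:e7:7b "
    "and 08 failures",
    "Certificate verified against Windows certificate store",
]


def wildcard_match(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: '*' stands for exactly one left-most label,
    so '*.example.com' matches 'a.example.com' but not 'example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and h_labels[0] != "")


def parse_ssl_log(lines: List[str]) -> Dict[str, object]:
    """Summarise the certificate-verification part of a WinSCP debug log."""
    names_tried = []          # (name in cert, host, matched?) per attempt
    identity_good = False
    failures = 0
    cert_name = fingerprint = None
    windows_store_ok = False
    for line in lines:
        m = MATCH_RE.search(line)
        if m:
            names_tried.append((m.group(1), m.group(2), wildcard_match(m.group(1), m.group(2))))
            continue
        m = IDENTITY_RE.search(line)
        if m and m.group(2) == "good":
            identity_good = True
            continue
        m = FAILURES_RE.search(line)
        if m:
            failures = int(m.group(2))
            continue
        m = VERIFY_RE.search(line)
        if m:
            cert_name, fingerprint, failures = m.group(1), m.group(2), int(m.group(3))
            continue
        if STORE_RE.search(line):
            windows_store_ok = True   # OS store accepted what the bundled store did not
    return {
        "cert_name": cert_name,
        "fingerprint": fingerprint,
        "identity_good": identity_good,
        "failures": failures,
        "failure_reasons": [name for bit, name in FAILURE_BITS.items() if failures & bit],
        "names_tried": names_tried,
        "windows_store_ok": windows_store_ok,
    }


if __name__ == "__main__":
    for key, value in parse_ssl_log(LOG_LINES).items():
        print(f"{key}: {value}")
```

Run against the quoted lines, the parser shows that hostname matching succeeded (only the fourth name, the exact one, matches) and that the single failure bit is the trust bit, which the Windows store check then cleared; it is the later, full log that revealed the revocation-server problem.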



Pointyears (Posts: 5, Location: Frederick, MD)

Re: Incessant certificate warnings

See enclosure please, Martin. Clicking "Yes" allows the file copy to go on for a random interval measured in seconds and then the alert presents itself again. Saying "Yes" does nothing...repeatedly; it's never added to the cert store or anywhere, but the fingerprint is added to the winscp.ini. It's hard to say when this problem started as we had a seasonal lull in which we weren't using S3.
Thanks for your attention to this.

Attachment: winscp.jpg


martin (Site Admin)

Re: Incessant certificate warnings

Please attach a full session log file (sorry, I should have asked for that before already).



martin (Site Admin, Posts: 42,146, Location: Prague, Czechia)

Re: Incessant certificate warnings

The verification fails due to:
The revocation function was unable to check revocation because the revocation server was offline
It seems like some temporary network outage or lag.


martin (Site Admin)

Re: Incessant certificate warnings

I do not think it's not possible to "accept that condition".
The problem is that your server (AWS) is load balanced. So you are actually connecting to a different server with a different certificate every time. So every time WinSCP prompts you, it prompts for a different certificate.


Pointyears

Re: Incessant certificate warnings

Thanks, Martin. You've managed to confuse me more. I thought since it's a wildcard cert that's presented by AWS (*.s3-us-gov-west-1.amazonaws.com) to WinSCP with the same fingerprint that's both in that alert and in the winscp.ini that while it might be a different load balancer that WinSCP is talking through, the certificate is the same.
Thanks.



Pointyears

Re: Incessant certificate warnings

To be more thorough, I tried S3 Browser portable on both my Windows 11 laptop, and the Citrix server with no certificate issues whatsoever (SSL is forced in both the client app, and the S3 policy we have precludes port 80 non-ssl connections).


martin (Site Admin)

Re: Incessant certificate warnings

While it's indeed a wildcard certificate, every certificate for every connection WinSCP has made seems to have a different fingerprint.
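The two explanations in this thread (a load-balanced endpoint rotating between certificates with different fingerprints, versus an inspection proxy presenting a certificate from a different issuer) can be told apart by sampling several connections and comparing the leaf certificate each one presents. The script below is an added example, not code from the original thread or from WinSCP. It uses only the Python standard library and the operating system's trust store; the host name, the number of samples and the expected issuer fragment ("Amazon") are assumptions you would adjust, and the sample records used in the offline demonstration are constructed.

```python
import hashlib
import socket
import ssl
import sys
from collections import Counter
from typing import Dict, List, Tuple


def leaf_info(host: str, port: int = 443, timeout: float = 10.0) -> Tuple[str, str]:
    """Open one TLS connection and return (SHA-256 fingerprint, issuer DN) of the leaf cert.
    create_default_context() verifies against the OS trust store, so an
    interception CA that the OS trusts will still be reported as the issuer."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    fingerprint = ":".join(f"{b:02x}" for b in hashlib.sha256(der).digest())
    issuer = ", ".join("=".join(attr) for rdn in info.get("issuer", ()) for attr in rdn)
    return fingerprint, issuer


def analyze(samples: List[Tuple[str, str]], expected_issuer_fragment: str) -> Dict[str, object]:
    """Classify a list of (fingerprint, issuer) samples.

    rotating        -> more than one distinct fingerprint seen (load balancing)
    unexpected_issuers -> issuer DNs that do not contain the expected CA name
                          (e.g. an inspection proxy re-signing the connection)
    """
    fingerprints = Counter(fp for fp, _ in samples)
    unexpected = sorted({iss for _, iss in samples
                         if expected_issuer_fragment.lower() not in iss.lower()})
    return {
        "connections": len(samples),
        "distinct_fingerprints": len(fingerprints),
        "rotating": len(fingerprints) > 1,
        "unexpected_issuers": unexpected,
    }


# Constructed sample: three connections reach the real endpoint (rotating
# leaf certs from the same CA), one is re-signed by a hypothetical inspection CA.
CONSTRUCTED_SAMPLES = [
    ("aa:" * 31 + "01", "C=US, O=Amazon, CN=Amazon RSA 2048 M02"),
    ("bb:" * 31 + "02", "C=US, O=Amazon, CN=Amazon RSA 2048 M02"),
    ("aa:" * 31 + "01", "C=US, O=Amazon, CN=Amazon RSA 2048 M02"),
    ("cc:" * 31 + "03", "O=Example Inspection Proxy, CN=EXAMPLE-INSPECTION-CA"),
]


if __name__ == "__main__":
    # Usage: python sample_certs.py s3.us-gov-west-1.amazonaws.com 10 Amazon
    if len(sys.argv) < 2:
        print(analyze(CONSTRUCTED_SAMPLES, "Amazon"))
        sys.exit(0)
    host = sys.argv[1]
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 10
    expected = sys.argv[3] if len(sys.argv) > 3 else "Amazon"
    samples = [leaf_info(host) for _ in range(count)]
    for fp, issuer in samples:
        print(fp[:23], "...", issuer)
    print(analyze(samples, expected))
```

If the report shows several fingerprints but every issuer is the expected CA, you are seeing the load-balancer rotation martin describes; if any issuer is the inspection authority, that connection was re-signed on the path and the fix belongs with whoever runs that proxy (having the OS trust its root and keeping its revocation endpoint reachable), not with WinSCP's fingerprint cache.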

