0 votes
7.9k views
in Java FTP by (240 points)
How do these methods work:
com.enterprisedt.net.ftp.ssl.SSLFTPClient.getRootCertificateStore().SSLFTPCertificateStore.importPEMFile(InputStream)
com.enterprisedt.net.ftp.ssl.SSLFTPClient.loadRootCertificates(InputStream).

I am new to FTP and SSL and cannot figure out how to use either of these methods.

As I understand:
1. I need to install a server (root) certificate on the server where my FTP server resides.
2. Get a copy of that root certificate onto the client where my Java program is running.
3. The InputStream in the method above points to the certificate on the client.

The code is as follows:
ftpClient = new SSLFTPClient(remoteHost, 21, com.enterprisedt.net.ftp.ssl.SSLFTPClient.ConfigFlags.DISABLE_DATA_WAIT_ON_CLOSE);
((SSLFTPClient)ftpClient).loadRootCertificates(ftpRootCertificates);

8 Answers

0 votes
by (162k points)
Take a look at this section in the Developer's Guide:

http://www.enterprisedt.com/products/ed ... ction.html

Note that loadRootCertificates is deprecated and you should use getRootCertificateStore().importPEMFile(certFilename)

Some more specific info on server validation can be found here:

http://www.enterprisedt.com/products/ed ... parta.html

The InputStream methods are an alternative way of loading the certificate directly from a stream rather than from a file.
0 votes
by (240 points)
Thanks.
My Question now is - which File does this InputStream point to?
Is it the certificate file on the FTP Server or a copy of the certificate on the client where the java program is running?
0 votes
by (162k points)
A copy of the server certificate (or root certificate) on the client.
0 votes
by (240 points)
I exported the server certificate from the utility available in I.E. and am now pointing to that file through my program. But the following error is being thrown:
com.enterprisedt.net.ftp.ssl.SSLFTPCertificateException: Server certificate could not be validated. (use SSLFTPCertificateException.printCertificates to view certificates.)
at com.enterprisedt.net.ftp.ssl.B.F(Unknown Source)
at com.enterprisedt.net.ftp.ssl.SSLFTPClient.auth(Unknown Source)
at com.taw.net.ftp.FTPClient.connect(FTPClient.java:111)
at com.taw.net.ftp.FTPClient.main(FTPClient.java:246)
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
0 votes
by (162k points)
Please post the relevant section from the log file (see the Developer's Guide for help on logging).
0 votes
by (240 points)
Here is an excerpt of the log file:

DEBUG [com.enterprisedt.net.ftp.ssl.SSLFTPClient] 16 Jan 2007 11:29:57.375 : Setting custom validator to com.enterprisedt.net.ftp.ssl.SSLFTPStandardValidator
DEBUG [com.taw.net.ftp.FTPClient] 16 Jan 2007 11:29:57.385 : Nirupma Sharma: Loading server certificate from C:\FTPS\ServerCertificate.cer
DEBUG [com.enterprisedt.net.ftp.ssl.SSLFTPClient] 16 Jan 2007 11:29:57.405 : Loaded root certificates from C:\FTPS\ServerCertificate.cer
DEBUG [com.taw.net.ftp.FTPClient] 16 Jan 2007 11:29:57.405 : Nirupma Sharma: Connecting to server ftp-devl3.lasalle.na.abnamro.com
DEBUG [com.enterprisedt.net.ftp.ssl.SSLFTPClient] 16 Jan 2007 11:29:57.405 : Created explicit FTPS client.
DEBUG [com.enterprisedt.net.ftp.ssl.SSLFTPClient] 16 Jan 2007 11:29:57.405 : Connecting to ftp-devl3.lasalle.na.abnamro.com/10.211.110.159:21
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:29:57.505 : 220 usessrress121 FTP server (SecureTransport 4.5) ready.
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:29:57.505 : DISABLE_CONTROL_SSL_CLOSURE=true
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:29:57.505 : DISABLE_CONTROL_WAIT_ON_CLOSE=true
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:29:57.555 : ALLOW_BASIC_CONSTRAINTS_IN_NON_CA=false
DEBUG [com.taw.net.ftp.FTPClient] 16 Jan 2007 11:29:57.555 : Nirupma Sharma: Switching to FTPS (explicit mode)
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:29:57.555 : ---> AUTH TLS-C
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:29:57.585 : 334 SSLv23/TLSv1
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:29:57.585 : Starting SSL handshake on control socket
INFO [cryptix] 16 Jan 2007 11:29:57.636 : GLOBAL_TRACE=false
INFO [cryptix] 16 Jan 2007 11:29:57.636 : GLOBAL_DEBUG=false
INFO [cryptix] 16 Jan 2007 11:29:57.636 : GLOBAL_DEBUG_SLOW=false
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:30:04.505 : Caught: com.enterprisedt.net.puretls.cert.CertificateVerifyException
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:30:04.505 : Rethrowing as SSLFTPCertificateException
DEBUG [com.enterprisedt.net.ftp.ssl.SSLFTPClient] 16 Jan 2007 11:30:04.505 : Forcing disconnect
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:30:04.505 : ---> QUIT
DEBUG [com.enterprisedt.net.ftp.FTPControlSocket] 16 Jan 2007 11:30:04.515 : !L
DEBUG [com.enterprisedt.net.ftp.ssl.SSLFTPClient] 16 Jan 2007 11:30:04.515 : Expected error during disconnect: L
DEBUG [com.taw.net.ftp.FTPClient] 16 Jan 2007 11:30:04.515 : Nirupma Sharma: -------FTPException reply code--------1
0 votes
by (162k points)
There is obviously some problem validating the server certificate but it isn't clear what it is.

If you could run your program and log some extra debug, that will help. To do this, provide this extra command-line argument to java.exe:

-Dedtftp.log.puretls.level=65535

Also as you are trialing edtFTPj/PRO, please email support at enterprisedt dot com with the log file as we provide email support to all our trial users - you should get a faster response.
0 votes
by (51.6k points)
Please try to copy the certificates that you posted in the previous message into a text-file called something like "server-cert.pem" and then load that one using:
ftp.getRootCertificateStore().importPEMFile("server-cert.pem");


The certificates that I'm referring to are the ones starting with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----".

The first one is the root certificate (from VeriSign). The second one is also from VeriSign. The third one is the one issued to ABN Amro. You can use OpenSSL to inspect the certificates as I have just done. The command is "openssl x509 -text -in server-cert.pem", which prints out info for the first one. You'll need to split the file into 3 if you want to look at each separately.

These are the actual certificates presented by the server. We sometimes find that the certificate that the user thinks the server is using is not actually the certificate that is being presented during the SSL handshake. This is why the SSLFTPCertificateException has a method for printing it out, thus allowing the developer to inspect and/or use the actual certificate presented.

Another possible issue is that there are 3 certificates presented. Try setting SSLFTPStandardValidator.MAX_CERTIFICATE_CHAIN_LENGTH to 3.

- Hans (EDT)
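The inspection procedure Hans describes above (save the three PEM blocks printed by the exception into one file, split it into three, look at each with openssl x509, and note that the chain is three certificates long), as an added shell example that is not part of this thread and is not EnterpriseDT's code. So that it runs offline, it first generates a constructed three-certificate chain with OpenSSL; the names Example Root CA, Example Intermediate CA and ftp.example.test are made up, and the bundle is written in the same order as the thread's printout (root first, server certificate last). It goes a step beyond the post: it checks that the three certificates actually link into one chain, and uses openssl verify to show that trusting only the server's own certificate (which is typically what exporting the site certificate from a browser gives you) does not validate the server, whereas trusting the root does. That is OpenSSL's behaviour; whether edtFTPj's SSLFTPStandardValidator treats a lone server certificate the same way is not stated on this page.

```shell
#!/bin/sh
# Added example, not from the forum thread or from EnterpriseDT.
# Requires the openssl command-line tool; all certificate names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build a constructed root -> intermediate -> server chain so the script runs
# offline. With a real server you would instead paste the PEM blocks printed by
# SSLFTPCertificateException.printCertificates into bundle.pem.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ftp.example.test\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout root.key -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.ext -out int.pem
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ftp.example.test" \
        -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out leaf.pem
    # Same order as the thread's printout: root first, server certificate last.
    cat root.pem int.pem leaf.pem > bundle.pem
}

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... and print how many there were
# (this is the chain length that MAX_CERTIFICATE_CHAIN_LENGTH has to allow for).
split_bundle() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         n > 0 { print > ("cert-" n ".pem") }
         END { print n + 0 }' "$1"
}

# Show who each certificate is and who issued it, in bundle order.
describe_chain() {
    for f in cert-*.pem; do
        echo "== $f"
        openssl x509 -noout -subject -issuer -in "$f"
    done
}

# Succeed only if cert-1 is self-signed (a root) and every later certificate was
# issued by the one before it, i.e. the bundle is one contiguous chain.
check_links() {
    count=$1
    prev_subject=""
    i=1
    while [ "$i" -le "$count" ]; do
        subject=$(openssl x509 -noout -subject -in "cert-$i.pem" | sed 's/^subject= *//')
        issuer=$(openssl x509 -noout -issuer -in "cert-$i.pem" | sed 's/^issuer= *//')
        if [ "$i" -eq 1 ]; then
            [ "$issuer" = "$subject" ] || return 1
        else
            [ "$issuer" = "$prev_subject" ] || return 1
        fi
        prev_subject=$subject
        i=$((i + 1))
    done
}

# OpenSSL's view of server validation: trust anchors in $1, extra (untrusted)
# intermediates in $2, the server certificate to validate in $3.
verify_leaf() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

make_chain >/dev/null 2>&1
COUNT=$(split_bundle bundle.pem)
echo "certificates in bundle: $COUNT"
describe_chain
check_links "$COUNT" && echo "bundle forms one contiguous chain"
# Anchoring trust at the root validates the server certificate...
verify_leaf root.pem int.pem leaf.pem && echo "verify with root as anchor: OK"
# ...but anchoring trust at the server certificate itself (a browser export of
# the site certificate) leaves no path to a self-signed root, so it fails.
verify_leaf leaf.pem int.pem leaf.pem || echo "verify with server cert as anchor: FAILED (expected)"
```

The last two lines are the point of the thread: the file handed to importPEMFile has to contain the root the server's chain actually terminates in (and, depending on the validator, the intermediate), not the leaf certificate a browser shows you for the site.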
