0 votes
7.3k views
in Java FTP by (300 points)
Hello friends,

Our partner - FTPS server owner - re-issues their Server certificate.
They asked us to test our client connection using a test server they provided for this purpose.
Our tests fail with the error "Server certificate could not be validated".

How should I tackle this issue in order to make sure / prove that there is something wrong with the new certificate?
If the new certificate is fine, what else can be wrong?
Are there any tools out there (Windows tools - free if possible) which I can use to test the server certificate?

Below is the error stack trace:
com.enterprisedt.net.puretls.cert.CertificateVerifyException: Server certificate could not be validated.
at com.enterprisedt.net.puretls.n.B(Unknown Source)
at com.enterprisedt.net.puretls.Z.B(Unknown Source)
at com.enterprisedt.net.puretls.n.E(Unknown Source)
at com.enterprisedt.net.puretls.i.G(Unknown Source)
at com.enterprisedt.net.puretls.SSLSocket.handshake(Unknown Source)
at com.enterprisedt.net.ftp.ssl.SSLFTPControlSocket.E(Unknown Source)
at com.enterprisedt.net.ftp.ssl.SSLFTPClient.auth(Unknown Source)

Thank you in advance for any help,
George

5 Answers

0 votes
by (300 points)
Hi,
I was digging further and tested the client side of the FTPS connection using a free tool - WinSCP.

It is interesting that the utility gives me some certificate information.

There is a Summary in that info which tells me:

"Self signed certificate in certificate chain. The error occurred at a depth of 4 in the certificate chain"

I am not sure what exactly it means, but it looks like it reports an error.
Can that error have the same cause as the one I get:
"com.enterprisedt.net.puretls.cert.CertificateVerifyException: Server certificate could not be validated."?


Thank you and best regards,
George
0 votes
by (162k points)
One thing to try is to set SSLFTPStandardValidator.MAX_CERTIFICATE_CHAIN_LENGTH = 4
0 votes
by (300 points)
Thank you, Bruce, for your support.
I did that already, but I think there might be another validation issue.
I guess that the server host name may not be the CN (common name).
How can I find out the CN - Common Name - from the server certificate?

Thank you for helping me,
George
0 votes
by (300 points)
Hi Bruce,
Besides SSLFTPStandardValidator.MAX_CERTIFICATE_CHAIN_LENGTH = 4, I also disabled the host name validation (via SSLFTPStandardValidator(false)).
The server certificate has been validated this time, thank you very much for the help.

I still have a question for you, please.
The indicator that the certificate was issued to the server directly by a CA is that the length of the certificate chain is no more than 2.
Where can I find more details about this topic (length of certificate chain)?
Could you please send me a link which details the above?

Thank you and best regards,
George
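
The questions in this thread (what "self signed certificate in certificate chain" at a given depth means, and how to read the CN of a server certificate) can be reproduced offline with the OpenSSL command line, which reports the same condition as verification error 19. This is an added example, not part of the original posts and not edtFTPj code; the three-certificate chain, the file names and the host name `ftps.partner.example` are constructed, so the error appears at depth 2 rather than 4.

```bash
#!/usr/bin/env bash
# Added example. Every key, name and certificate below is constructed for illustration.
set -u
WORK=$(mktemp -d) && cd "$WORK" || exit 1
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway chain: root CA -> intermediate CA -> server certificate.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Root CA' \
    -keyout root.key -out root.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate CA' \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out int.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=ftps.partner.example' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
  # The extra certificates a server like this would send along with its own.
  cat int.pem root.pem > sent_by_server.pem
}

# Client that has not been given the new root: the chain builds, but ends untrusted.
verify_untrusted() { openssl verify -untrusted sent_by_server.pem leaf.pem 2>&1; }

# Same check after the root has been imported as a trust anchor.
verify_trusted() { openssl verify -CAfile root.pem -untrusted int.pem leaf.pem 2>&1; }

# Depth at which OpenSSL error 19 (self-signed certificate in chain) is raised.
self_signed_depth() {
  verify_untrusted | sed -n 's/.*error 19 at \([0-9][0-9]*\) depth.*/\1/p'
}

# Subject common name of the server certificate.
leaf_cn() {
  openssl x509 -in leaf.pem -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

make_chain
echo "server CN:           $(leaf_cn)"
echo "error 19 at depth:   $(self_signed_depth)"
echo "after trusting root: $(verify_trusted)"
```

Depth 0 is the server certificate and each issuer above it adds one, so the reported depth identifies which certificate in the chain is the untrusted self-signed root. Against a live explicit-FTPS server, `openssl s_client -connect HOST:21 -starttls ftp -showcerts` (HOST is a placeholder) prints the chain the server actually sends, which can be saved and checked the same way.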
0 votes
by (162k points)
