0 votes
6.1k views
in Java FTP by (200 points)
I am trying to use implicit FTPS with server validation. Sometimes it is working and sometimes I am getting the error "Server certificate could not be validated". Can someone please help? Thanks

Here is my java code.

import com.enterprisedt.net.ftp.ssl.SSLFTPClient;
import com.enterprisedt.net.ftp.ssl.SSLFTPStandardValidator;

// at one point, I got the error "certificate chain is too long", so I added the line below
SSLFTPStandardValidator.MAX_CERTIFICATE_CHAIN_LENGTH = 5;

// create client
SSLFTPClient ftp = new SSLFTPClient();

// disable standard SSL closure
ftp.setConfigFlags(SSLFTPClient.ConfigFlags.DISABLE_SSL_CLOSURE);

// set remote host
ftp.setRemoteHost(host);

// load root certificates (serverCertFilename is the exported PEM file)
ftp.getRootCertificateStore().importPEMFile(serverCertFilename);

// use the standard validator against the root certificate store
ftp.setCustomValidator(new SSLFTPStandardValidator(false));

// set implicit mode
ftp.setImplicitFTPS(true);

// connect - this is the call that throws the exception shown below
ftp.connect();

Here is the error message:
ERROR [SSLSocket] 9 Jun 2011 13:43:16.082 : internalSocket() failed - closing socket : Server certificate could not be validated.
com.enterprisedt.net.puretls.cert.CertificateVerifyException: Server certificate could not be validated.

5 Answers

0 votes
by (162k points)
Is this always with the same server? Could you enable logging at the ALL level and send us the log file?
0 votes
by (200 points)
It is always the same server. The problem occurs randomly. Here is more log info. Thank you very much for your quick response.

INFO [ftpstest.UseFTPSWithServerValidation] 10 Jun 2011 11:13:27.537 : Creating FTPS client
INFO [SSLFTPClient] 10 Jun 2011 11:13:27.568 : edtFTPj - PRO version
INFO [LicensePropertiesBase] 10 Jun 2011 11:13:27.584 : Licence expiry date: 31 Dec 9999
INFO [LicensePropertiesBase] 10 Jun 2011 11:13:27.584 : Production licence
INFO [puretls] 10 Jun 2011 11:13:27.662 : PureTLS debug level=0
INFO [com.tdsecurities.loaniq.ftpstest.UseFTPSWithServerValidation] 10 Jun 2011 11:13:27.662 : Setting configuration flags
INFO [com.tdsecurities.loaniq.ftpstest.UseFTPSWithServerValidation] 10 Jun 2011 11:13:27.662 : Setting remote host
INFO [com.tdsecurities.loaniq.ftpstest.UseFTPSWithServerValidation] 10 Jun 2011 11:13:27.678 : Loading server certificate from cert_test.pem
INFO [cryptix] 10 Jun 2011 11:13:27.693 : GLOBAL_TRACE=false
INFO [cryptix] 10 Jun 2011 11:13:27.693 : GLOBAL_DEBUG=false
INFO [cryptix] 10 Jun 2011 11:13:27.693 : GLOBAL_DEBUG_SLOW=false
INFO [com.tdsecurities.loaniq.ftpstest.UseFTPSWithServerValidation] 10 Jun 2011 11:13:27.725 : Connecting to server ftps.tdbank.ca
ERROR [SSLSocket] 10 Jun 2011 11:13:27.850 : internalSocket() failed - closing socket : Server certificate could not be validated.
com.enterprisedt.net.puretls.cert.CertificateVerifyException: Server certificate could not be validated.
at com.enterprisedt.net.puretls.n.B(Unknown Source)
at com.enterprisedt.net.puretls.Z.B(Unknown Source)
at com.enterprisedt.net.puretls.n.E(Unknown Source)
at com.enterprisedt.net.puretls.i.G(Unknown Source)
at com.enterprisedt.net.puretls.SSLSocket.internalSocket(Unknown Source)
at com.enterprisedt.net.puretls.SSLSocket.<init>(Unknown Source)
at com.enterprisedt.net.ftp.ssl.SSLFTPClient.connect(Unknown Source)
at ftpstest.UseFTPSWithServerValidation.main(UseFTPSWithServerValidation.java:112)
0 votes
by (51.6k points)
There's a good chance that this is happening because the server is presenting a certificate that's different from the one you expect. You can connect and download the presented certificate by using the method SSLFTPClient.getServerCertificate(String,int,boolean). This method returns an SSLFTPCertificate object, which you can then write to a PEM file using the SSLFTPClient.writePEM() method. Once you have the certificate, try comparing it with the one you're currently using and also try connecting using that certificate.

-Hans (EnterpriseDT)
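One way to carry out the check Hans describes, written here as an added example rather than code from the thread or from edtFTPj: it uses plain JSSE to complete an implicit-FTPS handshake, prints the subject, issuer and SHA-256 fingerprint of every certificate the server presents, and marks which of them appear in the local PEM file. The host name, PEM path and port (990 assumed for implicit FTPS) are command-line arguments.

```java
import java.io.FileInputStream;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class ShowPresentedCert {
    // SHA-256 over the DER encoding, the usual way to identify one exact certificate.
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Implicit FTPS starts TLS as soon as the TCP connection opens, so a bare handshake
    // shows what the server presents. The trust manager only records the chain; this is
    // an inspection tool, nothing is sent after the handshake and no login takes place.
    static List<X509Certificate> presentedChain(String host, int port) throws Exception {
        final List<X509Certificate> seen = new ArrayList<>();
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
                for (X509Certificate c : chain) seen.add(c);
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return seen;
    }

    // usage: java ShowPresentedCert <host> <pem-file> [port]   (port defaults to 990)
    public static void main(String[] args) throws Exception {
        int port = args.length > 2 ? Integer.parseInt(args[2]) : 990;
        Set<String> trusted = new HashSet<>();   // fingerprints of every cert in the PEM file
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(args[1])) {
            for (Certificate c : cf.generateCertificates(in)) trusted.add(fingerprint((X509Certificate) c));
        }
        for (X509Certificate c : presentedChain(args[0], port)) {
            String fp = fingerprint(c);
            System.out.println((trusted.contains(fp) ? "[in PEM]     " : "[NOT in PEM] ")
                + c.getSubjectX500Principal() + "  issued by " + c.getIssuerX500Principal() + "  sha256=" + fp);
        }
    }
}
```

Running it several times shows whether the server presents the same chain on every connection; if the fingerprints change between runs, the PEM file needs to contain every certificate the server can present, or their common issuer, rather than a single exported leaf.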
0 votes
by (200 points)
But why does the same PEM file sometimes work and sometimes not? Maybe the way we get our certificate file is not correct.

Here is how I got my certificate file.

We are using the software WS FTP Pro to first connect to the server manually. The first time we connect to the server, we get a message box popup and we select "Trust this certificate". We then export the certificate to a file and rename the file as .PEM. I am not sure if this is the proper way to get the server certificate. If we use the same user id on a different PC to do the same thing, we get a different certificate file.
0 votes
by (162k points)
It should always work, unless there's a firewall somehow interfering (we've seen that happen).

Try emailing us (support@enterprisedt.com) a zipped log file at the ALL level of logging.
