WinSCP 5.9.3 broke .pfx or .p12 files without passphrase / Certificate is encrypted, need passphrase :: Support Forum

Makc666
Joined:: 2016-12-08
Posts:: 50
Location:: MSK-RU

WinSCP 5.9.3 broke .pfx or .p12 files without passphrase / Certificate is encrypted, need passphrase

2016-12-08 16:30

P.S. Martin created https://winscp.net/tracker/1490

No problems with WinSCP 5.9.1.
After upgrading to WinSCP 5.9.3 the problem appeared.
Rolling back to WinSCP 5.9.1 solves the problem.

I have a pkcs12 file which has private key and certificate with chain certificates in it.
It was created using the command:

openssl pkcs12 -export -inkey <private_key_file>.key -in <you_cert_file_with_chain>.pem -out certificate_client_nopass.pkcs12.pfx -name <some_friendly_name_here>

While executing this command NO password was entered.
So I have certificate_client_nopass.pkcs12.pfx file which is not encrypted with the password.

I start like:

winscp.com /ini=nul /script="FTPS_Script.txt"

FTPS_Script.txt has something like:

open ftpes://user:pass@ip:port/ -passive=on -explicit -certificate="*" -clientcert="certificate_client_nopass.pkcs12.pfx" -rawsettings CacheDirectories=0 CacheDirectoryChanges=0 FtpForcePasvIp2=0 FtpPingInterval=10 FtpListAll=1 SslSessionReuse=0 MinTlsVersion=12 -timeout=999

It is working perfect in WinSCP 5.9.1.

After upgrading to WinSCP 5.9.3 it doesn't work any more.

WinSCP begins to write message in LOG file:

. 2016-12-08 14:54:43.011 Certificate is encrypted, need passphrase

I will attach two logs file in next message.

<you_cert_file_with_chain>.pem file looks like:

subject=/L=Moscow/ST=Moscow/C=RU/O=Maxim/OU=Test/CN=test.com
issuer=/C=US/O=COMPANE/OU=Service Association/CN=External CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=COMPANE/OU=Service Association/CN=External CA
issuer=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
issuer=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Last edited by Makc666 on 2016-12-22 09:13; edited 3 times in total

Reply with quote

Makc666
Joined:: 2016-12-08
Posts:: 50
Location:: MSK-RU

2016-12-08 16:35

Here are two logs.
One from WinSCP 5.9.1 and other from WinSCP 5.9.3.
The only difference is WinSCP version.
No other changes.

Note at lines:

WinSCP_v5-9-1_Good.txt

. 2016-12-08 15:05:30.507 User name: USERNAME (Password: Yes, Key file: No)
...
no such line
...
. 2016-12-08 15:05:31.904 Server asks for authentication with a client certificate.
. 2016-12-08 15:05:32.402 Verifying certificate for "Cert_CA_NAME" with fingerprint 11:22:33:11:22:33:11:22:33:11:22:33:11:22:33:11:22:33:11:22 and 19 failures
* 2016-12-08 15:05:32.403 WARNING! Giving up security and accepting any certificate as configured!
. 2016-12-08 15:05:32.403 Using TLSv1.2, cipher TLSv1/SSLv3: AES128-SHA, 2048 bit RSA, AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
. 2016-12-08 15:05:32.403 TLS connection established. Waiting for welcome message...

WinSCP_v5-9-3_Bad.txt

. 2016-12-08 14:54:43.010 User name: USERNAME (Password: Yes, Key file: No, Passphrase: No)
...
. 2016-12-08 14:54:53.013 Certificate is encrypted, need passphrase
...
. 2016-12-08 14:55:04.381 Server asks for authentication with a client certificate.
. 2016-12-08 14:55:04.744 Disconnected from server

WinSCP_v5-9-3_Bad.txt (2.01 KB)

Description: WinSCP_v5-9-3_Bad.txt

WinSCP_v5-9-1_Good.txt (2.57 KB)

Description: WinSCP_v5-9-1_Good.txt

Reply with quote

Makc666
Joined:: 2016-12-08
Posts:: 50
Location:: MSK-RU

2016-12-08 16:37

And one more note.

According to:
https://winscp.net/eng/docs/history

5.9.3
Support for non-ASCII passphrases to client certificate files (.pfx/.p12 format). 1461
https://winscp.net/tracker/1461#c1

This can be connected with this change.

Reply with quote

Makc666

2016-12-12 10:13

Martin, you need any more information from me to look into this one?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,390
Location:: Prague, Czechia

2016-12-12

Can you provide me a sample certificate for testing?

Reply with quote

Makc666
Joined:: 2016-12-08
Posts:: 50
Location:: MSK-RU

2016-12-13 14:37

Martin, here is the archive with the certificates and scripts to test.
One certificate with NO password.
Second certificate with password. Password it "test" - also it is listed in .txt file inside archive.

Put proper version of

WinSCP.com
WinSCP.exe

to folders:

WinSCP v5.9.1
WinSCP v5.9.3

One more comment.

When you try to use that .PFX file with NO password in WinSCP.exe v5.9.3 you will get a windows with "Client certificate passphrase" request (attached).
If you do the same in WinSCP.exe v5.9.1 there will be no problems.

WinSCP_v5-9-3_window_passphrase_01.png (6.48 KB)

certificate_client_2016-12-13_01.zip (11.75 KB)

Description: .
-------------------------------
Put proper version of
WinSCP.com
WinSCP.exe
to folders:
WinSCP v5.9.1
WinSCP v5.9.3
-------------------------------

Reply with quote

martin◆ Site Admin

2016-12-16

I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.

Reply with quote

Makc666
Joined:: 2016-12-08
Posts:: 50
Location:: MSK-RU

2016-12-16 11:56

Martin,

the one you sent me works well (v5.10 Dev Build 7191 2016-12-16).
I tested withOUT -passphrase and -passphrase=pass.

Do you need some other tests from me to do with this case?

Thanks!

Reply with quote