Unexpected 10 seconds delay if TlsHostCertificateFingerprint is different

FeelAirSlow

Hello,
I'm using WinSCP 6.5.1 COM Automation to access a FTPS server.
I found that during the session initialization, after the TLS handshake, if the given TlsHostCertificateFingerprint is wrong, WinSCP waits 10 seconds before sending an error "Peer certificate rejected. Disconnected from server. Connection failed.", without exchanging any data with the server meanwhile.
I think it should abort immediately after receiving the server certificate, without waiting 10 seconds.

martin
Site Admin
Location: Prague, Czechia

Re: Unexpected 10 seconds delay if TlsHostCertificateFingerprint is different

Please attach a full session log file showing the problem (using the latest version of WinSCP).

To generate the session log file, set Session.SessionLogPath. Submit the log with your post as an attachment. Note that passwords and passphrases are not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.

FeelAirSlow

Session log

Hello, thank you for your reply!
I attached the requested log.
It seems that there is an interactive question that shouldn't be here, as WinSCP is called using COM automation.
  • WinSCP.log (7.05 KB, Private file)

Guest

Hello,
I added my vote!

Indeed, I think that:
  1. scripting should not have interactive behaviour: in this case, the question doesn't even show up, we just have a 10-second wait and can do nothing in the script...
  2. if a fingerprint IS NOT provided and we don't GiveUpSecurityAndAcceptAny, WinSCP should look in the Certificate Store and give an immediate error (without a 10 s wait) if no valid certificate is found
  3. if a fingerprint IS provided, WinSCP should not even look in the Certificate Store: if the server certificate doesn't match the given fingerprint, WinSCP should just immediately give an appropriate error.
That way, our scripts using WinSCP are efficient and have a consistent behaviour.

Many thanks for all your great work and for your time in this forum!

jacks004
Guest

Re: Error index:reindex Product Price

A 10-second delay occurs when TlsHostCertificateFingerprint doesn’t match, due to the client retrying before failing the TLS handshake.

FeelAirSlow

Hello jacks004,
A 10-second delay occurs when TlsHostCertificateFingerprint doesn’t match, due to the client retrying before failing the TLS handshake.
I don't think so.
We can see in the session log that there is indeed a question (that we can't see using scripting) and exactly 10 seconds after that, WinSCP cancels the session:
< 2025-06-30 11:03:20.874 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
< 2025-06-30 11:03:20.874 Continue connecting and store the certificate?
. 2025-06-30 11:03:30.877 Answer: Cancel
. 2025-06-30 11:03:30.877 Peer certificate rejected.

And the corresponding extended debug log shows the wait loop:
[2025-06-30 11:03:20.876] [0004]   ExeSessionProcess.ProcessEvent entering
[2025-06-30 11:03:20.876] [0004]     Acquiring communication structure
[2025-06-30 11:03:20.876] [0004]     Acquired communication structure
[2025-06-30 11:03:20.876] [0004]     ExeSessionProcess.ProcessChoiceEvent entering
[2025-06-30 11:03:20.876] [0004]       Options: [YNAC], Timer: [10000], Timeouting: [True], Timeouted: [-2], Break: [-1]
[2025-06-30 11:03:20.906] [0001]       Waiting for log update and dispatching events for 200
[2025-06-30 11:03:21.105] [0001]       Waiting for log update and dispatching events for 400
[2025-06-30 11:03:21.502] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:22.315] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:23.130] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:23.941] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:24.751] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:25.565] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:26.377] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:27.189] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:28.002] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:28.815] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:29.628] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:30.441] [0001]       Waiting for log update and dispatching events for 800
[2025-06-30 11:03:30.877] [0004]       Options Result: [-2]
[2025-06-30 11:03:30.877] [0004]     ExeSessionProcess.ProcessChoiceEvent leaving
[2025-06-30 11:03:30.877] [0004]     Releasing communication structure
[2025-06-30 11:03:30.877] [0004]     Released communication structure
[2025-06-30 11:03:30.877] [0004]     Response event set
[2025-06-30 11:03:30.877] [0004]   ExeSessionProcess.ProcessEvent leaving
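For anyone running WinSCP unattended, the session log is the place where this shows up: an interactive certificate prompt appearing in a scripted session means fingerprint pinning did not match (or the server certificate changed), and the fixed wait before the automatic Cancel is the symptom. The following is an added example, not code from the thread or from WinSCP: it parses session-log lines in the format quoted above (the prefix character, a timestamp, the message), measures the time between the certificate prompt and the automatic answer, and flags the rejection. The log excerpt embedded below is constructed from the lines quoted in this thread.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the session-log lines quoted in this thread.
# "<" marks prompt/server-side text, "." marks a WinSCP internal note.
SESSION_LOG = """\
< 2025-06-30 11:03:20.874 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
< 2025-06-30 11:03:20.874 Continue connecting and store the certificate?
. 2025-06-30 11:03:30.877 Answer: Cancel
. 2025-06-30 11:03:30.877 Peer certificate rejected.
"""

# prefix char, "YYYY-MM-DD HH:MM:SS.mmm", then the message text
LINE_RE = re.compile(r"^([<>.!*]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")


def parse_session_log(text):
    """Yield (prefix, timestamp, message) for every well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S.%f")
            yield m.group(1), ts, m.group(3)


def audit_certificate_prompt(text):
    """Report whether a scripted session hit the interactive certificate
    prompt, how long it waited for the automatic answer, and whether the
    peer certificate was rejected. Returns None if no prompt was logged."""
    prompt_at = None
    result = None
    for _prefix, ts, msg in parse_session_log(text):
        if msg.startswith("Continue connecting and store the certificate?"):
            prompt_at = ts
        elif prompt_at is not None and msg.startswith("Answer:"):
            result = {
                "interactive_prompt": True,
                "answer": msg.split(":", 1)[1].strip(),
                "delay_seconds": (ts - prompt_at).total_seconds(),
                "rejected": False,
            }
        elif result is not None and msg.startswith("Peer certificate rejected"):
            result["rejected"] = True
    return result


if __name__ == "__main__":
    print(audit_certificate_prompt(SESSION_LOG))
```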
