Hello,
I have a Windows service that transfers files via FTPS. The service normally runs under a Windows user that was set up to have appropriate permissions to access various Windows shares.
When the service runs under this Windows user, I receive the following log when trying to upload a file to an FTPS server:
2015-04-13 12:48:14.086 INFO Ftp(1) Info: Connecting to XXXXXXXX:21 using Ftp 4.0.5577.0.
2015-04-13 12:48:14.086 INFO Ftp(1) Info: Using proxy none.
2015-04-13 12:48:14.115 INFO Ftp(1) Response: 220 (vsFTPd 2.2.2)
2015-04-13 12:48:14.122 INFO Ftp(1) Command: AUTH TLS
2015-04-13 12:48:14.122 INFO Ftp(1) Response: 234 Proceed with negotiation.
2015-04-13 12:48:14.142 INFO Ftp(1) TLS: State StateChange:Negotiating
2015-04-13 12:48:14.142 DEBUG Ftp(1) TLS: HandshakeMessage:ClientHello was sent.
2015-04-13 12:48:14.161 DEBUG Ftp(1) TLS: HandshakeMessage:ServerHello was received.
2015-04-13 12:48:14.165 DEBUG Ftp(1) TLS: HandshakeMessage:Certificate was received.
2015-04-13 12:48:14.167 DEBUG Ftp(1) TLS: HandshakeMessage:CertificateRequest was received.
2015-04-13 12:48:14.167 DEBUG Ftp(1) TLS: HandshakeMessage:ServerHelloDone was received.
2015-04-13 12:48:15.211 INFO Ftp(1) TLS: Certificate verification status: UnknownRev, OfflineRev (0)
2015-04-13 12:48:15.216 INFO Ftp(1) TLS: Alert Alert:Alert was sent.
2015-04-13 12:48:15.216 INFO Ftp(1) TLS: State StateChange:Closed
2015-04-13 12:48:15.227 ERROR Ftp(1) Info: Rebex.Net.TlsException: Unable to perform revocation check of the server certificate. ---> Rebex.Net.TlsException: Unable to perform revocation check of the server certificate. ---> Rebex.Net.TlsException: Unable to perform revocation check of the server certificate.
at Rebex.Net.WHB.CE(String A, CertificateChain B)
at Rebex.Net.WHB.EE(Byte[] A, Int32 B, Int32 C, HHB D)
at Rebex.Net.WHB.KC(Byte[] A, Int32 B, Int32 C)
at Rebex.Net.VHB.CD(Byte[] A, Int32 B, Int32 C)
at Rebex.Net.VHB.HD()
--- End of inner exception stack trace ---
at Rebex.Net.VHB.HD()
at Rebex.Net.VHB.PD()
at Rebex.Net.TlsSocket.Negotiate()
at Rebex.Net.CS.UB(TlsParameters A)
at Rebex.Net.Ftp.KN(TlsParameters A, FtpSecureUpgradeType B)
at Rebex.Net.Ftp.BN(String A, Int32 B, TlsParameters C, FtpSecurity D)
--- End of inner exception stack trace ---
at Rebex.Net.Ftp.BN(String A, Int32 B, TlsParameters C, FtpSecurity D)
I noticed a previous question regarding this error at http://forum.rebex.net/4326/unable-to-perform-revocation-check-the-server-certificate. That page suggested trying to run the service as the LocalSystem user to see if it worked. Indeed, when running as the LocalSystem user, the file transfer works, as shown below:
2015-04-13 12:43:39.096 INFO Ftp(1) Info: Connecting to XXXXXXXX:21 using Ftp 4.0.5577.0.
2015-04-13 12:43:39.096 INFO Ftp(1) Info: Using proxy none.
2015-04-13 12:43:39.127 INFO Ftp(1) Response: 220 (vsFTPd 2.2.2)
2015-04-13 12:43:39.133 INFO Ftp(1) Command: AUTH TLS
2015-04-13 12:43:39.134 INFO Ftp(1) Response: 234 Proceed with negotiation.
2015-04-13 12:43:39.154 INFO Ftp(1) TLS: State StateChange:Negotiating
2015-04-13 12:43:39.154 DEBUG Ftp(1) TLS: HandshakeMessage:ClientHello was sent.
2015-04-13 12:43:39.173 DEBUG Ftp(1) TLS: HandshakeMessage:ServerHello was received.
2015-04-13 12:43:39.176 DEBUG Ftp(1) TLS: HandshakeMessage:Certificate was received.
2015-04-13 12:43:39.178 DEBUG Ftp(1) TLS: HandshakeMessage:CertificateRequest was received.
2015-04-13 12:43:39.178 DEBUG Ftp(1) TLS: HandshakeMessage:ServerHelloDone was received.
2015-04-13 12:43:39.312 DEBUG Ftp(1) TLS: HandshakeMessage:Certificate was sent.
2015-04-13 12:43:39.321 DEBUG Ftp(1) TLS: HandshakeMessage:ClientKeyExchange was sent.
2015-04-13 12:43:39.354 DEBUG Ftp(1) TLS: CipherSpec:ChangeCipherSpec was sent.
2015-04-13 12:43:39.355 DEBUG Ftp(1) TLS: HandshakeMessage:Finished was sent.
2015-04-13 12:43:39.373 DEBUG Ftp(1) TLS: CipherSpec:ChangeCipherSpec was received.
2015-04-13 12:43:39.375 DEBUG Ftp(1) TLS: HandshakeMessage:Finished was received.
2015-04-13 12:43:39.375 INFO Ftp(1) TLS: State StateChange:Secured
2015-04-13 12:43:39.376 INFO Ftp(1) TLS: Connection secured using cipher: TLS 1.1, RSA, 168bit TripleDES in CBC mode, SHA1
However, my service needs to run under a normal Windows user so that it may access Windows shares.
What permissions might I need to change to allow my normal Windows user to verify the certificate?
Note: the certificate that I am verifying in this test is one that was created by our own internal certificate authority. I have installed our certificate authority in the Trusted Root Certification Authorities on this machine. (Just in case that makes a difference.)
Thanks!
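Added diagnostic, not code from the poster or from Rebex: it performs the same AUTH TLS upgrade seen in the logs, captures the server certificate, and rebuilds the chain with .NET's X509Chain (Windows CryptoAPI) with online revocation checking, so the raw status flags can be compared when the script runs under the service account and under LocalSystem. The host name is a placeholder for the XXXXXXXX:21 server in the post, and the mapping of the abbreviated "UnknownRev, OfflineRev" to the RevocationStatusUnknown/OfflineRevocation flags is an assumption based on the names.

```powershell
# Added diagnostic, not the poster's or Rebex's code. $FtpHost is a placeholder for the
# XXXXXXXX:21 server in the post. Run once under the service account (e.g. via runas)
# and once as LocalSystem, then compare the chain status lines.
param(
    [string]$FtpHost = 'ftps.example.internal',   # placeholder
    [int]$FtpPort = 21
)
$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$client = New-Object System.Net.Sockets.TcpClient($FtpHost, $FtpPort)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true
"Server banner: " + $reader.ReadLine()        # e.g. "220 (vsFTPd 2.2.2)", single line assumed
$writer.WriteLine('AUTH TLS')                 # explicit FTPS upgrade, as in the log
$reply = $reader.ReadLine()
if (-not $reply.StartsWith('234')) { throw "AUTH TLS refused: $reply" }

# Capture the server certificate during the handshake. The callback keeps .NET's own
# verdict (returns true only when there are no policy errors); validation stays on.
$script:serverCert = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
}
$ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
try {
    $protocols = [System.Security.Authentication.SslProtocols]'Tls,Tls11,Tls12'
    $ssl.AuthenticateAsClient($FtpHost, $null, $protocols, $true)   # $true = check revocation
    "Handshake succeeded as $who"
} catch {
    "Handshake failed as ${who}: $($_.Exception.Message)"
} finally { $ssl.Dispose(); $client.Close() }
if (-not $script:serverCert) { throw 'No server certificate was received' }

# Rebuild the chain with online revocation checking of every certificate and show the
# raw flags. Assumed mapping: "UnknownRev, OfflineRev" in the Rebex log corresponds to
# RevocationStatusUnknown / OfflineRevocation here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
"Chain builds cleanly as ${who}: " + $chain.Build($script:serverCert)
foreach ($s in $chain.ChainStatus) { '  {0,-26} {1}' -f $s.Status, $s.StatusInformation.Trim() }
foreach ($e in $chain.ChainElements) { '  element: ' + $e.Certificate.Subject }

# Where the CRL lives (extension 2.5.29.31): the account running the service must be
# able to fetch this URL (direct or through its own proxy settings) for the check to succeed.
$cdp = $script:serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { 'CRL distribution points:'; $cdp.Format($true) } else { 'No CRL distribution point in certificate' }
```

If the LocalSystem run shows no status flags while the service-account run reports OfflineRevocation, the difference is the account's ability to retrieve the CRL, not the trust of the internal CA itself.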