Getting Certificate Error

+1 vote
asked Nov 14, 2015 by ktola (170 points)

It appears that in your older version, people were able to pass in TlsParameters to overcome Server certificate was rejected by the verifier because of an unknown certificate authority errors while using FTP. The current version no longer allows this option and I am stuck.

I purchased your software today instead of writing my own code to save time as I am under an incredibly tight deadline. I really need to figure this out ASAP if at all possible.

Currently I can use a range of FTP products to connect with no issue but your software bombs every time with the same error.

Can you please let me know how to overcome this error? Here is my code:

TlsParameters par = new TlsParameters();
par.CertificateVerifier = new FingerprintVerifier();               
rebexClient.Connect(ConfigurationManager.AppSettings["RebexUrl"], int.Parse(ConfigurationManager.AppSettings["RebexPort"]), SslMode.Implicit);
Applies to: Rebex FTP/SSL

1 Answer

+1 vote
answered Nov 15, 2015 by Tomas Knopp (58,890 points)
selected Nov 16, 2015 by ktola
 
Best answer

The TlsParameters field has been deprecated however, there is the ftp.Settings property that now holds the functionality. To set the verifier, either use ftp.Settings.SslServerCertificateVerifier
property, or

there is the ftp.ValidatingCertificate event that can be used to verify server certificate based on its fingerprint. Try this code:

Ftp ftp = new Ftp();
ftp.ValidatingCertificate += ftp_ValidatingCertificate;

ftp.Connect("server", SslMode.Implicit);
ftp.Disconnect();


    // A custom certificate verification handler.
    private static void ftp_ValidatingCertificate(object sender, SslCertificateValidationEventArgs e)
    {
        // get a string representation of the certificate's fingerprint
        string fingerprint = e.Certificate.Thumbprint;

        // check whether the fingerprint matches the desired fingerprin
        bool ok = ...;

        if (ok)
            e.Accept();
        else
            e.Reject();
    }

More details on how to solve the "Server certificate has been rejected by the verifier exception"

commented Nov 16, 2015 by ktola (170 points)
Thank you for your help!
commented Nov 16, 2015 by Tomas Knopp (58,890 points)
You're welcome. Just one more note on the "Server certificate was rejected by the verifier because of an unknown certificate authority":

This error message means that the certificate authority that issued the server certificate is not in the list of trusted authorities on your computer / device. For this reason, the identity of the server could not have been verified. This problem can be solved by adding the certificate of the root CA that signed the server certificate into the list of trusted certification authorities as described at http://blog.rebex.net/news/archive/2009/03/30/introduction-to-public-key-certificates.aspx or using Rebex CertificateStore class - check out the Verifier.cs/.vb file in the FtpWinFormClient sample for information on how to do this in a custom certificate verification handler.
commented Nov 16, 2015 by Tomas Knopp (58,890 points)
So to sum it up, verifying the certificate via FingerPrint is a last remedy only and is not definitely as secure as the standard means. If an attacker knows what FingerPrint you are expecting, they might easily create a fake certificate that would pass your verifier.

However, still the Fingerprint check is far better than skipping the certificate validation completely.
...