Archived Forum Post


Question:

FTP2: certificate validation on Windows

Nov 08 '16 at 13:28

Can anyone point me to any kind of documentation on how Chilkat FTP2 validates the FTPS server certificate (on Windows)?

1. Does it use the Windows certificate stores, or does it have some built-in cert bundle?
2. Can I call the certificate validation that Chilkat uses manually? For example, ConnectOnly() followed by GetSslServerCert() and my own validation. Then, if my own validation fails, I would like to fall back to Chilkat's SSL certificate validation.


Accepted Answer

The checks associated with the RequireSslCertVerify property are (1) verify that the certificate is not expired, and (2) verify the cert's signature with the issuer cert, then that issuer's certificate signature with its issuer, and so on, up to the root CA certificate (or a self-signed certificate). If all signatures are valid to the "root", then the question is: "Is the root trusted?". The answer to that has to do with the TrustedRoots class. The default is that the certs stored in the CA (registry-based) cert stores are trusted. You can explicitly identify root CA certs that your application will trust (and trust no others) via the TrustedRoots API.

You might also want to check out the TlsPinSet property, which is a standard property on any object that makes TLS connections. Here's an example with HTTP. The coding is no different with FTP, IMAP, etc. because it's just a matter of setting the property.

https://www.example-code.com/cpp/http_public_key_pinning.asp
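To make the sequence in the accepted answer concrete (expiry check, signature check up the chain, then "is the root trusted?" against an explicit trusted-root set), here is an added stand-alone model of those checks. It is not Chilkat's code or API: it is written in Go because the Go standard library can build and verify a certificate chain offline, and it assumes a trusted root is recognised by exact certificate match. The root and leaf it uses are constructed throw-away test certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// VerifyChain models the RequireSslCertVerify checks: each cert (leaf first) must be inside its
// validity period and signed by the next one; the chain's last cert must be one of the trusted roots.
func VerifyChain(chain, roots []*x509.Certificate, now time.Time) error {
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("cert %d is expired or not yet valid", i)
		}
		if i+1 < len(chain) && c.CheckSignatureFrom(chain[i+1]) != nil {
			return fmt.Errorf("cert %d is not validly signed by cert %d", i, i+1)
		}
	}
	for _, r := range roots { // "Is the root trusted?": only an explicitly trusted root passes
		if len(chain) > 0 && r.Equal(chain[len(chain)-1]) {
			return nil
		}
	}
	return fmt.Errorf("chain does not end in a trusted root")
}

// ConstructedChain builds a throw-away Ed25519 root CA and a leaf it signs (test data only).
func ConstructedChain(now time.Time) (leaf, root *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := now.Add(-time.Hour), now.Add(24*time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, err1 := x509.CreateCertificate(rand.Reader, ca, ca, rootPub, rootKey)
	root, _ = x509.ParseCertificate(rootDER)
	leafDER, err2 := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na}, root, leafPub, rootKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	if err1 != nil || err2 != nil || leaf == nil {
		panic("constructing the test certificates failed")
	}
	return leaf, root
}

func main() {
	leaf, root := ConstructedChain(time.Now())
	fmt.Println(VerifyChain([]*x509.Certificate{leaf, root}, []*x509.Certificate{root}, time.Now()))
}
```

The same chain verified against a different root, or checked at a time past the leaf's NotAfter, is rejected, which is the behaviour an explicit TrustedRoots set gives you.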