Archived Forum Post


Question:

FTP2 version 9.5.051

Aug 17 '15 at 14:14

I downloaded and referenced the latest version to test it out. I ran into a problem with the loading of certificates.

  ChilkatLog:
  SetSslClientCert(94ms):
    DllDate: Jun 23 2015
    ChilkatVersion: 9.5.0.51
    UnlockPrefix: DMVCAGFTP
    Username: ISD-DSK-HV02:MVTWV
    Architecture: Little Endian; 32-bit
    Language: .NET 2.0
    VerboseLogging: 1
    mergeSysCerts:
      addCertificate:
        certHashEntry: 0A9B:dmvsftpbe1.sft.dmv.ca.gov
      --addCertificate
    --mergeSysCerts
    buildSslClientCertChain(94ms):
      constructCertChain(94ms):
        bMustReachRoot: 0
        buildCertChain(94ms):
          startCertDN: C=US, ST=California, L=Sacramento, O=State of California - DMV, OU=DMV (Script Generated), CN=axwaytest-x509
          initialCertChainSize: 0
          sysCertsFindIssuer(94ms):
            findBySubjectKeyId(63ms):
              crpFindBySubjectKeyId:
                findCertBySubjectKeyId: SubjectKeyId:LWfafvo+qBm/RSC18ajaHiLNGBg=
              --crpFindBySubjectKeyId
              msFindCertBySubjectKeyId(63ms):
                subjectKeyId: LWfafvo+qBm/RSC18ajaHiLNGBg=
                needPrivateKey: 0
                No match found in MY current-user certificate store.
                No match found in MY local-machine certificate store.
                No match found in AddressBook current-user certificate store.
                No match found in AddressBook local-machine certificate store.
                No match found in CA current-user certificate store.
                No match found in CA local-machine certificate store.
                No match found in ROOT current-user certificate store.
                No match found in ROOT local-machine certificate store.
              --msFindCertBySubjectKeyId
            --findBySubjectKeyId
            certReposFindIssuer:

Version 9.5.0.21 works fine.


Accepted Answer

Here is the solution. When the login certificate is installed, the private key must be marked as exportable. In the previous version of FTP2 it did not matter; now it does. Thanks Matt.
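
An added example, not part of the original post and not Chilkat code: a small .NET Framework console program that reports whether the private key of an installed certificate is marked exportable. It uses the framework's own `X509Store` classes rather than the Chilkat API, only recognises keys held by a legacy CryptoAPI provider, and defaults to the CN shown in the poster's log when no argument is given.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertKeyCheck
{
    // Classifies the private key attached to a certificate from a Windows store.
    static string DescribeKey(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            return "no private key";
        try
        {
            // Keys held by a legacy CryptoAPI provider surface as RSACryptoServiceProvider.
            RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                return "unknown (not a CryptoAPI RSA key)";
            return rsa.CspKeyContainerInfo.Exportable ? "exportable" : "NOT exportable";
        }
        catch (CryptographicException ex)
        {
            // Raised for CNG-only keys and for keys this account cannot open.
            return "unreadable (" + ex.Message.Trim() + ")";
        }
    }

    static void Main(string[] args)
    {
        // Assumption: the CN comes from the command line; the default is the CN in the log on this page.
        string commonName = args.Length > 0 ? args[0] : "axwaytest-x509";
        StoreLocation[] locations = { StoreLocation.CurrentUser, StoreLocation.LocalMachine };
        foreach (StoreLocation location in locations)
        {
            X509Store store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            try
            {
                foreach (X509Certificate2 cert in store.Certificates)
                {
                    if (cert.GetNameInfo(X509NameType.SimpleName, false) != commonName)
                        continue;
                    Console.WriteLine("{0}\\My  {1}  expires {2:yyyy-MM-dd}  key: {3}",
                        location, cert.Thumbprint, cert.NotAfter, DescribeKey(cert));
                }
            }
            finally { store.Close(); }
        }
    }
}
```

`NOT exportable` is the state the accepted answer describes; an exportable key can also be copied out of the store by any process running as that account.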


Answer

This does not seem to be the full contents of the LastErrorText. Was it truncated?


Answer

No, I just cut out the irrelevant portion; however, I can include it if you like.


Answer

Sorry, tried to use the code, but it still looks like a jumble.

    ChilkatLog:
  SetSslClientCert(94ms):
    DllDate: Jun 23 2015
    ChilkatVersion: 9.5.0.51
    UnlockPrefix: DMVCAGFTP
    Username: ISD-DSK-HV02:MVTWV
    Architecture: Little Endian; 32-bit
    Language: .NET 2.0
    VerboseLogging: 1
    mergeSysCerts:
      addCertificate:
        certHashEntry: 0A9B:dmvsftpbe1.sft.dmv.ca.gov
      --addCertificate
    --mergeSysCerts
    buildSslClientCertChain(94ms):
      constructCertChain(94ms):
        bMustReachRoot: 0
        buildCertChain(94ms):
          startCertDN: C=US, ST=California, L=Sacramento, O=State of California - DMV, OU=DMV (Script Generated), CN=axwaytest-x509
          initialCertChainSize: 0
          sysCertsFindIssuer(94ms):
            findBySubjectKeyId(63ms):
              crpFindBySubjectKeyId:
                findCertBySubjectKeyId: SubjectKeyId:LWfafvo+qBm/RSC18ajaHiLNGBg=
              --crpFindBySubjectKeyId
              msFindCertBySubjectKeyId(63ms):
                subjectKeyId: LWfafvo+qBm/RSC18ajaHiLNGBg=
                needPrivateKey: 0
                No match found in MY current-user certificate store.
                No match found in MY local-machine certificate store.
                No match found in AddressBook current-user certificate store.
                No match found in AddressBook local-machine certificate store.
                No match found in CA current-user certificate store.
                No match found in CA local-machine certificate store.
                No match found in ROOT current-user certificate store.
                No match found in ROOT local-machine certificate store.
              --msFindCertBySubjectKeyId
            --findBySubjectKeyId
            certReposFindIssuer:
              issuerN: US, CA, Sacramento, State of California, Department of Motor Vehicles, dmvsftpbe1.sft.dmv.ca.gov, dmvsftpbe1, D59A3BF8D3A5484819F648C34D04A4B2
              Did not find issuer certificate.
            --certReposFindIssuer
            issuerDN: C=US, ST=CA, L=Sacramento, O=State of California, OU=Department of Motor Vehicles, CN=dmvsftpbe1.sft.dmv.ca.gov, OU=dmvsftpbe1, SERIALNUMBER=D59A3BF8D3A5484819F648C34D04A4B2
            msFindIssuer(31ms):
              msAddIssuer2:
                FindIssuerForCertDN: C=US, ST=California, L=Sacramento, O=State of California - DMV, OU=DMV (Script Generated), CN=axwaytest-x509
                Did not find the issuer certificate.
              --msAddIssuer2
              msAddIssuer1(31ms):
                FindIssuerForCertDN: C=US, ST=California, L=Sacramento, O=State of California - DMV, OU=DMV (Script Generated), CN=axwaytest-x509
                authorityKeyIdentifier: 2D67 DA7E FA3E A819 BF45 20B5 F1A8 DA1E
22CD 1818
                issuerCN: dmvsftpbe1.sft.dmv.ca.gov
                Did not find the issuer certificate.
              --msAddIssuer1
              success: 0
            --msFindIssuer
            Did not find issuer in MS certificate stores.
          --sysCertsFindIssuer
          finalCertChainSize: 1
          Unable to build certificate chain to root.
        --buildCertChain
        completedChainToRoot: 0
        numCertsInChain: 1
      --constructCertChain
    --buildSslClientCertChain
    Success.
  --SetSslClientCert
--ChilkatLog
ChilkatLog:
  Connect_Ftp2(953ms):
    DllDate: Jun 23 2015
    ChilkatVersion: 9.5.0.51
    UnlockPrefix: DMVCAGFTP
    Username: ISD-DSK-HV02:MVTWV
    Architecture: Little Endian; 32-bit
    Language: .NET 2.0
    VerboseLogging: 1
    ProgressMonitoring:
      enabled: yes
      heartbeatMs: 0
      sendBufferSize: 65536
    --ProgressMonitoring
    ImplicitSsl: 0
    AuthTls: 1
    AuthSsl: 1
    ftpConnect(953ms):
      Hostname: 205.225.192.110
      Port: 2121
      IdleTimeoutMs: 60000
      socket2Connect:
        connect2:
          hostname: 205.225.192.110
          port: 2121
          ssl: 0
          connectSocket:
            domainOrIpAddress: 205.225.192.110
            port: 2121
            connectTimeoutMs: 20000000
            connect_ipv6_or_ipv4:
              This is an IPV4 numeric address.
              Domain to IP address resolution not needed.
              connecting to IPV4 address...
              ipAddress: 205.225.192.110
              createSocket:
                Setting SO_SNDBUF size
                sendBufSize: 262144
                Setting SO_RCVBUF size
                recvBufSize: 4194304
              --createSocket
              connect:
                Waiting for the connect to complete...
                myIP: 165.153.130.82
                myPort: 50051
                socket connect successful.
              --connect
            --connect_ipv6_or_ipv4
          --connectSocket
        --connect2
      --socket2Connect
      Turning on TCP_NODELAY.
      socketOptions:
        SO_SNDBUF: 262144
        SO_RCVBUF: 4194304
        TCP_NODELAY: 1
        SO_KEEPALIVE: 0
      --socketOptions
      readCommandResponse(250ms):
        replyLineQP: 220-DMV Secure File Transfer
        replyLineQP: 220-
        replyLineQP: 220-
        replyLineQP: 220 Secure FTP Server ready.
        commandResponse: 220-DMV Secure File Transfer
220-
220-
220 Secure FTP Server ready.
        statusCode: 220
      --readCommandResponse
      initialStatus: 220
      initialResponse: 220-DMV Secure File Transfer
220-
220-
220 Secure FTP Server ready.
      converting to secure connection...
      authTls(703ms):
        sendCommand:
          sendingCommand: AUTH TLS
        --sendCommand
        readCommandResponse(609ms):
          replyLineQP: 234 TLSv1
          commandResponse: 234 TLSv1
          statusCode: 234
        --readCommandResponse
        convertToTls(94ms):
          Clearing TLS client certificates.
          clientHandshake(94ms):
            certChain:
              subjectDN: C=US, ST=California, L=Sacramento, O=State of California - DMV, OU=DMV (Script Generated), CN=axwaytest-x509
            --certChain
            cacheClientCerts:
              Cached TLS client certificates.
              certChain:
                subjectDN: C=US, ST=California, L=Sacramento, O=State of California - DMV, OU=DMV (Script Generated), CN=axwaytest-x509
              --certChain
            --cacheClientCerts
            clientHandshake2(94ms):
              readHandshakeMessages(78ms):
                processHandshakeRecord:
                  processHandshakeMessage:
                    processServerHello:
                      MajorVersion: 3
                      MinorVersion: 3
                      cipherSuite: RSA_WITH_AES_256_CBC_SHA
                      cipherSuiteNumeric: 00,35
                      compressionMethod: 0
                      minAcceptableRsaKeySize: 1024
                    --processServerHello
                  --processHandshakeMessage
                --processHandshakeRecord
              --readHandshakeMessages
              Sending client-side certificate(s)...
              sendClientCertificates:
                buildCertificatesMessage:
                  numCerts: 1
                --buildCertificatesMessage
              --sendClientCertificates
              buildClientKeyExchange:
                buildClientKeyExchangeRsa:
                  modulus_bitlen: 2048
                  bigEndian: 1
                  padding: PKCS 1.5
                --buildClientKeyExchangeRsa
              --buildClientKeyExchange
              getPrivateKey:
                certGetPrivateKeyAsDER:
                  Checking via Crypto API for a private key...
                --certGetPrivateKeyAsDER
                Unable to export the private key.
              --getPrivateKey
              sendCertificateVerify:
                Sending ClientCertVerify message...
                CertificateVerify using TLS 1.2 with MS Crypto API is not supported.  Use TLS 1.1 or lower.
              --sendCertificateVerify
              Failed to send client certificate verify message.
            --clientHandshake2
          --clientHandshake
          Client handshake failed. (1)
          connectionClosed: 0
        --convertToTls
        Failed to convert channel to SSL/TLS
      --authTls
    --ftpConnect
    Failed to connect to FTP server.
    Failed.
  --Connect_Ftp2
--ChilkatLog
220-DMV Secure File Transfer

220-
220-
220 Secure FTP Server ready.
AUTH TLS
234 TLSv1
ChilkatLog:
  ChangeRemoteDir:
    DllDate: Jun 23 2015
    ChilkatVersion: 9.5.0.51
    UnlockPrefix: DMVCAGFTP
    Username: ISD-DSK-HV02:MVTWV
    Architecture: Little Endian; 32-bit
    Language: .NET 2.0
    VerboseLogging: 1
    dir: /dmv-ddt-router/FromDMV
    changeRemoteDir:
      simplePathCommand:
        sendCommand:
          prepControlChannel:
            Cannot wait for socket data: not connected (invalid socket)
            socketError: Socket fatal error.
          --prepControlChannel
          Failed to ensure that the FTP control channel is clear and ready.
        --sendCom
    

Answer

Thanks, jpbro, for cleaning up that mess. Here is the code where it is failing:

        if (lcert.SubjectCN.ToString() == certName)
        {
            // Get the cert's expire date
            DateTime expireDate = lcert.ValidTo;
            // Calc diff from current date to expire date
            var Days = (expireDate - Today1).Days;
            // If the certificate has 30 days or less, start nagging
            if (Days <= 30 && lcert.Expired != true)
            {
                MessageBox.Show("Certificate will expire in " + Days + " Days " + "Thumbprint " + lcert.Sha1Thumbprint.ToString(), "Get New Cert From DMV");
            }

            if (lcert.Expired)
            {
                MessageBox.Show("This Cert is Expired  " + lcert.Sha1Thumbprint.ToString(), " FGS will attempt to find a non expired cert  ");
            }
            // 8.10.15 testing for version 9.5.0.55
            if (!lcert.Expired)
            {
                //success = cert.LoadByCommonName(certName);
                cert = certStore.FindCertBySubjectCN(certName);
            }
        }

    } // closes the enclosing block (not shown in the post)

I commented out the above success = cert.LoadByCommonName(cert); this is where it just spun and writes out to the log. The above code is simply taking all the certificates in the certificate store and rolling through them to find certificates issued by my company and make sure they are not expired. Works for version 9.5.0.21 but not for version 9.5.051. After I added a reference to the latest version, my app stopped working.

Answer

Anyone, anyone, hello?


Answer

Yes, I understand, and I have submitted the paperwork to buy support.