0 votes
17k views
in Java FTP by (1.3k points)
Hello,

On some occasions I am getting the exception:
com.enterprisedt.net.puretls.cert.CertificateVerifyException

However this exception is not documented in the API on http://www.enterprisedt.com/products/ed ... index.html

On the older version (3.0.1), where SSLFTPCertificateException is thrown, I could obtain the certificates by accessing its methods. Could you provide some information about the classes inside puretls.*, especially the classes connected to the CertificateVerifyException?

Thank you

18 Answers

0 votes
by (48k points)
Hi

Our classes are not meant to throw CertificateVerifyExceptions, so there must be a bug there somewhere. Could you please e-mail a DEBUG level log to support@enterp... so that we can trace this bug? Also, if the stack-trace is not in the log then please paste it into your message, since this is obviously the most important part in identifying how the exception is slipping through the gates.

Thanks
0 votes
by (1.3k points)
Email sent.

I have another question.
When turning SSL server validation on, is it possible to treat the certificate as valid if just the end certificate is loaded? Like the way in Firefox, where we don't have to import the whole certificate chain.
The FTP client seems to want to check the whole certificate chain of the FTP server and throws a validation exception if one of the certificates in the chain is not loaded (if the intermediate or root is not loaded).
0 votes
by (158k points)
You can just load the server certificate.
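
What trusting only the end certificate amounts to, written against the standard JSSE API as an added example; it is not part of the original thread and is not edtFTPj code. The trust manager accepts the server only when the first certificate it presents is byte-for-byte the one loaded, and it never consults intermediates or roots. The class name and the command-line arguments are assumptions made for this illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical class: trusts exactly one pinned end-entity certificate.
public class PinnedLeafTrustManager implements X509TrustManager {
    private final byte[] pinnedDer;

    public PinnedLeafTrustManager(X509Certificate pinned) throws CertificateException {
        this.pinnedDer = pinned.getEncoded();
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0)
            throw new CertificateException("server sent no certificate");
        X509Certificate leaf = chain[0];  // TLS puts the server's own certificate first
        leaf.checkValidity();             // an expired or not-yet-valid pin is still rejected
        // Compare the full DER encoding, not just the subject or serial number.
        if (!MessageDigest.isEqual(pinnedDer, leaf.getEncoded()))
            throw new CertificateException("server certificate does not match the pinned one");
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client authentication is not supported");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    // Usage: java PinnedLeafTrustManager <pinned-cert.pem> <host> <implicit-TLS-port>
    public static void main(String[] args) throws Exception {
        X509Certificate pinned;
        try (InputStream in = new FileInputStream(args[0])) {
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedLeafTrustManager(pinned) }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[1], Integer.parseInt(args[2]))) {
            s.startHandshake();  // throws SSLHandshakeException when the pin does not match
            System.out.println("pinned certificate presented by " + args[1]);
        }
    }
}
```

A pin of this kind has to be replaced whenever the server renews its certificate, which is the operational cost of skipping the CA chain.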
0 votes
by (1.3k points)
I loaded the end certificate, but I get that exception. The server uses a certificate chain, I just loaded the end user certificate and did not load the whole certificate in the chain.
0 votes
by (158k points)
Ok, the bug that caused CertificateVerifyException to be thrown is fixed - this will be in 3.1.2.

Have you tried loading the CA certificate only?
0 votes
by (48k points)
FYI, the static method com.enterprisedt.net.ftp.ssl.SSLFTPClient.getServerCertificate(String,int) (http://www.enterprisedt.com/products/edtftpjssl/doc/api/com/enterprisedt/net/ftp/ssl/SSLFTPClient.html#getServerCertificate(java.lang.String, int)) queries the server for the SSL certificate and returns it as an SSLFTPCertificate.

- Hans (EnterpriseDT)
0 votes
by (1.3k points)
Bruce, I didn't try to load the CA cert only since it is not my intention. My intention is to load the end certificate and it should be ok.
But anyway, there are lots of TLS implementations in which the servers do not send the whole cert in the certificate chain to the client but only their own certificate, although it is not a self-signed one, so that I cannot import the CA cert on the fly.

Hans, that's a nice method. Will it return the end certificate only or all the certs in the chain sent by the server?
0 votes
by (48k points)
It only returns the end certificate.
0 votes
by (1.3k points)
Hans, I tried the method you mentioned and got Read timed out.

com.enterprisedt.net.ftp.ControlChannelIOException: Control channel unexpectedly closed ('
at com.enterprisedt.net.ftp.FTPControlSocket.A(Unknown Source)
at com.enterprisedt.net.ftp.FTPControlSocket.E(Unknown Source)
at com.enterprisedt.net.ftp.FTPControlSocket.F(Unknown Source)
at com.enterprisedt.net.ftp.FTPControlSocket.<init>(Unknown Source)
at com.enterprisedt.net.ftp.ssl.SSLFTPControlSocket.<init>(Unknown Source)
at com.enterprisedt.net.ftp.ssl.SSLFTPClient.connect(Unknown Source)
at com.enterprisedt.net.ftp.ssl.SSLFTPClient.getServerCertificate(Unknown Source)

com.enterprisedt.net.ftp.ControlChannelIOException: Read timed out
at com.enterprisedt.net.ftp.FTPControlSocket.A(Unknown Source)
at com.enterprisedt.net.ftp.FTPControlSocket.E(Unknown Source)
at com.enterprisedt.net.ftp.FTPControlSocket.F(Unknown Source)
at com.enterprisedt.net.ftp.FTPControlSocket.<init>(Unknown Source)
at com.enterprisedt.net.ftp.ssl.SSLFTPControlSocket.<init>(Unknown Source)
at com.enterprisedt.net.ftp.ssl.SSLFTPClient.connect(Unknown Source)
at com.enterprisedt.net.ftp.ssl.SSLFTPClient.getServerCertificate(Unknown Source)

SSLFTPCertificate cert = SSLFTPClient.getServerCertificate("demo.intra.net", 7135);

I rechecked the server name and port. It can be connected to by the openssl command line on the same host. I also tried to connect to a port on localhost but the same exception is thrown.
0 votes
by (48k points)
It's strange. It looks like the disconnect occurs immediately after connecting before any communication actually takes place. But if that were the case then other clients should have the same problem. Since you published the host-name and port-number, I took the liberty of trying it myself, but I did not manage to connect at all. I guess you've either posted dummy connection details or have taken the server offline. Is there any chance I could have a chance to connect? It will make debugging much easier since I will be able to see where the disconnect occurs. If you prefer to keep the connection details confidential then please e-mail them to support@enter...
