FTPS does not recognize Subject Alternative Name

Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

FTPS does not recognize Subject Alternative Name

Post by *Sob »

I found a little problem with TC's FTP client when using an encrypted connection to a server. Certificates often support more hostnames in the form of a Subject Alternative Name, but it seems that TC only checks the hostname against the Common Name. If it does not match, TC shows "The presented server certificate seems to belong to a different server name!", even though the certificate is valid for the given hostname; it just has it listed as a SAN.

I don't have a live server available for testing, but I prepared a simple local test:
  • Download http://web.hisoftware.cz/sob/tc/ftps-san-test.7z and unpack it to some empty directory
  • Add contents of host.sample.txt to system hosts file (usually C:\Windows\System32\drivers\etc\hosts)
  • Edit paths to totalcmd.exe and openssl.exe in .bat files
  • Run start-server.bat to simulate local FTP server (*1) with implicit SSL using openssl.exe
  • Run start-totalcmd.bat to start TC with local ini files with configured trusted test CA
  • Connect to ftps://test.example.net:990/ (*2) - TC will accept certificate -> correct
  • Connect to ftps://example.net:990/ (*2) - TC will not accept certificate automatically -> bug

(*1) TC will get stuck after the USER command, because it's not an actual working FTP server, but it's enough to test certificate verification
(*2) There are connections saved in wcx_ftp.ini
ghisler(Author)
Site Admin
Posts: 48075
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Indeed, TC currently doesn't handle certain wildcard and multi certificates. If you know the RFC where they are defined, I will try to support them. I just don't know what format to expect.
Author of Total Commander
https://www.ghisler.com
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

This should be the right RFC:
https://tools.ietf.org/html/rfc5280#section-4.2.1.6

And the following is a simple C example of how to get it using OpenSSL:
http://web.hisoftware.cz/sob/tc/san-openssl.7z

TC uses OpenSSL too, so I hope it may be useful. I'm not saying that it's necessarily 100% correct, just a quick "Google&paste", but it works. So at least it's a pointer where to look...

The included certificate server2.pem has DNS, IPv4 and IPv6 SANs. But I can't seem to find the rules for IP addresses, whether they apply just when the user connects directly to a numeric address or whether they are also valid for resolved addresses. In any case, alternative DNS names in certificates are common, IP addresses are not, so if TC did not support the latter, I doubt there would be too many complaints. :)
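The matching rules the thread is looking for live in RFC 5280 (where the extension is defined) and RFC 6125 / RFC 2818 (how a client compares the name it connected to against the certificate): a dNSName SAN is compared case-insensitively with a wildcard allowed only as the whole left-most label, the Common Name is consulted only when the certificate has no dNSName SAN at all, and iPAddress SANs are compared only when the user typed a literal IP address (addresses obtained by resolving a hostname are never matched). The following is an added Python example, not code from this thread, from Total Commander or from OpenSSL; the certificate names below are constructed to mirror the test described in the first post (CN=test.example.net with example.net only as a SAN), they are not parsed from the real server2.pem, and the CN-only checker is included purely to show why the example.net connection is rejected.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Names taken from a server certificate. Constructed for this example;
    a real client would extract them with OpenSSL (X509_get_ext_d2i with
    NID_subject_alt_name for the SANs)."""
    common_name: Optional[str]
    dns_sans: List[str] = field(default_factory=list)
    ip_sans: List[str] = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one presented DNS name with the hostname:
    case-insensitive, trailing dot ignored, '*' accepted only as the entire
    left-most label, and a wildcard never matches across a dot or an
    apex name (so '*.example.net' covers a.example.net but not example.net
    or a.b.example.net)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False          # wildcard must be the whole left-most label
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False          # no '*.net', no matching across label boundaries
    return plabels[1:] == hlabels[1:]


def cn_only_match(cert: CertNames, hostname: str) -> bool:
    """The behaviour the thread reports: SANs are ignored completely."""
    return cert.common_name is not None and dns_name_matches(cert.common_name, hostname)


def san_aware_match(cert: CertNames, hostname: str) -> bool:
    """RFC 5280 / RFC 6125 behaviour. A literal IP address (IPv4 or IPv6,
    optionally in brackets) is checked only against iPAddress SANs; a DNS
    name is checked against dNSName SANs, and the Common Name is used only
    as a fallback when the certificate carries no dNSName SAN at all."""
    try:
        wanted = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        wanted = None
    if wanted is not None:
        for san in cert.ip_sans:
            try:
                # Compare parsed addresses so '2001:db8::10' and
                # '2001:0db8:0:0:0:0:0:10' are treated as the same SAN.
                if ipaddress.ip_address(san) == wanted:
                    return True
            except ValueError:
                continue      # malformed SAN entry: skip, never match
        return False
    if cert.dns_sans:
        return any(dns_name_matches(san, hostname) for san in cert.dns_sans)
    return cn_only_match(cert, hostname)


# Constructed stand-in for the thread's test certificate (not the real file).
TEST_CERT = CertNames(
    common_name="test.example.net",
    dns_sans=["test.example.net", "example.net"],
    ip_sans=["192.0.2.10", "2001:db8::10"],
)


def compare(cert: CertNames, hostname: str) -> Tuple[bool, bool]:
    """Return (CN-only verdict, SAN-aware verdict) for one connection."""
    return cn_only_match(cert, hostname), san_aware_match(cert, hostname)


if __name__ == "__main__":
    for host in ("test.example.net", "example.net", "192.0.2.10", "[2001:db8::10]", "other.example.net"):
        print(f"{host:20s} CN-only={compare(TEST_CERT, host)[0]!s:5s} SAN-aware={compare(TEST_CERT, host)[1]}")
```

Run as a script it prints one line per hostname from the thread's test: test.example.net passes both checks, example.net and the two IP literals pass only the SAN-aware check, and a name that appears nowhere in the certificate is rejected by both. The CN fallback matters for the opposite direction too: once a certificate carries any dNSName SAN, a hostname that appears only in the CN must be rejected, otherwise a client that combines both checks ends up accepting more names than the certificate actually lists.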
ghisler(Author)
Site Admin
Posts: 48075
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

I will analyze it, thanks.
Author of Total Commander
https://www.ghisler.com