FTPS with Client certificate - Weak SSL

support
Posts: 1503
Joined: Sun Jan 27, 2008 6:19 pm

FTPS with Client certificate - Weak SSL

Post by support »

Deme, let's continue the FTPS discussion here as it could be useful for everyone.

There is a bug in WeakSSL 2.0 that makes the client certificate sent to the server on SSL handshake fail. However, I've just made it work without WeakSSL. Here are the instructions if you want to try it:

1/ Remove WeakSSL.
Remove lib/weakssl.jar from all ARCHIVE parameters.
Remove the following parameters too:
<PARAM NAME="param6" VALUE="weakssl">
<PARAM NAME="value6" VALUE="true">

2/ Force user's Java keystore to be your PKCS12 file.
Open the Java control panel.
Start -> Control Panel -> Java -> Java tab -> Runtime parameters.
Add the following parameters:
-Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=c:/tmp/deme.p12 -Djavax.net.ssl.keyStorePassword=xxxxxxx
(Replace xxxxxxx with the pass phrase)

3/ Import your self-signed CA certificate into the Java trust store.
In C:\Program Files\Java\jre1.6.0_06\lib\security:
a) Back up cacerts
b) Run the following command:
C:\Program Files\Java\jre1.6.0_06\bin>keytool -import -trustcacerts -file ca.crt -keystore ../lib/security/cacerts -storepass changeit

Then run the applet in your browser and uploads should work fine with your FTPS server.

I'm going to see how to fix the WeakSSL issue to avoid step 2 and step 3. Do you plan to use a trusted root certificate (such as Verisign, Thawte ...) or only a self-signed one when you are in production?
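
Steps 2 and 3 above, done per connection in client code instead of JVM-wide, as an added example that is not part of the original post or the applet's own code: the pass phrase is read from the console rather than stored in the runtime parameters, and the CA is trusted only by this context rather than through cacerts. It assumes Java 7 or later and your own Java client; the class name, the `ftps-ca` alias and the argument order are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example; class name, alias and argument order are hypothetical.
public class ClientCertContext {
    // Presents the key from the PKCS12 file and trusts only the given CA
    // certificate; the JRE-wide cacerts file is left untouched.
    static SSLContext build(String p12Path, char[] pass, String caPath) throws Exception {
        // Step 2 equivalent: client key and certificate from the .p12 file.
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            clientStore.load(in, pass);
        }
        // With no private-key entry, no client certificate can be offered
        // in the handshake, so fail early with a clear message.
        boolean hasKey = false;
        for (String alias : Collections.list(clientStore.aliases())) {
            hasKey |= clientStore.isKeyEntry(alias);
        }
        if (!hasKey) throw new IllegalStateException("no private key in " + p12Path);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, pass);

        // Step 3 equivalent: in-memory trust store holding only the private CA.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        try (InputStream in = new FileInputStream(caPath)) {
            trustStore.setCertificateEntry("ftps-ca",
                    CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception { // args: client.p12 ca.crt
        char[] pass = System.console().readPassword("Pass phrase: ");
        System.out.println(build(args[0], pass, args[1]).getProtocol() + " context ready");
    }
}
```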

support
Posts: 1503
Joined: Sun Jan 27, 2008 6:19 pm

Re: FTPS with Client certificate - Weak SSL

Post by support »

I've fixed the issue in WeakSSL to avoid step 1 and step 3. However, step 2 is still required.
I can provide the new WeakSSL version if you need it.
