tags:

views:

42

answers:

1
Q: 

FtpWebRequest EnableSSL error

I'm getting a "The remote certificate is invalid according to the validation procedure" exception message with the following code:

ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(MyCertValidationCb);

var request = (FtpWebRequest)WebRequest.Create(new Uri(myUri));
request.EnableSsl = true;
request.Method = WebRequestMethods.Ftp.UploadFile;
request.BeginGetRequestStream(EndGetStreamCallback, _state);


public static bool MyCertValidationCb(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors)
              == SslPolicyErrors.RemoteCertificateChainErrors)
    {
        return false;
    }
    if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch)
        == SslPolicyErrors.RemoteCertificateNameMismatch)
    {
        Zone z;
        z = Zone.CreateFromUrl(((FtpWebRequest)sender).RequestUri.ToString());
        if (z.SecurityZone == SecurityZone.Intranet
            || z.SecurityZone == SecurityZone.MyComputer)
        {
            return true;
        }
        return false;
    }
    return false;
}

The ftp server is filezilla. FTP over SSL is enabled, and Allow explicit FTP over TLS is also enabled. I've generated a certificate.crt file. Connected to the ftp location using filezilla client, and checked "Always trust this certificate" in the popup window.

In the MyCertValidationCb method, (sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors is always true.

If I change MyCertValidationCb to always return true, the ftp request goes through without a problem. I'm sure it's an issue with certificates. Anyone have any ideas?

A: 

The RemoteCertificateChainErrors was a result of not having the certificate in the Trusted Root Certification Authorities certificate store.

Filezilla generates a self signed certificate with the following format:

-----BEGIN RSA PRIVATE KEY-----

//hash

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

//hash

-----END CERTIFICATE-----

In order to import the certificate, remove the private key section and save the new file. Install that into the Trusted Root Certification Authorities certificate store.

Now the issue I'm having is RemoteCertificateNameMismatch, I'll post that in another topic.

Brian T  2010-09-08 18:07:21

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL