Cyberduck Mountain Duck CLI

#8698 closed defect (duplicate)

Certificate Chain not displayed correctly in some cases

Reported by: actionverb Owned by: dkocher
Priority: normal Milestone: 4.7.3
Component: core Version: 4.6.5
Severity: normal Keywords:
Cc: Architecture:
Platform:

Description (last modified by actionverb)

In some circumstances, Cyberduck fails to display the complete certificate chain. I recently installed a certificate, and noticed that while Cyberduck accepts the certificate as valid and displays no errors when connecting to it, the pane revealed by clicking the lock icon only shows part of the chain. This happens for both DAV HTTPS connections as well as FTPS connections.

In most cases, it shows all but the last (most specific) certificate (see cert_issue1.png). In at least one case that I cannot seem to reproduce now, it showed only the root certificate (see cert_issue2.png). I confirmed that there is nothing hidden outside of the visible area.

With debug mode (Cyberduck Version 4.6.5 (17000) on OS X 10.10.2), I found the following entry:

Error adding certificate to Keychain

I have confirmed with the vendor that the certificate is valid and correctly installed, and it works properly in every other FTP app and browser I've tried. I tested the certificate chain manually with openssl s_client.

I have also confirmed that the problem exists on Windows 8.1 with Cyberduck 4.6.5.

Attachments (4)

cert_issue1.png (139.3 KB) - added by actionverb on Mar 25, 2015 at 5:36:34 PM.
Panel showing entire cert chain except for the last.
cert_issue2.png (100.6 KB) - added by actionverb on Mar 25, 2015 at 5:36:59 PM.
Shows only the root certificate, not the rest of the chain
star.brickftp.com.cer (1.3 KB) - added by actionverb on Mar 25, 2015 at 5:45:21 PM.
The certificate in question
Screen Shot 2015-03-28 at 22.02.39.png (69.1 KB) - added by dkocher on Mar 28, 2015 at 9:03:18 PM.

Download all attachments as: .zip

Change History (16)

Changed on Mar 25, 2015 at 5:36:34 PM by actionverb

Panel showing entire cert chain except for the last.

Changed on Mar 25, 2015 at 5:36:59 PM by actionverb

Shows only the root certificate, not the rest of the chain

comment:1 Changed on Mar 25, 2015 at 5:37:42 PM by actionverb

  • Description modified (diff)

comment:2 Changed on Mar 25, 2015 at 5:39:21 PM by actionverb

  • Description modified (diff)

Changed on Mar 25, 2015 at 5:45:21 PM by actionverb

The certificate in question

comment:3 in reply to: ↑ description Changed on Mar 27, 2015 at 10:26:38 PM by dkocher

Replying to actionverb:

I have also confirmed that the problem exists on Windows 8.1 with Cyberduck 4.6.5.

Can you confirm that you have seen the same issues with this certificate chain on Cyberduck for Windows.

comment:4 Changed on Mar 27, 2015 at 11:03:50 PM by actionverb

Confirmed, we only saw the root certificate when testing on Windows 8.1 with Cyberduck 4.6.5. I am happy to assist if there is any other information or testing needed.

comment:5 Changed on Mar 28, 2015 at 6:00:31 AM by dkocher

  • Component changed from interface to core
  • Milestone set to 4.7
  • Status changed from new to assigned

comment:6 Changed on Mar 28, 2015 at 9:04:28 PM by dkocher

I am trying to reproduce this issue on OS X and get a complete chain displayed as returned by the server.

comment:7 Changed on Mar 28, 2015 at 9:06:28 PM by dkocher

  • Resolution set to worksforme
  • Status changed from assigned to closed

Can you try with a guest user account (that has no certificates added in the Keychain (on Mac) or Certificate Store (on Windows) that might interfere when building the trust chain. Please reopen with exact steps to reproduce if possible.

comment:8 Changed on Jun 18, 2015 at 11:59:59 AM by dkocher

New duplicate issue in #8885.

comment:9 in reply to: ↑ description Changed on Aug 24, 2015 at 8:36:15 AM by dkocher

Replying to actionverb:

With debug mode (Cyberduck Version 4.6.5 (17000) on OS X 10.10.2), I found the following entry:

Error adding certificate to Keychain

Fixed in r17291.

comment:10 Changed on Aug 24, 2015 at 9:11:06 AM by dkocher

  • Milestone changed from 4.7 to 4.8

In r18030.

Last edited on Aug 24, 2015 at 9:16:38 AM by dkocher (previous) (diff)

comment:11 Changed on Aug 24, 2015 at 9:16:44 AM by dkocher

  • Resolution worksforme deleted
  • Status changed from closed to reopened

comment:12 Changed on Aug 24, 2015 at 9:16:57 AM by dkocher

  • Resolution set to duplicate
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.
swiss made software