#8698 closed defect (duplicate)
Certificate Chain not displayed correctly in some cases
| Reported by: | actionverb | Owned by: | dkocher |
|---|---|---|---|
| Priority: | normal | Milestone: | 4.7.3 |
| Component: | core | Version: | 4.6.5 |
| Severity: | normal | Keywords: | |
| Cc: | | Architecture: | |
| Platform: | | | |
Description (last modified by actionverb)
In some circumstances, Cyberduck fails to display the complete certificate chain. I recently installed a certificate and noticed that while Cyberduck accepts the certificate as valid and displays no errors when connecting to it, the pane revealed by clicking the lock icon only shows part of the chain. This happens for both DAV HTTPS connections and FTPS connections.
In most cases, it shows all but the last (most specific) certificate (see cert_issue1.png). In at least one case that I cannot seem to reproduce now, it showed only the root certificate (see cert_issue2.png). I confirmed that there is nothing hidden outside of the visible area.
With debug mode (Cyberduck Version 4.6.5 (17000) on OS X 10.10.2), I found the following entry:
Error adding certificate to Keychain
I have confirmed with the vendor that the certificate is valid and correctly installed, and it works properly in every other FTP app and browser I've tried. I tested the certificate chain manually with openssl s_client.
I have also confirmed that the problem exists on Windows 8.1 with Cyberduck 4.6.5.
Attachments (4)
Change History (16)
Changed on Mar 25, 2015 at 5:36:34 PM by actionverb
Changed on Mar 25, 2015 at 5:36:59 PM by actionverb
Shows only the root certificate, not the rest of the chain
comment:1 Changed on Mar 25, 2015 at 5:37:42 PM by actionverb
- Description modified (diff)
comment:2 Changed on Mar 25, 2015 at 5:39:21 PM by actionverb
- Description modified (diff)
comment:3 in reply to: ↑ description Changed on Mar 27, 2015 at 10:26:38 PM by dkocher
Replying to actionverb:
> I have also confirmed that the problem exists on Windows 8.1 with Cyberduck 4.6.5.

Can you confirm that you have seen the same issues with this certificate chain on Cyberduck for Windows?
comment:4 Changed on Mar 27, 2015 at 11:03:50 PM by actionverb
Confirmed, we only saw the root certificate when testing on Windows 8.1 with Cyberduck 4.6.5. I am happy to assist if there is any other information or testing needed.
comment:5 Changed on Mar 28, 2015 at 6:00:31 AM by dkocher
- Component changed from interface to core
- Milestone set to 4.7
- Status changed from new to assigned
Changed on Mar 28, 2015 at 9:03:18 PM by dkocher
comment:6 Changed on Mar 28, 2015 at 9:04:28 PM by dkocher
comment:7 Changed on Mar 28, 2015 at 9:06:28 PM by dkocher
- Resolution set to worksforme
- Status changed from assigned to closed
Can you try with a guest user account that has no certificates added in the Keychain (on Mac) or Certificate Store (on Windows) that might interfere when building the trust chain? Please reopen with exact steps to reproduce if possible.
comment:8 Changed on Jun 18, 2015 at 11:59:59 AM by dkocher
New duplicate issue in #8885.
comment:9 in reply to: ↑ description Changed on Aug 24, 2015 at 8:36:15 AM by dkocher
Replying to actionverb:
> With debug mode (Cyberduck Version 4.6.5 (17000) on OS X 10.10.2), I found the following entry:
> Error adding certificate to Keychain

Fixed in r17291.
comment:10 Changed on Aug 24, 2015 at 9:11:06 AM by dkocher
- Milestone changed from 4.7 to 4.8
In r18030.
comment:11 Changed on Aug 24, 2015 at 9:16:44 AM by dkocher
- Resolution worksforme deleted
- Status changed from closed to reopened
comment:12 Changed on Aug 24, 2015 at 9:16:57 AM by dkocher
- Resolution set to duplicate
- Status changed from reopened to closed
Panel showing entire cert chain except for the last.