Context Navigation

← Previous Ticket
Next Ticket →

Opened on Mar 25, 2015 at 5:35:40 PM

Closed on Aug 24, 2015 at 9:16:57 AM

#8698 closed defect (duplicate)

Certificate Chain not displayed correctly in some cases

Reported by:	actionverb	Owned by:	dkocher
Priority:	normal	Milestone:	4.7.3
Component:	core	Version:	4.6.5
Severity:	normal	Keywords:
Cc:		Architecture:
Platform:

Description (last modified by actionverb)

In some circumstances, Cyberduck fails to display the complete certificate chain. I recently installed a certificate, and noticed that while Cyberduck accepts the certificate as valid and displays no errors when connecting to it, the pane revealed by clicking the lock icon only shows part of the chain. This happens for both DAV HTTPS connections as well as FTPS connections.

In most cases, it shows all but the last (most specific) certificate (see cert_issue1.png). In at least one case that I cannot seem to reproduce now, it showed only the root certificate (see cert_issue2.png). I confirmed that there is nothing hidden outside of the visible area.

With debug mode (Cyberduck Version 4.6.5 (17000) on OS X 10.10.2), I found the following entry:

Error adding certificate to Keychain

I have confirmed with the vendor that the certificate is valid and correctly installed, and it works properly in every other FTP app and browser I've tried. I tested the certificate chain manually with openssl s_client.

I have also confirmed that the problem exists on Windows 8.1 with Cyberduck 4.6.5.

Attachments (4)

cert_issue1.png (139.3 KB) - added by actionverb on Mar 25, 2015 at 5:36:34 PM.: Panel showing entire cert chain except for the last.
cert_issue2.png (100.6 KB) - added by actionverb on Mar 25, 2015 at 5:36:59 PM.: Shows only the root certificate, not the rest of the chain
star.brickftp.com.cer (1.3 KB) - added by actionverb on Mar 25, 2015 at 5:45:21 PM.: The certificate in question
Screen Shot 2015-03-28 at 22.02.39.png (69.1 KB) - added by dkocher on Mar 28, 2015 at 9:03:18 PM.

Download all attachments as: .zip

Change History (16)

Changed on Mar 25, 2015 at 5:36:34 PM by actionverb

Attachment cert_issue1.png added

Panel showing entire cert chain except for the last.

Changed on Mar 25, 2015 at 5:36:59 PM by actionverb

Attachment cert_issue2.png added

Shows only the root certificate, not the rest of the chain

comment:1 Changed on Mar 25, 2015 at 5:37:42 PM by actionverb

Description modified (diff)

comment:2 Changed on Mar 25, 2015 at 5:39:21 PM by actionverb

Description modified (diff)

Changed on Mar 25, 2015 at 5:45:21 PM by actionverb

Attachment star.brickftp.com.cer added

The certificate in question

comment:3 in reply to: ↑ description Changed on Mar 27, 2015 at 10:26:38 PM by dkocher

Replying to actionverb:

I have also confirmed that the problem exists on Windows 8.1 with Cyberduck 4.6.5.

Can you confirm that you have seen the same issues with this certificate chain on Cyberduck for Windows.

comment:4 Changed on Mar 27, 2015 at 11:03:50 PM by actionverb

Confirmed, we only saw the root certificate when testing on Windows 8.1 with Cyberduck 4.6.5. I am happy to assist if there is any other information or testing needed.

comment:5 Changed on Mar 28, 2015 at 6:00:31 AM by dkocher

Component changed from interface to core
Milestone set to 4.7
Status changed from new to assigned

Changed on Mar 28, 2015 at 9:03:18 PM by dkocher

Attachment Screen Shot 2015-03-28 at 22.02.39.png added

comment:6 Changed on Mar 28, 2015 at 9:04:28 PM by dkocher

I am trying to reproduce this issue on OS X and get a complete chain displayed as returned by the server.

comment:7 Changed on Mar 28, 2015 at 9:06:28 PM by dkocher

Resolution set to worksforme
Status changed from assigned to closed

Can you try with a guest user account (that has no certificates added in the Keychain (on Mac) or Certificate Store (on Windows) that might interfere when building the trust chain. Please reopen with exact steps to reproduce if possible.