tomohulk / WinSCP

WinSCP PowerShell Wrapper Module
GNU General Public License v3.0

TLS Host Certificate Fingerprint Format #139

Closed LeeWak98 closed 2 years ago

LeeWak98 commented 2 years ago

Please fill in the following fields, replacing the values inside the brackets {{ }}.

Issue Description

{{ Connecting to a third-party FTPS server and unable to find the correct format for the WinSCP PS Module TlsHostCertificateFingerprint parameter. Connection is successful if I don't use the TlsHostCertificateFingerprint parameter and use the parameter -GiveUpSecurityAndAcceptAnyTlsHostCertificate instead, but I want to use the certificate fingerprint as confirmation of connection to the right host for better security. I got the certificate fingerprint information from the WinSCP client connection settings 'Generate session URL/Code' section. Thanks. (The below certificate fingerprint isn't the actual one, but the format is the same in my script.) }}

Example

{{ $session = New-WinSCPSession -SessionOption (New-WinSCPSessionOption -Hostname "AHostName" -Credential $credential -Protocol FTP -FtpSecure Implicit -TlsHostCertificateFingerprint "b4:8c:e1:de:33:24:3a:1e:ac:77:09:d5:f6:eb:cd:2d:46:c6:5d:45:fe:7c:3a:e0:1c:60:fe:e6:ff:2e:34:ba"). }}

Expected Output

{{ successful FTPS connection. }}

Actual Output

{{ New-WinSCPSessionOption : Exception setting "TlsHostCertificateFingerprint": "TLS host certificate fingerprint "b4:8c:e1:de:33:24:3a:1e:ac:77:09:d5:f6:eb:cd:2d:46:c6:5d:45:fe:7c:3a:e0:1c:60:fe:e6:ff:2e:34:ba" does not match pattern /([0-9a-fA-F]{2}[:-]){19}[0-9a-fA-F]{2}(;([0-9a-fA-F]{2}[:-]){19}[0-9a-fA-F]{2})*/" At line:4 char:50 }}

WinSCP-PowerShell Version

{{ 5.17.10.0 }}

Environment

{{ Windows Server 2016, PowerShell version 5.1.14393.5066, unknown FTP server version as hosted elsewhere. }}

martinprikryl commented 2 years ago

The fingerprint is for SHA-256. You likely got it from the latest version of the WinSCP GUI, which supports SHA-256. The WinSCP-PowerShell module was not updated to the latest version of WinSCP, and it does not support SHA-256. You would have to use a SHA-1 fingerprint.

LeeWak98 commented 2 years ago

Thanks for the response, Martin. Unfortunately the certificate fingerprint is out of my control, it being a third-party FTP server. I have had to drop using the WinSCP-PowerShell module and am interacting with the WinSCP .NET DLL directly.

EG:

```powershell
# Load the WinSCP .NET assembly directly (no WinSCP-PowerShell module)
Add-Type -Path "C:\Program Files (x86)\WinSCP\WinSCPnet.dll"

# Implicit FTPS session pinned to the server certificate's fingerprint
$sessionOptions = New-Object WinSCP.SessionOptions -Property @{
    Protocol                      = [WinSCP.Protocol]::Ftp
    HostName                      = "AHostName"
    UserName                      = "Username"
    SecurePassword                = Get-Content "Afile.pwd" | ConvertTo-SecureString
    FtpSecure                     = [WinSCP.FtpSecure]::Implicit
    TlsHostCertificateFingerprint = "b4:8c:e1:de:33:24:3a:1e:ac:77:09:d5:f6:eb:dc:2d:46:c6:5d:45:fe:7c:3a:e0:1c:60:fe:e6:ff:2e:34:ba"
}

$session = New-Object WinSCP.Session
$session.Open($sessionOptions)

# FTP stuff here

$session.Dispose()
```

Thanks for your assist anyway :-)

martinprikryl commented 2 years ago

I meant that you should take the SHA-1 fingerprint from the GUI and use it with the module. No need to change anything about the server's certificate.

Though using the latest version of the WinSCP .NET assembly directly is a good approach anyway.
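The pattern quoted in the error above accepts exactly 20 hex byte pairs, i.e. a SHA-1 fingerprint, which is why the 32-byte SHA-256 value from the newer GUI is rejected. The following script is an added example written for this thread, not code from the issue or from the WinSCP-PowerShell project. It checks a fingerprint against that pattern before handing it to the module, tells SHA-1 and SHA-256 apart by byte count, and computes the SHA-1 (or SHA-256) fingerprint from an exported server certificate so the host can be pinned instead of falling back to -GiveUpSecurityAndAcceptAnyTlsHostCertificate. The certificate path, host name and `$credential` are assumed placeholders; the fingerprint value is the constructed one from the issue, not a real server's.

```powershell
# Added example, not part of the original issue or the WinSCP-PowerShell project.
# Assumes: the server certificate has been exported to $Path (placeholder),
# and the module's accepted pattern is the one quoted in the error message.

# Pattern copied from the error message: 20 hex bytes separated by ':' or '-',
# optionally several fingerprints joined with ';'. Anchored so partial matches fail.
$Sha1FingerprintPattern = '^([0-9a-fA-F]{2}[:-]){19}[0-9a-fA-F]{2}(;([0-9a-fA-F]{2}[:-]){19}[0-9a-fA-F]{2})*$'

function Get-FingerprintAlgorithm {
    # Classify a colon/dash separated fingerprint by its number of byte pairs.
    param([Parameter(Mandatory)][string]$Fingerprint)
    $byteCount = ($Fingerprint -split '[:-]').Count
    switch ($byteCount) {
        20      { 'SHA-1' }    # 160-bit digest, what the module accepts
        32      { 'SHA-256' }  # 256-bit digest, what the newer GUI emits
        default { 'Unknown' }
    }
}

function Test-WinSCPModuleFingerprint {
    # True only if New-WinSCPSessionOption (module version in the issue) would accept it.
    param([Parameter(Mandatory)][string]$Fingerprint)
    return [bool]($Fingerprint -match $Sha1FingerprintPattern)
}

function Get-CertificateFingerprint {
    # Hash the DER encoding of an exported certificate and format it the way
    # WinSCP expects: lowercase hex bytes separated by ':'.
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('SHA1', 'SHA256')][string]$Algorithm = 'SHA1'
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $hasher = if ($Algorithm -eq 'SHA256') {
        [System.Security.Cryptography.SHA256]::Create()
    } else {
        [System.Security.Cryptography.SHA1]::Create()
    }
    try {
        $hash = $hasher.ComputeHash($cert.RawData)
    } finally {
        $hasher.Dispose()
    }
    return (($hash | ForEach-Object { $_.ToString('x2') }) -join ':')
}

# The constructed fingerprint from the issue: 32 bytes, so the module rejects it.
$fromGui = 'b4:8c:e1:de:33:24:3a:1e:ac:77:09:d5:f6:eb:cd:2d:46:c6:5d:45:fe:7c:3a:e0:1c:60:fe:e6:ff:2e:34:ba'
Get-FingerprintAlgorithm -Fingerprint $fromGui        # SHA-256
Test-WinSCPModuleFingerprint -Fingerprint $fromGui    # False

# Pin the SHA-1 fingerprint of the exported server certificate (path is a placeholder).
$sha1 = Get-CertificateFingerprint -Path 'C:\path\to\server-cert.cer' -Algorithm SHA1
if (Test-WinSCPModuleFingerprint -Fingerprint $sha1) {
    $options = New-WinSCPSessionOption -HostName 'AHostName' -Credential $credential `
        -Protocol Ftp -FtpSecure Implicit -TlsHostCertificateFingerprint $sha1
    $session = New-WinSCPSession -SessionOption $options
} else {
    throw "Computed fingerprint '$sha1' is not in the module's SHA-1 format"
}
```

Checking the format locally before calling New-WinSCPSessionOption turns the module's opaque pattern error into a clear "this is a SHA-256 value" diagnosis, and deriving the SHA-1 fingerprint from the certificate itself keeps the connection pinned to the expected host even when the server operator only publishes the SHA-256 form.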