SSL connect failure with client certificate authentication

Summary
-------
SmartFTP does not work with an FTPS server that optionally accepts
valid client certificates.

Detail
------
When the server requests a client certificate and SmartFTP doesn't have
a proper certificate, it sends a completely irrelevant self-signed
certificate:

Subject=/CN=Administrator/L=EFS/OU=EFS File Encryption Certificate
Issuer=/CN=Administrator/L=EFS/OU=EFS File Encryption Certificate

If the server is configured to request an optional client certificate,
the client should not send any certificate if it doesn't have an
appropriate one. SmartFTP, however, sends in the above bogus certificate,
lets the server verify it, and gets rejected instead.

Thanks,
Masato

Select the client certificate in the settings.

Connection->SSL

-Mat

Hi,

That is not the intention.

I'm testing an FTPS server's (Orenosv) interoperability with various FTP over SSL clients regarding various client certificate authentication / mapping schemes.

One mode of operation is to "request but not require a valid client certificate". In this mode, the server admin should be able to specify varying access policies based on whether the client has a valid certificate or not.

The SSL/TLS spec states this specific behavior and SSL/TLS clients and servers should conform to it. Several HTTPS browsers in the past showed the same problem (can't connect to such an HTTPS server), but most of them fixed the bug in later versions.

Thanks
Masato
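
The client-side selection rule described in the post above, as an added example that is not part of the thread or SmartFTP's code: offer a certificate only if it is usable for client authentication and matches an issuer named in the server's request, otherwise send no certificate. `StoreCert`, the `/CN=alice` entry, the CA names and the EKU assigned to the EFS certificate are assumptions made for illustration, and issuer matching is simplified to the direct issuer rather than a full chain.

```python
from dataclasses import dataclass

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth
EFS = "1.3.6.1.4.1.311.10.3.4"       # Microsoft Encrypting File System EKU
ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage


@dataclass(frozen=True)
class StoreCert:
    """Constructed stand-in for one certificate in the user's store."""
    subject: str
    issuer: str
    ekus: frozenset = frozenset()    # empty = no EKU extension (unrestricted)
    has_private_key: bool = True


def usable_for_client_auth(cert):
    """A cert can sign the handshake only with its key and a permitting EKU."""
    return cert.has_private_key and (
        not cert.ekus or CLIENT_AUTH in cert.ekus or ANY_EKU in cert.ekus)


def select_client_certificate(store, acceptable_issuers):
    """Return the cert to send, or None for an empty Certificate message.

    acceptable_issuers holds the CA names from the server's request; an
    empty list means the server named no CAs, so any usable cert may go.
    """
    for cert in store:
        if not usable_for_client_auth(cert):
            continue
        if acceptable_issuers and cert.issuer not in acceptable_issuers:
            continue
        return cert
    return None


# Constructed sample store: the EFS certificate quoted in the first post
# (EKU assumed to be EFS-only) and a hypothetical CA-issued client cert.
EFS_DN = "/CN=Administrator/L=EFS/OU=EFS File Encryption Certificate"
EFS_CERT = StoreCert(EFS_DN, EFS_DN, frozenset({EFS}))
ALICE = StoreCert("/CN=alice", "/CN=Example Client CA", frozenset({CLIENT_AUTH}))

if __name__ == "__main__":
    for issuers in (["/CN=Example Client CA"], ["/CN=Other CA"], []):
        picked = select_client_certificate([EFS_CERT, ALICE], issuers)
        print(issuers, "->", picked.subject if picked else "no certificate")
```

With a server in "request but not require" mode, the `None` result lets the handshake complete without a client identity instead of failing on a certificate the server cannot validate.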

Hello ...
I don't see much of a problem here. SmartFTP sends the certificate you selected in the settings. You can also select no certificate and SmartFTP won't send anything. What do you recommend otherwise?
By default the default Windows user certificate is selected because it works best for most users. We cannot expect all users to generate their own certificate when they want to connect to an SSL server which requests a cert. A lot of servers are requesting a client certificate and don't verify it. In this case it would make it impossible for the users to connect to these servers.

Thanks for sharing your suggestions with us. We used Orenosv to test the IPv6 interoperability with SmartFTP :-)

-Mat