
Hi, is there any way I can verify DriveHQ's SSL certificate upon connecting to my personal folder using FileZilla? FileZilla prompts me with a message that tells me to check if the key written on the window is the same as the one received from the hosting provider. Could you tell me where to find it?


5/30/2020 2:33:10 PM

I guess you use FTP over TLS, which is the default protocol used by FileZilla. Depending on your FileZilla version, it may or may not display an SSL security dialog. If it does, verify the info as highlighted in the following screenshot:

You can see the Protocol is TLS1.2 (SSL 256); and the certificate's common name matches the drivehq.com domain name. To avoid seeing this dialog again, you can choose to trust it.

 

If you are already connected, you can click the lock icon at the bottom-right corner of the FileZilla window. Please see the screenshot below. It will display the above SSL certificate dialog:

 


Reply
5/30/2020 3:35:14 PM

Hi, I get that same exact SSL dialog, but it says that I have to verify a key, not a domain name. Maybe I should verify that "ECDHE-X25519-RSA-SHA256" (Session details ---> Key exchange) is the actual key.


Reply
5/30/2020 3:42:23 PM

I tested with the latest version of FileZilla; it does not display any SSL security/certificate dialog or the dialog you mentioned above. Are you using FTP over TLS, or SFTP?

Please send a screenshot showing the problem to DriveHQ support. (or you can post it here)


Reply
5/30/2020 5:07:06 PM

I'm using FTP over TLS.

This is the dialog that I get:

I think that I have to verify one of the underlined keys.


Reply
5/31/2020 12:24:25 AM

At the very top of the dialog it says that I have to compare the displayed fingerprint with the certificate fingerprint I have received from my hosting provider (which is you). Could you tell me where to find your certificate's fingerprint so I can compare it before hitting "OK"?


Reply
5/31/2020 12:36:32 AM

According to FileZilla's official support message:

https://forum.filezilla-project.org/viewtopic.php?t=45670

FileZilla doesn't use the OS certificate store, instead it uses "the TOFU model (TOFU = Trust On First Use)". I quote the message below:

Re: The server's certificate is unknown. Please carefully examine the certificate to make sure the server can be trusted

#2 Post by boco » 2017-06-21 21:17

It is neither an error nor a problem. FileZilla just doesn't use the OS certificate store (which might become compromised), instead, it follows the TOFU model (TOFU = Trust On First Use).

That means, at least upon first contact to every new server, you will get that popup, to carefully check and verify the certificate. If you trust it, click the button (+check the box for permanent trust). With permanent trust, you won't be bothered again for that exact certificate until it expires.


So it is not a problem in general; you can ignore it unless you have very high security requirements. If so, you can use the DriveHQ FileManager client software or another FTP client. (You don't really need to verify the certificate fingerprint, as it is a public certificate verified by a Certificate Authority; web browsers and other FTP client programs don't usually do that. You just need to verify that the certificate common name matches the FTP server name.)

BTW, on my Windows 10 with the latest version of FileZilla, I don't see this certificate dialog. Do you use the latest version of FileZilla on Windows 10?

 

 


Reply
6/1/2020 12:12:56 PM

I get that I will only get the popup once. I get that it's not a problem. I'd just like to know where I can find your certificate's fingerprint. That's all.

Regarding FileZilla, I updated it a week ago and I'm running the latest version of Windows 10.


Reply
6/3/2020 1:21:17 PM

In our first reply, you can see the SSL certificate fingerprint in the screenshot; you uploaded your screenshot, and the fingerprints do match. I don't think you need to verify "Key Exchange". The most important thing is to verify that the common name matches the FTP server name (and that the certificate has not expired).

 


Reply
6/3/2020 5:41:30 PM

I've just found a tool on GlobalSign's website that allows me to verify any TLS certificate. It was very well hidden. Thank you for your time.


Reply
6/4/2020 12:24:27 AM
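The fingerprint comparison and the TOFU model discussed in this thread, as an added example that is not part of the original posts and is not FileZilla's or DriveHQ's code: it hashes a server certificate, pins it on first use, and flags any later change or any difference from a fingerprint obtained out of band. The function names, the `pins.json` store and the host `ftp.example.com` are hypothetical, and the certificate bytes in the demo are constructed stand-ins.

```python
import hashlib
import hmac
import json
from ftplib import FTP_TLS
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so pasted fingerprints compare equal."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def fetch_ftps_cert(host: str, port: int = 21, timeout: float = 10) -> bytes:
    """Explicit FTP over TLS: send AUTH TLS, return the leaf certificate (DER)."""
    ftps = FTP_TLS(timeout=timeout)
    try:
        ftps.connect(host, port)
        ftps.auth()
        return ftps.sock.getpeercert(binary_form=True)
    finally:
        ftps.close()


def tofu_check(host: str, der: bytes, store: Path, published=None) -> str:
    """Return 'pinned-on-first-use', 'match' or 'mismatch' for this host."""
    seen = normalize(fingerprint(der))
    pins = json.loads(store.read_text()) if store.exists() else {}
    # A fingerprint obtained out of band from the provider overrides blind trust.
    if published is not None and not hmac.compare_digest(seen, normalize(published)):
        return "mismatch"
    if host not in pins:
        pins[host] = seen  # first contact: remember this exact certificate
        store.write_text(json.dumps(pins, indent=2))
        return "pinned-on-first-use"
    return "match" if hmac.compare_digest(seen, pins[host]) else "mismatch"


if __name__ == "__main__":
    import tempfile
    pin_file = Path(tempfile.mkdtemp()) / "pins.json"  # hypothetical pin store
    cert = b"constructed stand-in for DER certificate bytes"
    print(fingerprint(cert))
    for _ in range(2):
        print(tofu_check("ftp.example.com", cert, pin_file))
```

For a live check, pass the result of `fetch_ftps_cert(host)` as `der`; a renewed certificate will report `mismatch` until its pin is replaced.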
