# FileZilla client SSL trust



## amnixed (Sep 30, 2019)

Gentlemen,

When connecting to my FreeBSD 12/pure-ftpd server, the FileZilla client correctly displays the installed Comodo wildcard certificate, but does not trust it. The .pem file in the pure-ftpd was concatenated as:

`cat server.key comodo.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > pure-ftpd.pem`

Talking to Comodo, I was told that it isn't just Comodo SSL the FileZilla client does not trust, but the FileZilla client does not trust SSL certs from any CA (??).

Does anyone happen to have a pure-ftpd/Comodo SSL configuration trusted by the FileZilla client?


----------



## SirDice (Oct 1, 2019)

Is security/ca_root_nss installed?


----------



## amnixed (Oct 1, 2019)

Thank you for replying - Yes, SirDice, it's installed.

I don't see any clue in the FileZilla client log:


```
Status:    Connecting to 10.10.10.242:21...
Status:    Connection established, waiting for welcome message...
Trace:    CFtpControlSocket::OnReceive()
Response:    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:    [...]
Trace:    CFtpLogonOpData::ParseResponse() in state 1
Trace:    CControlSocket::SendNextCommand()
Trace:    CFtpLogonOpData::Send() in state 2
Command:    AUTH TLS
Trace:    CFtpControlSocket::OnReceive()
Response:    234 AUTH TLS OK.
Trace:    CFtpLogonOpData::ParseResponse() in state 2
Status:    Initializing TLS...
Trace:    CTlsSocketImpl::Handshake()
Trace:    CTlsSocketImpl::ContinueHandshake()
Trace:    TLS handshake: About to send CLIENT HELLO
Trace:    TLS handshake: Sent CLIENT HELLO
Trace:    CTlsSocketImpl::OnSend()
Trace:    CTlsSocketImpl::OnRead()
Trace:    CTlsSocketImpl::ContinueHandshake()
Trace:    CTlsSocketImpl::OnRead()
Trace:    CTlsSocketImpl::ContinueHandshake()
Trace:    TLS handshake: Received SERVER HELLO
Trace:    TLS handshake: Processed SERVER HELLO
Trace:    CTlsSocketImpl::OnRead()
Trace:    CTlsSocketImpl::ContinueHandshake()
Trace:    CTlsSocketImpl::OnRead()
Trace:    CTlsSocketImpl::ContinueHandshake()
Trace:    TLS handshake: Received CERTIFICATE
Trace:    TLS handshake: Processed CERTIFICATE
Trace:    TLS handshake: Received SERVER KEY EXCHANGE
Trace:    TLS handshake: Processed SERVER KEY EXCHANGE
Trace:    TLS handshake: Received SERVER HELLO DONE
Trace:    TLS handshake: Processed SERVER HELLO DONE
Trace:    TLS handshake: About to send CLIENT KEY EXCHANGE
Trace:    TLS handshake: Sent CLIENT KEY EXCHANGE
Trace:    TLS handshake: About to send FINISHED
Trace:    TLS handshake: Sent FINISHED
Trace:    CTlsSocketImpl::OnRead()
Trace:    CTlsSocketImpl::ContinueHandshake()
Trace:    TLS handshake: Received NEW SESSION TICKET
Trace:    TLS handshake: Processed NEW SESSION TICKET
Trace:    TLS handshake: Received FINISHED
Trace:    TLS handshake: Processed FINISHED
Trace:    TLS Handshake successful
Trace:    Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: CHACHA20-POLY1305, MAC: AEAD
Status:    Verifying certificate...
Error:    Remote certificate not trusted.
```


----------



## SirDice (Oct 1, 2019)

I meant to ask if it was installed on the client. The package contains the CA root certificates you need in order to verify registered SSL certificates.


----------



## amnixed (Oct 3, 2019)

SirDice, it is installed. I was told on the FileZilla board that FileZilla employs the "Trust On First Use" model.

Thanks for your help!


----------
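The "Trust On First Use" model mentioned in the last post, sketched as an added example (not part of the thread and not FileZilla's own code): the client pins the SHA-256 fingerprint of the certificate it sees after `AUTH TLS` and compares it on later connections, independent of any CA bundle. The `PinStore` class, its JSON file format and the function names are assumptions made for illustration.

```python
import ftplib
import hashlib
import hmac
import json
import os
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_ftps_cert(host: str, port: int = 21) -> bytes:
    """Return the server's leaf certificate (DER) after AUTH TLS.

    CA verification is switched off on purpose: under TOFU the decision
    comes from the pin store, not from a CA bundle.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ftps = ftplib.FTP_TLS(context=ctx)
    ftps.connect(host, port, timeout=10)
    try:
        ftps.auth()  # sends AUTH TLS and wraps the control socket
        return ftps.sock.getpeercert(binary_form=True)
    finally:
        ftps.close()


class PinStore:
    """Hypothetical JSON file mapping "host:port" to the pinned fingerprint."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """'unknown' = never seen, 'trusted' = matches pin, 'changed' = mismatch."""
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return "unknown"
        return "trusted" if hmac.compare_digest(pinned, fingerprint(der_cert)) else "changed"

    def trust(self, host: str, port: int, der_cert: bytes) -> None:
        """Record the pin once the fingerprint was confirmed out of band."""
        self.pins[f"{host}:{port}"] = fingerprint(der_cert)
        with open(self.path, "w") as fh:
            json.dump(self.pins, fh, indent=2)
```

An "unknown" result is the point where the fingerprint should be compared against one read directly on the server; a "changed" result should stop the connection until the certificate change is explained.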

