FileZilla reporting "GnuTLS error -48: Key usage violation in certificate has been detected"

Solution 1

Please refer to this post on the FileZilla Forum: https://forum.filezilla-project.org/viewtopic.php?t=42790

Solution 2

This is a server-side issue, and it did not appear previously because earlier versions of FileZilla shipped with a GnuTLS version that didn't make this check.

Quoting Tim Kosse's post in the FileZilla forum thread:

In any case, the problem is with your server's X.509 certificate chain: Either the server certificate itself or another certificate in the chain has a key usage restriction that is violated. For example a certificate with a key usage restriction to signing cannot be used to authenticate TLS connections. See section 4.2.1.3 of RFC 5280.

This is a problem with the certificate generation of Microsoft IIS (but may also happen if you incorrectly generated a certificate with another method), as it does not allow the certificates to be used for digital signatures. OpenSSL is much more relaxed about this and won't fail because of it, so it may work with other apps.

On the client side, you can either disable TLS, downgrade to an earlier version of FileZilla (neither of these is recommended due to potential security risks), or use a different client which uses another library such as OpenSSL for now.

How to generate a valid certificate with IIS

This needs to be done on the server side, obviously. If you aren't the admin, forward these instructions to them.

According to a post in the IIS forums, you can generate the certificate with PowerShell instead until the issue is fixed by Microsoft:

New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -dnsname ftp.example.com

Replace ftp.example.com with your server's hostname.

You will get a fingerprint, copy that. Set a password for the private key:

$password = ConvertTo-SecureString -String "password goes here" -Force -AsPlainText

Now export it (you can change C:\cert.pfx to the path you want to save it to, just make sure it ends in .pfx):

Export-PfxCertificate -cert cert:\LocalMachine\My\FINGERPRINT -FilePath C:\cert.pfx -Password $password
Author: Sandy Gettings

Updated on September 18, 2022
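
Added example, not part of the original answers: a way to check whether a certificate's Key Usage extension (RFC 5280, section 4.2.1.3) permits digital signatures, which is the restriction Solution 2 describes. `Test-TlsKeyUsage` and `New-SampleCert` are hypothetical helper names, the two certificates are constructed in memory for the demonstration, and the script assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: report the Key Usage bits of a certificate.
function Test-TlsKeyUsage {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    # OID 2.5.29.15 is the Key Usage extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' } |
        Select-Object -First 1
    if (-not $ext) {
        # No Key Usage extension means the key carries no usage restriction.
        return [pscustomobject]@{
            Subject = $Certificate.Subject
            KeyUsages = 'none (unrestricted)'
            AllowsDigitalSignature = $true
        }
    }
    $ku = [X509KeyUsageExtension]::new($ext, $ext.Critical)
    [pscustomobject]@{
        Subject = $Certificate.Subject
        KeyUsages = $ku.KeyUsages
        AllowsDigitalSignature = $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature)
    }
}

# Hypothetical helper: build a throwaway self-signed certificate in memory
# (nothing is written to a certificate store) with the given Key Usage bits.
function New-SampleCert([X509KeyUsageFlags]$Usage) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new('CN=ftp.example.com', $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new($Usage, $true))
    $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
}

# Constructed samples: one restricted to key encipherment only,
# one that also allows digital signatures.
$restricted = New-SampleCert 'KeyEncipherment'
$fixed = New-SampleCert 'DigitalSignature, KeyEncipherment'
$restricted, $fixed | ForEach-Object { Test-TlsKeyUsage $_ } | Format-Table -AutoSize

# For the server's real certificate, pass the store item instead, using the
# fingerprint placeholder from the answer above:
# Test-TlsKeyUsage (Get-Item Cert:\LocalMachine\My\FINGERPRINT)
```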

Comments

  • Sandy Gettings over 1 year

    I get the following error when connecting to our server:

    GnuTLS error -48: Key usage violation in certificate has been detected. Could not connect to server

    This problem appeared after upgrading to Filezilla v3.24.0 for Windows on a PC running Windows 10 Pro with all updates. The Mac version (also v3.24.0) works normally with no error. No changes have been made to the server recently.

    Connection info:
    Protocol: FTP - File Transfer Protocol
    Encryption: Require explicit FTP over TLS
    Login Type: Ask for password

    Ftptest.net tested against our server does not show any related issues. Plain FTP (unencrypted) works, but that's not a good idea. I could not find a solution to this problem on Google. Any suggestions?

  • Ravindra Bawane over 7 years
    Links can change and expire and therefore are not good answers. Copy the relevant information into an answer and include the link as reference and you will have a much better answer that will continue to be valuable even if the link itself ceases to function.
  • Sandy Gettings almost 7 years
    OP here. I'm flattered that the post you linked to was my conversation with the Filezilla folks. The problem is fixed. See my recent comments in the original post above.
  • lloyd about 5 years
    The newer version of New-SelfSignedCertificate has a flag -KeyExportPolicy Exportable which you might need to set to export it. See MS Documentation
  • smoothumut about 3 years
    thanks a lot for great instructions