Author Topic: Indy FTP server TLS error (cert expired) Question for Remy  (Read 2179 times)

snorkel

  • Hero Member
  • *****
  • Posts: 817
Indy FTP server TLS error (cert expired) Question for Remy
« on: September 26, 2018, 07:14:31 pm »
Hi,
We use a cert that was really issued to a web server; it expired today and raised this error:

FTP server error:(199.38.140.85:60659)(EIdOSSLUnderlyingCryptoError)Error accepting connection with SSL.
error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

We don't care if the cert is expired and would like to send an email message that it has expired but still allow the connections.

I don't know if it's possible or not.

We only use the cert and key for encryption, not for identifying the server, as it actually does not have a domain name and is used internally for Mainframe transmissions.
The mainframe FTP client does not care about the identity or if the cert is expired.

***Snorkel***
If I forget, I always use the latest stable 32bit version of Lazarus and FPC. At the time of this signature that is Laz 3.0RC2 and FPC 3.2.2
OS: Windows 10 64 bit

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 1314
    • Lebeau Software
Re: Indy FTP server TLS error (cert expired) Question for Remy
« Reply #1 on: September 27, 2018, 02:04:15 am »
> We use a cert that was really issued to a web server; it expired today and raised this error:
>
> FTP server error:(199.38.140.85:60659)(EIdOSSLUnderlyingCryptoError)Error accepting connection with SSL.
> error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
>
> We don't care if the cert is expired and would like to send an email message that it has expired but still allow the connections.

Is this error being raised on the *client* side or the *server* side?

Either way, try setting the SSLIOHandler's VerifyPeer property to true, and then in the OnVerifyPeer event you can check the peer's certificate and return true/false as needed.  Even if the certificate is invalid, you can opt to accept it.

> We only use the cert and key for encryption, not for identifying the server, as it actually does not have a domain name and is used internally for Mainframe transmissions.

You don't need a domain name to use a certificate for identification.  You can use an IP address or wildcard instead.

> The mainframe FTP client does not care about the identity or if the cert is expired.

Then it shouldn't be validating the server's certificate at all.
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)
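As an added illustration of the OnVerifyPeer approach described in the reply above (example code written for this page, not Remy's or Indy's own): a handler that tolerates a peer certificate whose only verification failure is expiry, raises a one-time notification, and still rejects every other failure. It assumes the Indy 10.6 event signature with the AError parameter, that SSLOptions.VerifyMode includes sslvrfPeer so the event fires, and the hypothetical TPeerCertGuard class and NotifyExpired routine.

```pascal
unit PeerCertGuard;
{$mode objfpc}{$H+}
interface
uses
  SysUtils, IdSSLOpenSSL;
type
  { Hypothetical holder for the handler; assign an instance's OnVerifyPeer to
    TIdSSLIOHandlerSocketOpenSSL.OnVerifyPeer (assumed Indy 10.6 signature). }
  TPeerCertGuard = class
  private
    FNotified: Boolean;
    procedure NotifyExpired(const ASubject: string; ANotAfter: TDateTime);
  public
    function OnVerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  end;
implementation
const
  // OpenSSL verification result code X509_V_ERR_CERT_HAS_EXPIRED
  X509_V_ERR_CERT_HAS_EXPIRED = 10;

function TPeerCertGuard.OnVerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  if AOk then
    Exit(True);                      // OpenSSL accepted this link of the chain
  // Tolerate exactly one failure: the leaf certificate (depth 0) has expired.
  // Anything else (unknown issuer, self-signed, wrong purpose) stays rejected.
  if (ADepth = 0) and (AError = X509_V_ERR_CERT_HAS_EXPIRED) then
  begin
    if not FNotified then
    begin
      NotifyExpired(Certificate.Subject.OneLine, Certificate.notAfter);
      FNotified := True;             // alert once per process, not per connection
    end;
    Exit(True);
  end;
  Result := False;
end;

procedure TPeerCertGuard.NotifyExpired(const ASubject: string; ANotAfter: TDateTime);
begin
  // Hypothetical notification: production code would hand this text to TIdSMTP
  // or the site's alerting system; here it is written to stderr.
  WriteLn(StdErr, Format('Peer certificate "%s" expired on %s; still accepting connections',
    [ASubject, DateTimeToStr(ANotAfter)]));
end;
end.
```

Because the expired certificate in the thread is the server's own, this handler only has an effect on the side that performs the validation, which is the client sending the "certificate expired" alert.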
