weak results after an audit of https service

Please post here if you have problems in using Wing FTP Server.
axnav
Posts: 10
Joined: Thu May 19, 2016 10:11 am

weak results after an audit of https service

Post by axnav »

Dear support,

I tried an audit of our WingFTP HTTPS service with this service: https://www.ssllabs.com/ssltest/

With very bad results:

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.


I installed the latest release 4.7.8 and FIPS 140-2 Mode is activated.

I am missing the option to configure/deactivate SSL3, the RC4 cipher and weak DH key exchange parameters.

We use group policies to prevent the IE browser from accepting SSL 2.0 and SSL 3.0.

This is maybe the reason why we can't use IE for accessing the HTTPS WingFTP service.



IE 11 & Edge don't support the RC4 cipher anymore: https://support.microsoft.com/en-us/kb/3151631

Because we have an IT audit for IDW330 and ISO27000 in the next weeks, we need a solution really fast.

Kind regards,

Michael
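The findings above (RC4, no forward secrecy, and later the wrong host answering) can be checked from the operator's side before paying for an external audit. This is an added example, not code from Wing FTP Server or from the poster; it handshakes with a modern client (TLS 1.2+, no RC4), classifies the negotiated suite, and reads the HTTP Server header to confirm the intended host answered. The host name is an assumed placeholder. It does not sweep legacy protocols the way ssllabs does: if a modern client cannot connect at all, the server offers only legacy protocols or ciphers.

```python
import socket
import ssl

TARGET_HOST = "ftp.example.invalid"  # assumed placeholder, not the poster's server
TARGET_PORT = 443


def classify_cipher(cipher_name: str) -> dict:
    """Classify an OpenSSL-style suite name such as 'ECDHE-RSA-AES128-GCM-SHA256'."""
    name = cipher_name.upper()
    kx = name.split("-")[0]
    return {
        "rc4": "RC4" in name,
        # Forward secrecy needs an ephemeral (EC)DH exchange; every TLS 1.3 suite has one.
        "forward_secrecy": kx in ("ECDHE", "DHE") or name.startswith("TLS_"),
    }


def parse_server_header(raw_response: bytes) -> str:
    """Return the HTTP Server header value ('' if absent) from a raw HTTP response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == "server":
            return value.strip()
    return ""


def findings(protocol: str, cipher_name: str) -> list:
    """Audit-style notes for one negotiated session; [] means nothing flagged here."""
    flags = classify_cipher(cipher_name)
    out = []
    if protocol in ("SSLv2", "SSLv3"):
        out.append("legacy SSL negotiated: disable SSLv3 (POODLE)")
    if flags["rc4"]:
        out.append("RC4 cipher negotiated")
    if not flags["forward_secrecy"]:
        out.append("no forward secrecy: prefer ECDHE/DHE suites")
    return out


def probe(host: str = TARGET_HOST, port: int = TARGET_PORT) -> dict:
    """Connect with modern defaults and report protocol, cipher, Server header and findings.
    Note: DH parameter size is not exposed by Python's ssl module, so weak DH is not checked."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            proto, (cipher_name, _, _) = tls.version(), tls.cipher()
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = tls.recv(4096)
    return {"protocol": proto, "cipher": cipher_name,
            "server_header": parse_server_header(raw), "findings": findings(proto, cipher_name)}
```

Run `probe("your.host")` against each public address the DNS name resolves to and compare the Server header; a header that is not the expected one means the scan is hitting a different machine, which was the root cause in this thread.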
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: weak results after an audit of https service

Post by FTP »

When you enable FIPS 140-2 mode, you need to restart the WingFTP service. Did you do that?
axnav
Posts: 10
Joined: Thu May 19, 2016 10:11 am

Re: weak results after an audit of https service

Post by axnav »

Yes, I restarted the Wing FTP Service after setting this.


Please make it possible to deactivate SSL3, RC4 and the weak DH!


Kind regards,

Michael
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: weak results after an audit of https service

Post by FTP »

OK, please stop the WingFTP service first, and then edit the file "Data/settings.xml" and replace the following line:

<DisableSSLv3>0</DisableSSLv3>

with:

<DisableSSLv3>1</DisableSSLv3>
axnav
Posts: 10
Joined: Thu May 19, 2016 10:11 am

Re: weak results after an audit of https service

Post by axnav »

This line was already <DisableSSLv3>1</DisableSSLv3>, so I didn't have to change it.

Kind regards,

Michael
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: weak results after an audit of https service

Post by FTP »

Not possible; please send your server details (such as the server address) via email.
axnav
Posts: 10
Joined: Thu May 19, 2016 10:11 am

Re: weak results after an audit of https service

Post by axnav »

Dear FTP,

Thank you very much for your visit to my WingFTP server.

Your hint about finding the root cause of the wrong HTTP server header was right.

I made a serious mistake and used the wrong external IP address.

After fixing this, the WingFTP service reports the right header and ssllabs now gives an A rating.

Kind regards,

Michael