Low encryption ciphers

Please post here if you have problems in using Wing FTP Server.
jphilippe
Posts: 2
Joined: Tue Oct 05, 2010 2:16 pm

Low encryption ciphers

Post by jphilippe »

Hi,

When I scan the FTPS port of Wing FTP Server for PCI DSS compliance, I get the following error: "SSL Server Supports Weak Encryption Vulnerability" with the following explanation:
SSL encryption ciphers are classified based on encryption key length as follows:
HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits

So I would like to know if it is possible to disable the use of some ciphers in FTPS, or of some key lengths?

Regards,

Jean-Philippe
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Low encryption ciphers

Post by FTP »

The default SSL certificate has a 1024-bit key; you can create a self-signed certificate yourself with a longer key. It supports 1024-bit, 2048-bit and 4096-bit.
jphilippe
Posts: 2
Joined: Tue Oct 05, 2010 2:16 pm

Re: Low encryption ciphers

Post by jphilippe »

I am not talking about the RSA certificate key but about the symmetric keys used inside the SSL protocol.
For instance, with Tomcat, to prevent it from using small symmetric keys I select the following ciphers with these configuration lines:

sslProtocol="SSLv3"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

I want to do the same with Wing FTP Server.

Regards,

Jean-Philippe
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Low encryption ciphers

Post by FTP »

Yes, I know. There is a global option to disable "SSLv2", but there is no option to disable "weak SSL cipher suites".
We use OpenSSL and it supports the following cipher suites:

SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA


The above cipher suites range from weak to strong ciphers, so it can be compatible with most client software.
And I think you needn't care about the scanner's result so much, because the secure transfer also depends on the client software: if the client software uses a strong cipher, the server will respond with the same cipher.

BTW, if you want to make transfers more secure, just check the global option "Disable SSLv2".
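The two things a practitioner actually wants after reading the opening post's classification rule (HIGH above 128 bits, MEDIUM at 128, LOW below) and the OpenSSL cipher list above are: a way to see which suites of a given OpenSSL cipher-list string fall into the scanner's LOW band, and a way to repeat the scanner's check against the FTPS port themselves, one suite at a time. The script below is an added example for this thread; it is not Wing FTP Server code, not Tomcat code, and not the scanner's code. It uses only the Python standard library against whatever OpenSSL build Python is linked to, and the host name in the commented-out probe call is a placeholder. Note that current OpenSSL reports effective strength (3DES as 112 bits) and, depending on its security level and build, may no longer offer the RC4, DES and export suites listed above at all; `set_ciphers` then raises, which the probe treats as "cannot test".

```python
import ssl
from ftplib import FTP_TLS, Error as FTPError


def classify(bits: int) -> str:
    """Scanner classification quoted in the opening post, keyed on the
    symmetric key length (not the RSA certificate key length)."""
    if bits > 128:
        return "HIGH"
    if bits == 128:
        return "MEDIUM"
    return "LOW"


def suites_for(spec: str):
    """Expand an OpenSSL cipher-list string (e.g. "HIGH:!aNULL:!MD5") into
    (name, strength_bits, class) tuples, using the OpenSSL build that the
    ssl module is linked against. TLS 1.3 suites are always included by
    OpenSSL regardless of the string; all of them are 128 bits or more."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)            # raises ssl.SSLError if nothing matches
    return [(c["name"], c["strength_bits"], classify(c["strength_bits"]))
            for c in ctx.get_ciphers()]


def weak_suites(spec: str, floor: int = 128):
    """Suites in `spec` whose effective key length is below `floor` bits,
    i.e. what the scanner in the opening post reports as LOW."""
    return [(name, bits) for name, bits, _ in suites_for(spec) if bits < floor]


def ftps_accepts(host: str, cipher: str, port: int = 21,
                 timeout: float = 10.0) -> bool:
    """Return True if the explicit-FTPS server at host:port completes a TLS
    handshake when the client offers only `cipher`. This mirrors what the
    compliance scanner does, one suite at a time. Certificate checking is
    off on purpose: the thread's servers use self-signed certificates and
    this is a cipher probe, not a trust check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Legacy suites only exist up to TLS 1.2; without this cap a TLS 1.3
    # server would negotiate AES-GCM and the probe would prove nothing.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher)      # local OpenSSL may not have the suite
    except ssl.SSLError:
        return False
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.auth()                   # sends AUTH TLS, then handshakes
        return True
    except (ssl.SSLError, FTPError, OSError, EOFError):
        return False
    finally:
        try:
            ftp.close()
        except Exception:
            pass


if __name__ == "__main__":
    # Permissive list versus the kind of list the original poster wanted
    # to configure on the server side.
    for spec in ("ALL:COMPLEMENTOFALL", "HIGH:!aNULL:!MD5"):
        try:
            rows = suites_for(spec)
        except ssl.SSLError as exc:
            print(f"{spec}: not accepted by this OpenSSL ({exc})")
            continue
        low = [r for r in rows if r[2] == "LOW"]
        print(f"{spec}: {len(rows)} suites, {len(low)} LOW")
        for name, bits, cls in low:
            print(f"  {name:<32}{bits:>4} bits  {cls}")
    # Live probe against a real FTPS server (placeholder host name):
    # print(ftps_accepts("ftps.example.invalid", "DES-CBC3-SHA"))
```

To reproduce the scanner's finding against a Wing FTP Server instance, loop `ftps_accepts` over the OpenSSL names from the list above (`EXP-RC4-MD5`, `DES-CBC-SHA`, `RC4-MD5`, ...) and record which ones return True; any accepted suite with fewer than 128 effective bits is exactly what the "SSL Server Supports Weak Encryption" check reports. Disabling SSLv2 removes a protocol, not a cipher suite, so it does not change this result on its own.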
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Low encryption ciphers

Post by FTP »

Again, we support FIPS 140-2 too; you can enable it by checking the global option "Enable FIPS 140-2 Mode". After enabling it, you need to create the SSL certificate again.
jbriscoe
Posts: 6
Joined: Mon Nov 22, 2010 7:09 pm

Re: Low encryption ciphers

Post by jbriscoe »

We also need to be able to disable low and medium encryption ciphers. Will enabling FIPS 140-2 do that, or can you provide another method to do this?
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Low encryption ciphers

Post by FTP »

Currently there is no other method, but maybe we will consider it in a future version.
itamsterdam
Posts: 2
Joined: Wed Dec 05, 2012 1:56 pm

Re: Low encryption ciphers

Post by itamsterdam »

*bump* LOL

I was wondering if it's possible to disable weak encryption keys in version 4.1.1.
After all, it's been 2 years ;)

Looking forward to your reply.
Thank you.
David
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Low encryption ciphers

Post by FTP »

Did you read the above posts?
Again, we support FIPS 140-2 too; you can enable it by checking the global option "Enable FIPS 140-2 Mode". After enabling it, you need to create the SSL certificate again.
itamsterdam
Posts: 2
Joined: Wed Dec 05, 2012 1:56 pm

Re: Low encryption ciphers

Post by itamsterdam »

We also need to be able to disable low and medium encryption ciphers. Will enabling FIPS 140-2 do that, or can you provide another method to do this?