Low encryption ciphers

Posted: Tue Oct 05, 2010 2:24 pm
by jphilippe
Hi,

When I scan the FTPS port of Wing FTP Server for PCI DSS compliance, I get the following error: "SSL Server Supports Weak Encryption Vulnerability", with the following explanation:
SSL encryption ciphers are classified based on encryption key length as follows:
HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits

So I would like to know if it is possible to disable the use of some ciphers in FTPS, or of some key lengths?

Regards,

Jean-Philippe

Re: Low encryption ciphers

Posted: Tue Oct 05, 2010 2:32 pm
by FTP
The default SSL certificate is 1024 bits long; you can create a self-signed certificate yourself with a longer key, as 1024-bit, 2048-bit and 4096-bit are supported.

Re: Low encryption ciphers

Posted: Wed Oct 06, 2010 9:26 am
by jphilippe
I am not talking about the RSA certificate key but about the symmetric key used inside the SSL protocol.
For instance, with Tomcat, to prevent it from using small symmetric keys I select the following ciphers with these configuration lines:

sslProtocol="SSLv3"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

I want to do the same with Wing FTP Server.

Regards,

Jean-Philippe

Re: Low encryption ciphers

Posted: Thu Oct 07, 2010 6:33 am
by FTP
Yes, I know. There is a global option to disable "SSLv2", but there is no option to disable "weak SSL cipher suites".
We use OpenSSL, and it supports the following cipher suites:

SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA


The above cipher suites range from weak to strong, so the server can be compatible with most client software.
And I think you needn't care about the scanner's result so much, because secure transfer also depends on the client software: if the client software uses a strong cipher, the server will respond with the same cipher.

BTW, if you want to make transfers more secure, just check on the global option "Disable SSLv2".
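
As an added illustration (not code from the thread or from Wing FTP Server), the following script applies the scanner's key-length rule quoted in the first post (HIGH > 128 bits, MEDIUM = 128, LOW < 128) to the cipher list posted above, so an administrator can see which suites trigger the finding and what an OpenSSL cipher string admitting only the HIGH ones would look like; the key-bits lookup table is an assumption based on the bulk cipher named in each suite.

```python
# Suites copied as posted above: "<SSL name> <OpenSSL name>" per line.
POSTED_SUITES = """
SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
"""

# Nominal symmetric key length per bulk-cipher token (assumed table).
# Order matters: more specific tokens are matched before "DES_CBC".
KEY_BITS_BY_TOKEN = [
    ("NULL", 0), ("DES40", 40), ("RC4_40", 40), ("RC2_CBC_40", 40),
    ("3DES_EDE", 168), ("DES_CBC", 56), ("RC4_128", 128), ("IDEA_CBC", 128),
]

def key_bits(ssl_name: str) -> int:
    """Infer the symmetric key length from a suite's SSL/IANA-style name."""
    for token, bits in KEY_BITS_BY_TOKEN:
        if token in ssl_name:
            return bits
    raise ValueError(f"unknown bulk cipher in {ssl_name}")

def strength(bits: int) -> str:
    """Bucket exactly as the scanner explanation in the first post does."""
    return "HIGH" if bits > 128 else "MEDIUM" if bits == 128 else "LOW"

def audit(suite_text: str) -> dict:
    """Return {bucket: [OpenSSL names]} for every suite in the posted list."""
    report = {"HIGH": [], "MEDIUM": [], "LOW": []}
    for line in suite_text.strip().splitlines():
        ssl_name, openssl_name = line.split()
        report[strength(key_bits(ssl_name))].append(openssl_name)
    return report

def openssl_cipher_string(suite_text: str) -> str:
    """Cipher string admitting only the HIGH bucket (for servers that do
    expose cipher control); NULL/anonymous suites are excluded explicitly.
    Note the buckets look only at key length: RC4 and MD5 suites have
    weaknesses independent of key size, so HIGH does not mean safe."""
    return ":".join(audit(suite_text)["HIGH"]) + ":!aNULL:!eNULL"
```

On the posted list this yields 3 HIGH (the 3DES suites), 3 MEDIUM (RC4-128 and IDEA) and 10 LOW suites, which is why the scanner flags the server.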

Re: Low encryption ciphers

Posted: Thu Oct 07, 2010 8:56 am
by FTP
Again, we support FIPS 140-2 too; you can turn it on by checking the global option "Enable FIPS 140-2 Mode". After checking it on, you need to create the SSL certificate again.

Re: Low encryption ciphers

Posted: Tue Nov 30, 2010 9:26 pm
by jbriscoe
We also need to be able to disable low and medium encryption ciphers. Will enabling FIPS 140-2 do that, or can you provide another method to do this?

Re: Low encryption ciphers

Posted: Wed Dec 01, 2010 3:28 am
by FTP
Currently there is no other method, but maybe we will consider it in a future version.

Re: Low encryption ciphers

Posted: Wed Dec 05, 2012 1:58 pm
by itamsterdam
*bump* LOL

I was wondering if it's possible to disable weak encryption keys in version 4.1.1.
After all, it's been 2 years ;)

Looking forward to your reply.
Thank you.
David

Re: Low encryption ciphers

Posted: Thu Dec 06, 2012 10:07 am
by FTP
Did you read the above posts?
Again, we support FIPS 140-2 too; you can turn it on by checking the global option "Enable FIPS 140-2 Mode". After checking it on, you need to create the SSL certificate again.

Re: Low encryption ciphers

Posted: Thu Dec 06, 2012 10:19 am
by itamsterdam
We also need to be able to disable low and medium encryption ciphers. Will enabling FIPS 140-2 do that, or can you provide another method to do this?