Low encryption ciphers

Please post here if you have problems in using Wing FTP Server.

Postby jphilippe » Tue Oct 05, 2010 2:24 pm

Hi,

When I scan the FTPS port of Wing FTP Server for PCI DSS compliance, I get the following error: "SSL Server Supports Weak Encryption Vulnerability", with the following explanation:
SSL encryption ciphers are classified based on encryption key length as follows:
HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits

So I would like to know if it is possible to disable the use of some ciphers in FTPS, or of some key lengths?

Regards,

Jean-Philippe
jphilippe
 
posts 2
 
joined Tue Oct 05, 2010 2:16 pm

Re: Low encryption ciphers

Postby FTP » Tue Oct 05, 2010 2:32 pm

The default SSL certificate is 1024 bits long; you can create a self-signed cert yourself with a higher length. It supports 1024-bit, 2048-bit and 4096-bit.
FTP
Site Admin
 
posts 1226
 
joined Tue Sep 29, 2009 6:09 am

Re: Low encryption ciphers

Postby jphilippe » Wed Oct 06, 2010 9:26 am

I am not talking about the RSA certificate key but about the symmetric key used inside the SSL protocol.
For instance, with Tomcat, to prevent it from using small symmetric keys I select the following ciphers with these configuration lines:

sslProtocol="SSLv3"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

I want to do the same with Wing FTP Server.

Regards,

Jean-Philippe
jphilippe
 
posts 2
 
joined Tue Oct 05, 2010 2:16 pm

Re: Low encryption ciphers

Postby FTP » Thu Oct 07, 2010 6:33 am

Yes, I know. There is a global option to disable "SSLv2", but there is no option to disable "weak SSL cipher suites".
We use OpenSSL and it supports the following cipher suites:

SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA


The above cipher suites range from weak to strong ciphers, so the server can be compatible with most client software.
And I think you needn't care about the scanner's result so much, because the secure transfer also depends on the client software; if the client software uses a strong cipher, the server will respond with the same cipher.

BTW, if you want to make transfers more secure, just check the global option "Disable SSLv2".
FTP
Site Admin
 
posts 1226
 
joined Tue Sep 29, 2009 6:09 am
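
Added example, not part of the original posts and not Wing FTP Server code: it grades the suite list from the post above with the scanner's key-length rule quoted in the first post (HIGH > 128, MEDIUM = 128, LOW < 128 bits). The function names are hypothetical, and key lengths are the nominal ones implied by each suite's spec name.

```python
import re

# Suite list copied from the admin's post: "<spec name> <OpenSSL name>".
LISTING = """\
SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
"""

def key_bits(spec):
    """Nominal symmetric key length, read from the part after _WITH_."""
    cipher = spec.split("_WITH_", 1)[1]
    if cipher.startswith("NULL"):
        return 0                          # integrity only, no encryption
    explicit = re.search(r"(?<!\d)(40|128)_", cipher)   # RC4_40, DES40, RC4_128
    if explicit:
        return int(explicit.group(1))
    # No length in the name: 3DES is 168 bits nominal (about 112 effective).
    return {"3DES": 168, "DES": 56, "IDEA": 128}[cipher.split("_")[0]]

def grade(bits):
    """The scanner's rule as quoted in the first post."""
    return "HIGH" if bits > 128 else "MEDIUM" if bits == 128 else "LOW"

def audit(listing=LISTING):
    """Map each grade to the OpenSSL names that fall into it."""
    result = {"LOW": [], "MEDIUM": [], "HIGH": []}
    rows = (line.split() for line in listing.splitlines() if line.strip())
    for spec, name in rows:
        result[grade(key_bits(spec))].append(name)
    return result

if __name__ == "__main__":
    for level, names in audit().items():
        print(f"{level:6} ({len(names):2}): {', '.join(names)}")
```
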

Re: Low encryption ciphers

Postby FTP » Thu Oct 07, 2010 8:56 am

Again, we support FIPS 140-2 too. You can enable it by checking the global option "Enable FIPS 140-2 Mode"; after checking it, you need to create the SSL certificate again.
FTP
Site Admin
 
posts 1226
 
joined Tue Sep 29, 2009 6:09 am

Re: Low encryption ciphers

Postby jbriscoe » Tue Nov 30, 2010 9:26 pm

We also need to be able to disable low and medium encryption ciphers. Will enabling FIPS 140-2 do that, or can you provide another method to do this?
jbriscoe
 
posts 6
 
joined Mon Nov 22, 2010 7:09 pm

Re: Low encryption ciphers

Postby FTP » Wed Dec 01, 2010 3:28 am

Currently there is no other method, but maybe we will consider it in a future version.
FTP
Site Admin
 
posts 1226
 
joined Tue Sep 29, 2009 6:09 am

Re: Low encryption ciphers

Postby itamsterdam » Wed Dec 05, 2012 1:58 pm

*bump* LOL

I was wondering if it's possible to disable weak encryption keys in version 4.1.1.
After all, it's been 2 years ;)

Looking forward to your reply.
Thank you.
David
itamsterdam
 
posts 2
 
joined Wed Dec 05, 2012 1:56 pm

Re: Low encryption ciphers

Postby FTP » Thu Dec 06, 2012 10:07 am

Did you read the above posts?

Again, we support FIPS 140-2 too. You can enable it by checking the global option "Enable FIPS 140-2 Mode"; after checking it, you need to create the SSL certificate again.
FTP
Site Admin
 
posts 1226
 
joined Tue Sep 29, 2009 6:09 am

Re: Low encryption ciphers

Postby itamsterdam » Thu Dec 06, 2012 10:19 am

We also need to be able to disable low and medium encryption ciphers. Will enabling FIPS 140-2 do that, or can you provide another method to do this?
itamsterdam
 
posts 2
 
joined Wed Dec 05, 2012 1:56 pm
