How to disable weak or medium SSL ciphers?

Post by FTP » Mon Mar 18, 2013 5:39 am

If you failed a PCI Compliance scan, it doesn't matter. If you care about it, you can disable weak and medium SSL ciphers in Wing FTP Server: you just need to enable the option "Enable FIPS 140-2 mode" at "Server -> Settings -> General Settings". Wing FTP Server will then use the algorithms that are approved by the FIPS group (which only allows strong SSL ciphers).

After you change this option, you need to regenerate the SSL certificate and then choose the newly generated SSL certificate at "Domain -> Settings -> General Settings -> SSL Certificate". I suggest you choose a 1024-bit key when creating the SSL certificate, because a 2048-bit or 4096-bit key will take lots of CPU, and the transfer speed will be very slow.

Now you can test the strength of the SSL ciphers again. You can test it with the openssl tool. Most Linux systems install openssl by default; Windows users can download it from here:
http://slproweb.com/products/Win32OpenSSL.html


You can type the following commands to check whether the server supports weak or medium SSL ciphers:

Code:
openssl s_client -connect mydomain.com:443 -cipher EXP:LOW
openssl s_client -connect mydomain.com:443 -cipher EXP:MEDIUM


If weak or medium SSL ciphers are not supported, you will get an error like this:

Code:
CONNECTED(00000003)
140004449822376:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:


Otherwise, you will get a result like this:

Code:
CONNECTED(00000003)
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
FTP
Site Admin
joined Tue Sep 29, 2009 6:09 am
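
The two checks from the post above, wrapped in a script that reads the s_client result and returns an exit code, as an added example that is not part of the original post. The function names and exit codes are this example's own; the "untestable" verdict covers OpenSSL builds that no longer ship export or low-strength ciphers, where the command fails locally with "no cipher match" before anything is sent to the server.

```shell
#!/bin/sh
# Added example, not from the original post.

# Read `openssl s_client` output on stdin and print one verdict.
classify_handshake() {
    out=$(cat)
    case "$out" in
        # The local openssl build has no ciphers in this class, so nothing
        # was offered to the server and the result says nothing about it.
        *"no cipher match"*) echo untestable ;;
        # The server refused every offered cipher (the error shown in the post).
        *"handshake failure"*|*"Cipher is (NONE)"*) echo rejected ;;
        # A certificate chain or a negotiated cipher means the handshake ran.
        *"depth="*|*"Cipher is "*) echo accepted ;;
        # Anything else, e.g. the TCP connection itself failed.
        *) echo unknown ;;
    esac
}

# check_class HOST:PORT CIPHERSTRING -> prints the verdict for one cipher string.
check_class() {
    openssl s_client -connect "$1" -cipher "$2" </dev/null 2>&1 |
        classify_handshake
}

# scan HOST:PORT -> exit status 0 when both checks are rejected,
# 1 when a weak or medium cipher was accepted, 2 when a check was inconclusive.
scan() {
    status=0
    for class in EXP:LOW EXP:MEDIUM; do
        verdict=$(check_class "$1" "$class")
        echo "$class: $verdict"
        case "$verdict" in
            accepted) status=1 ;;
            rejected) ;;
            *) [ "$status" -eq 1 ] || status=2 ;;
        esac
    done
    return "$status"
}

# Usage: sh check_ciphers.sh mydomain.com:443
if [ "$#" -gt 0 ]; then scan "$1"; fi
```

An exit status of 2 means the check has to be repeated from a machine whose openssl build still includes those cipher classes; it is not a pass.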
