Wing FTP Software

We are using Wing FTP version 4.7.8. We recently had a security audit that dinged us on some weak SSH algorithms. Specifically, they called out the Cipher Block Chaining (CBC) mode encryption algorithms:
- aes256-cbc
- aes192-cbc
- aes128-cbc
- blowfish-cvc
- 3des-cbc
- des-cbc-ssh1

The security audit also complained about:
- hmac-sha1

Is there any way to disable these weaker algorithms in Wing FTP?

OK, please enable the option "Server -> Settings -> General Settings -> Enable FIPS 140-2 mode", then Wing FTP Server will use the algorithms which be approved by the FIPS group (only allows strong encryption ciphers).

I have the "Enable FIPS 140-2 Mode" checkbox checked, but I still see those weak ciphers.

If I run the command:
I get:

OK, it is designed to be compatible with some SFTP client, and there is no need to worry about the SFTP security, because the stronger algorithm has higher priority, so your SFTP client will choose the strongest algorithm if it supports that algorithm.

For compliance, we need the weaker ciphers disabled. I understand the client may negotiate high but the risk is related to weaker ciphers being available. How can we remove / disable? It seems like the UI solution recommended here doesn't affect the actual cipher list.

OK, you can specify the customized SFTP algorithms under "Server > Settings > General Settings > Security".

Hello FTP,

I believe we've done this. This is what we have listed in "Server > Settings > General Settings > Security > SFTP Encryption Algorithms" section:
aes256-ctr,aes192-ctr,aes128-ctr,des-cbc-ssh1

I restarted the services and the server but when I test, these are still available:
3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc

v4.9.2 on Windows Server 2012

Thanks in advance for your help.

We have the same issue... We're on 4.9.2.

With the default SFTP encryptions settings the protocols reported (probed using nmap) are...

22/tcp open ssh

| ssh2-enum-algos:
| kex_algorithms: (4)
| curve25519-sha256@libssh.org" rel="nofollow" rel="nofollow
| ecdh-sha2-nistp256
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1
| server_host_key_algorithms: (1)
| ssh-rsa
| encryption_algorithms: (9)
| aes256-ctr
| aes192-ctr
| aes128-ctr
| aes256-cbc
| aes192-cbc
| aes128-cbc
| blowfish-cbc
| 3des-cbc
| des-cbc-ssh1
| mac_algorithms: (3)
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (3)
| none
| zlib
|_ zlib@openssh.com" rel="nofollow" rel="nofollow

After modifying the SFTP Encryption algos we're now getting...

22/tcp open ssh

| ssh2-enum-algos:
| kex_algorithms: (4)
| curve25519-sha256@libssh.org" rel="nofollow" rel="nofollow
| ecdh-sha2-nistp256
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1
| server_host_key_algorithms: (1)
| ssh-rsa
| encryption_algorithms_client_to_server: (9)
| aes256-ctr
| aes192-ctr
| aes128-ctr
| aes256-cbc
| aes192-cbc
| aes128-cbc
| blowfish-cbc
| 3des-cbc
| des-cbc-ssh1
| encryption_algorithms_server_to_client: (3)
| aes256-ctr
| aes192-ctr
| aes128-ctr
| mac_algorithms: (3)
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (3)
| none
| zlib
|_ zlib@openssh.com" rel="nofollow" rel="nofollow


So as you can see it has fixed the server to client ones, but the server still reports the client to server ones as including the CBC ones... Normally we can tie this down in the sshd_config file under ciphers to completely turn the CBC and 3DES ciphers off.

OK, you can set the SFTP encryption algorithms under "Server > Settings > General Settings > Security > SFTP Encryption Algorithms".

Hi, I have modified the settings there, but it only changes some of them, not all of them. A pen-test scan of the server still reports the CBC and 3DES algos as enabled which means it fails the test.