Disabling Weak Ciphers - Windows version

Please post here if you have problems in using Wing FTP Server.

Post by GMHayes » Tue Nov 09, 2021 4:59 pm

Is there any update to the article on disabling weak ciphers? The article is from 2013. I am trying to disable weak ciphers for our upcoming SOC audit. I have disabled TLS 1.0 and 1.1, enabled FIPS mode and set the cipher list to default. But a test still shows several weak ciphers enabled.

Is there another article I am missing which shows the syntax for actually specifying the ciphers which will be enabled, and what ciphers are supported?
GMHayes
 

Re: Disabling Weak Ciphers - Windows version

Post by FTP » Wed Nov 10, 2021 3:42 pm

The recommended OpenSSL ciphers are:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305


I think those ciphers have no problems for HTTPS/FTPS. Do you mean the ciphers for the SFTP (SSH) protocol? If so, you may use the following ciphers/algorithms:

SFTP Key Exchange Algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

SFTP Encryption Algorithms: aes256-ctr,aes192-ctr,aes128-ctr,chacha20-poly1305@openssh.com

SFTP MAC Algorithms: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
FTP
Site Admin
 

Re: Disabling Weak Ciphers - Windows version

Post by GMHayes » Wed Nov 10, 2021 4:17 pm

My apologies for not being more specific. Yes, I was referring to the OpenSSL ciphers. I applied your suggested list and that seems to have done the trick as far as the test results. Thank you very much!

Is there someplace that I missed where the exact syntax of those selections is documented? I tried to cobble something like that together on my own from the cipher list shown in an IISCrypto scan and the SSL Labs server test site, but things didn't match up.
GMHayes
 

Re: Disabling Weak Ciphers - Windows version

Post by FTP » Wed Nov 10, 2021 4:30 pm

You may take a look at this cipher suite table; just check the green (Modern) ciphers for OpenSSL:
https://wiki.mozilla.org/Security/Cipher_Suites#Modern_compatibility
FTP
Site Admin
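
On the question of matching scanner output to the OpenSSL syntax, the following is an added example, not part of the original posts and not Wing FTP Server code. It uses Python's standard ssl module to expand a cipher string into the suites it enables, together with the IANA code point that scanners print next to the TLS_* name; the helper names expand and audit are hypothetical, and the local OpenSSL build is assumed to behave like the one the server uses.

```python
import ssl

# Cipher string recommended in the thread (OpenSSL names, colon-separated).
RECOMMENDED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)
ALLOWED = set(RECOMMENDED.split(":"))


def expand(cipher_string):
    """Return (code point, OpenSSL name, protocol) for every suite the local
    OpenSSL enables for cipher_string. Raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # The low 16 bits of 'id' are the IANA code point, which is the same
    # in both naming schemes and so links a TLS_* name to an OpenSSL name.
    return [(c["id"] & 0xFFFF, c["name"], c["protocol"])
            for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Names of TLS 1.2-and-older suites enabled by cipher_string that are
    not on the thread's list. TLS 1.3 suites are skipped: OpenSSL configures
    them separately and this string does not control them."""
    return [name for _, name, proto in expand(cipher_string)
            if proto != "TLSv1.3" and name not in ALLOWED]


if __name__ == "__main__":
    for code, name, proto in expand(RECOMMENDED):
        print(f"0x{code:04X}  {proto:8} {name}")
    # Constructed sample input: a broad keyword string, for comparison.
    print("outside the list with 'HIGH':", audit("HIGH"))
```

Comparing the printed code points with the hex values in a scan report shows which OpenSSL name corresponds to each reported suite.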
 