Disabling Weak Ciphers - Windows version

Please post here if you have problems in using Wing FTP Server.
GMHayes
Posts: 2
Joined: Tue Nov 09, 2021 4:47 pm

Disabling Weak Ciphers - Windows version

Post by GMHayes »

Is there any update to the article on disabling weak ciphers? The article is from 2013. I am trying to disable weak ciphers for our upcoming SOC audit. I have disabled TLS 1.0 and 1.1, enabled FIPS mode and set the cipher list to default. But a test still shows several weak ciphers enabled.

Is there another article I am missing which shows the syntax for actually specifying the ciphers which will be enabled, and what ciphers are supported?
FTP
Site Admin
Posts: 1918
Joined: Tue Sep 29, 2009 6:09 am

Re: Disabling Weak Ciphers - Windows version

Post by FTP »

The recommended OpenSSL ciphers are:

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

I think those ciphers have no problem for HTTPS/FTPS. Do you mean the ciphers for the SFTP (SSH) protocol? If so, you may use the following ciphers/algorithms:

SFTP Key Exchange Algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

SFTP Encryption Algorithms: aes256-ctr,aes192-ctr,aes128-ctr,chacha20-poly1305@openssh.com

SFTP MAC Algorithms: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
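
Added example, not part of the original posts or Wing FTP Server's own code: a Python check that expands an OpenSSL cipher string such as the one quoted above with the local `ssl` module and flags any enabled suite that lacks AEAD or forward secrecy. It assumes the local Python's OpenSSL build, which may differ from the one the server uses; `LEGACY_SAMPLE`, `expand` and `audit` are names made up for this illustration.

```python
import ssl

# Cipher string quoted in the reply above.
RECOMMENDED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)
# Constructed sample of a looser list, for contrast (not from the thread).
LEGACY_SAMPLE = "ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:" + RECOMMENDED


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites the local OpenSSL enables for a string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not controlled by this string, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Map each enabled suite that fails the checks to its list of reasons."""
    findings = {}
    for c in expand(cipher_string):
        reasons = []
        if not c["aead"]:
            reasons.append("not AEAD (CBC or stream cipher)")
        if c["kea"] not in ("kx-ecdhe", "kx-dhe"):
            reasons.append("no forward secrecy")
        if reasons:
            findings[c["name"]] = reasons
    return findings


if __name__ == "__main__":
    for label, s in (("recommended", RECOMMENDED), ("legacy sample", LEGACY_SAMPLE)):
        print(label, "->", [c["name"] for c in expand(s)])
        for name, reasons in audit(s).items():
            print("  WEAK", name, ":", ", ".join(reasons))
```

The names printed are OpenSSL's own suite names, which differ from the IANA-style names (`TLS_ECDHE_RSA_WITH_...`) that scanners typically report.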
GMHayes
Posts: 2
Joined: Tue Nov 09, 2021 4:47 pm

Re: Disabling Weak Ciphers - Windows version

Post by GMHayes »

My apologies for not being more specific. Yes, I was referring to the OpenSSL ciphers. I applied your suggested list and that seems to have done the trick as far as the test results. Thank you very much!

Is there someplace that I missed where the exact syntax of those selections is documented? I tried to cobble something like that together on my own from the cipher list shown in an IISCrypto scan and the SSL Labs server test site, but things didn't match up.
FTP
Site Admin
Posts: 1918
Joined: Tue Sep 29, 2009 6:09 am

Re: Disabling Weak Ciphers - Windows version

Post by FTP »

You may take a look at this cipher suite table, just check the green (Modern) ciphers for OpenSSL:
https://wiki.mozilla.org/Security/Ciphe ... patibility