How to disable weak or medium SSL ciphers?

Post by FTP »

If you failed a PCI Compliance scan, it doesn't matter, but if you care about it you can disable weak and medium SSL ciphers in Wing FTP Server. Just enable FIPS 140-2 mode and disable TLS v1.0/TLS v1.1 under "Server > Settings > General Settings > Security"; Wing FTP Server will then use only the algorithms approved by the FIPS group (only strong SSL ciphers are allowed). You can also enter the strongest cipher suites under "Server > Settings > General Settings > Security > OpenSSL Cipher Suites":

Code:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

After you change this option, you need to restart the WingFTP service.

Now you can test the strength of the SSL ciphers again with the openssl tool. Most Linux systems install openssl by default; Windows users can download it from here: https://slproweb.com/products/Win32OpenSSL.html


You can type the following commands to check whether the server supports weak or medium SSL ciphers:

Code:

openssl s_client -connect mydomain.com:443 -cipher EXP:LOW
openssl s_client -connect mydomain.com:443 -cipher EXP:MEDIUM

If weak or medium SSL ciphers are not supported, you will get an error like this:

Code:

CONNECTED(00000003)
140004449822376:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

Otherwise, you will get a result like this:

Code:

CONNECTED(00000003)
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
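
A wrapper for the two checks above, as an added example that is not part of the original post (the function names and verdict words are assumptions of this sketch). It covers two cases the raw commands can misreport with a current openssl client: OpenSSL 1.1.0 and later no longer contain the EXP and LOW suites, so the first command can fail locally with "no cipher match" before anything is offered to the server, and `-cipher` does not restrict TLS 1.3, so a handshake can succeed with a strong TLS 1.3 suite unless `-no_tls1_3` is given.

```shell
# Added example, not from the original post; function names and verdict
# words are assumptions of this sketch.

# Read captured `openssl s_client` output on stdin and print a verdict.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no cipher match'; then
        # The local openssl has none of the requested suites compiled in,
        # so nothing was offered to the server.
        echo INCONCLUSIVE
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Za-z0-9_-]+'; then
        echo ACCEPTED       # a suite from the class was negotiated
    elif printf '%s\n' "$out" | grep -Eq 'handshake failure|Cipher is \(NONE\)'; then
        echo REJECTED       # TCP connected, but no suite in common
    else
        echo INCONCLUSIVE   # refused connection, DNS error, timeout, ...
    fi
}

# Probe one cipher class. -no_tls1_3 keeps the handshake at TLS 1.2 or
# lower, the only versions -cipher restricts (flag needs OpenSSL 1.1.1+).
probe_class() {   # usage: probe_class host:port CLASS
    openssl s_client -connect "$1" -cipher "$2" -no_tls1_3 </dev/null 2>&1 |
        classify_handshake
}

# Run the page's two checks against one server.
audit_server() {  # usage: audit_server mydomain.com:443
    for class in EXP:LOW EXP:MEDIUM; do
        echo "$class: $(probe_class "$1" "$class")"
    done
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.2, Cipher is DES-CBC3-SHA'
SAMPLE_REJECTED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)'
SAMPLE_LOCAL='error:0A0000B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match'
```

Source the file and run `audit_server mydomain.com:443` after restarting the WingFTP service; only a REJECTED verdict shows that the server refused the class.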