Hi,
When I scan the FTPS port of Wing FTP Server for PCI DSS compliance, I get the following error: "SSL Server Supports Weak Encryption Vulnerability", with the following explanation:
SSL encryption ciphers are classified based on encryption key length as follows:
HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits
So I would like to know if it is possible to disable the use of some ciphers in FTPS, or of some key lengths?
Regards,
Jean-Philippe
Low encryption ciphers
-
- Site Admin
- Posts: 2087
- Joined: Tue Sep 29, 2009 6:09 am
Re: Low encryption ciphers
The default SSL certificate has a 1024-bit key; you can create a self-signed certificate yourself with a longer key. It supports 1024-bit, 2048-bit and 4096-bit.
-
- Posts: 2
- Joined: Tue Oct 05, 2010 2:16 pm
Re: Low encryption ciphers
I am not talking about the RSA certificate key but about the symmetric key used inside the SSL protocol.
For instance, with Tomcat, to prevent it from using small symmetric keys I select the following ciphers with these configuration lines:
sslProtocol="SSLv3"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
I want to do the same with wing ftp server.
Regards,
Jean-Philippe
-
- Site Admin
- Posts: 2087
- Joined: Tue Sep 29, 2009 6:09 am
Re: Low encryption ciphers
Yes, I know. There is a global option to disable "SSLv2", but there is no option to disable "weak SSL cipher suites".
We use OPENSSL and it supports the following cipher suites:
SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
The above cipher suites range from weak to strong ciphers, so the server can be compatible with most client software.
And I think you needn't care about the scanner's result so much, because secure transfer also depends on the client software: if the client software uses a strong cipher, the server will respond with the same cipher.
BTW, if you want to make transfers more secure, just CHECK ON the global option "Disable SSLv2".
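To see how the scanner's key-length rule from the first post applies to the suite list the vendor gives above, and to the three suites in the Tomcat `ciphers=` line earlier in the thread, here is an added audit script. It is not code from the thread or from Wing FTP Server; it parses the vendor's table as posted (the OpenSSL short names are copied verbatim, including `EDH-DSS-CBC-SHA`), assigns each suite the nominal key length of its bulk cipher, classifies it as HIGH/MEDIUM/LOW exactly as the scanner describes, and builds the colon-separated OpenSSL cipher string a server configured with such an option would need. The key-size table is an assumption based on the standard algorithm key sizes, with 3DES counted at its nominal 168 bits because that is what a key-length rule sees.

```python
import re
from typing import Iterable, List, Tuple

# Cipher suite table as posted by the vendor above: "<IANA-style name> <OpenSSL name>" per line.
SERVER_SUITES = """\
SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
"""

# The three suites selected in the Tomcat configuration quoted earlier in the thread.
TOMCAT_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Nominal symmetric key length per bulk-cipher token (assumption: standard algorithm key sizes).
# 3DES is counted at its nominal 168 bits, which is what a key-length rule sees; its effective
# strength is lower, so a nominal-length classification is generous towards 3DES.
BULK_KEY_BITS = {
    "NULL": 0,
    "RC4_40": 40,
    "RC2_CBC_40": 40,
    "DES40_CBC": 40,
    "DES_CBC": 56,
    "RC4_128": 128,
    "IDEA_CBC": 128,
    "3DES_EDE_CBC": 168,
}

RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def bulk_key_bits(suite: str) -> int:
    """Extract the bulk-cipher token between '_WITH_' and the MAC suffix and look up its key size."""
    m = re.fullmatch(r"(?:SSL|TLS)_.+?_WITH_(.+)_(MD5|SHA|SHA256|SHA384)", suite)
    if not m or m.group(1) not in BULK_KEY_BITS:
        raise ValueError(f"unrecognised suite name: {suite}")
    return BULK_KEY_BITS[m.group(1)]


def strength(bits: int) -> str:
    """The scanner's rule from the first post: >128 HIGH, ==128 MEDIUM, <128 LOW."""
    if bits > 128:
        return "HIGH"
    if bits == 128:
        return "MEDIUM"
    return "LOW"


def parse_suite_table(text: str) -> List[Tuple[str, str]]:
    """Parse '<IANA name> <OpenSSL name>' lines into (iana, openssl) pairs, skipping blanks."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def audit(text: str) -> List[Tuple[str, str, int, str]]:
    """Classify every suite in the table: (iana, openssl, key bits, HIGH/MEDIUM/LOW)."""
    return [(iana, ossl, bulk_key_bits(iana), strength(bulk_key_bits(iana)))
            for iana, ossl in parse_suite_table(text)]


def allowed_cipher_string(text: str, minimum: str = "HIGH") -> str:
    """OpenSSL cipher string keeping only suites at or above the given class, table order preserved."""
    return ":".join(ossl for _, ossl, _, cls in audit(text) if RANK[cls] >= RANK[minimum])


def flagged(suites: Iterable[str], minimum: str = "HIGH") -> List[Tuple[str, str]]:
    """Suites from a configured list that the scanner would still report below the threshold."""
    return [(s, strength(bulk_key_bits(s))) for s in suites
            if RANK[strength(bulk_key_bits(s))] < RANK[minimum]]


if __name__ == "__main__":
    for iana, ossl, bits, cls in audit(SERVER_SUITES):
        print(f"{cls:6} {bits:3d} bits  {iana:40} {ossl}")
    print("HIGH-only OpenSSL string:", allowed_cipher_string(SERVER_SUITES, "HIGH"))
    print("Tomcat list still flagged:", flagged(TOMCAT_SUITES, "HIGH"))
```

Run as-is, the audit puts 10 of the vendor's 16 suites in LOW (the NULL, export, and single-DES suites), 3 in MEDIUM (RC4-128 and IDEA) and 3 in HIGH (the 3DES suites), so a HIGH-only server would offer just `DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA`. Note that under the same rule the two RC4-128 suites in the Tomcat line are MEDIUM, so that configuration still trips a scanner that objects to MEDIUM as well as LOW.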
-
- Site Admin
- Posts: 2087
- Joined: Tue Sep 29, 2009 6:09 am
Re: Low encryption ciphers
Again, we support FIPS 140-2 too; you can enable it by checking the global option "Enable FIPS 140-2 Mode". After checking it, you need to create the SSL certificate again.
-
- Posts: 6
- Joined: Mon Nov 22, 2010 7:09 pm
Re: Low encryption ciphers
We also need to be able to disable low and medium encryption ciphers. Will enabling FIPS 140-2 do that, or can you provide another method to do this?
-
- Site Admin
- Posts: 2087
- Joined: Tue Sep 29, 2009 6:09 am
Re: Low encryption ciphers
Currently there is no other method, but maybe we will consider it in a future version.
-
- Posts: 2
- Joined: Wed Dec 05, 2012 1:56 pm
Re: Low encryption ciphers
*bump* LOL
I was wondering if it's possible to disable weak encryption keys in version 4.1.1.
After all, it's been 2 years ;)
Looking forward to your reply.
Thank you.
David
-
- Site Admin
- Posts: 2087
- Joined: Tue Sep 29, 2009 6:09 am
Re: Low encryption ciphers
Did you read the above posts?
Again, we support FIPS 140-2 too; you can enable it by checking the global option "Enable FIPS 140-2 Mode". After checking it, you need to create the SSL certificate again.
-
- Posts: 2
- Joined: Wed Dec 05, 2012 1:56 pm
Re: Low encryption ciphers
We also need to be able to disable low and medium encryption ciphers. Will enabling FIPS 140-2 do that, or can you provide another method to do this?