Remove unsecure SHA1 ciphers

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Remy64
500 Command not understood
Posts: 2
Joined: 2021-03-15 23:00
First name: Remy
Last name: Masked

Remove unsecure SHA1 ciphers

#1 Post by Remy64 » 2021-03-15 23:08

Hello,

In the latest FileZilla Server software (0.9.60.2 beta), unsecure ciphers are accepted:

DHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA,DHE-RSA-CAMELLIA128-SHA,DHE-RSA-CAMELLIA256-SHA,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA,AES128-SHA,AES256-SHA,CAMELLIA128-SHA,CAMELLIA256-SHA

They are unsecure because the MAC algorithm is SHA1, which is not secure anymore.

Could you please tell me how I can remove these ciphers?

Thanks,

Best Regards

botg
Site Admin
Posts: 33432
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Remove unsecure SHA1 ciphers

#2 Post by botg » 2021-03-16 08:23

There is currently no way to do this.

Remy64

Re: Remove unsecure SHA1 ciphers

#3 Post by Remy64 » 2021-03-16 20:51

Thanks for your quick answer.

Maybe I am asking too much, but is it possible to make a new version, like 0.9.60.3 beta, that excludes these kinds of ciphers by adding !SHA to line 1092 of the file AsyncSslSocketLayer.cpp?

Like:

pSSL_set_cipher_list(m_ssl, "DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:!SEED:!IDEA:!PSK:!SRP:!SHA");

Instead of:

pSSL_set_cipher_list(m_ssl, "DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:!SEED:!IDEA:!PSK:!SRP");

It's a kind request; you already developed the application and I'm happy to use it for free.

If it's possible, I will be even happier :D

Have a good day

Best Regards
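
Added example (not part of the thread and not FileZilla code): a Python check, using the standard ssl module, of which suites the two cipher strings quoted in post #3 select on the local OpenSSL build and whether any SHA1-MAC suite survives the proposed `!SHA`. The function names are illustrative, and the output reflects the OpenSSL that Python is linked against, not necessarily the one bundled with FileZilla Server 0.9.60.2.

```python
import ssl

# The two cipher strings quoted in post #3 (current line and proposed line).
CURRENT = ("DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4"
           ":!SEED:!IDEA:!PSK:!SRP")
PROPOSED = CURRENT + ":!SHA"


def expand(cipher_string):
    """Map suite name -> OpenSSL description for the suites the string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    return {c["name"]: c["description"] for c in ctx.get_ciphers()}


def uses_sha1_mac(description):
    """True if the OpenSSL description line reports HMAC-SHA1 as the MAC."""
    return "Mac=SHA1" in description.split()


def compare(before, after):
    """Return (suites removed by the change, SHA1-MAC suites still enabled,
    expansion of `before`, expansion of `after`)."""
    old, new = expand(before), expand(after)
    removed = sorted(set(old) - set(new))
    remaining_sha1 = sorted(n for n, d in new.items() if uses_sha1_mac(d))
    return removed, remaining_sha1, old, new


if __name__ == "__main__":
    removed, remaining_sha1, old, new = compare(CURRENT, PROPOSED)
    print(ssl.OPENSSL_VERSION)
    print(f"{len(old)} suites before, {len(new)} after")
    print("Removed by !SHA:")
    for name in removed:
        print("  ", name)
    print("SHA1-MAC suites still enabled:", remaining_sha1 or "none")
```

AEAD suites such as the GCM ones report `Mac=AEAD` and stay enabled; names ending in SHA256 or SHA384 are not matched by the `SHA` keyword, which refers to SHA1 only.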

boco
Contributor
Posts: 25509
Joined: 2006-05-01 03:28
Location: Germany

Re: Remove unsecure SHA1 ciphers

#4 Post by boco » 2021-04-07 15:39

It is not possible to compile a new version of the old server code anymore. To my knowledge, it doesn't compile correctly anymore on a new compiler/linker.

However, there is a completely new server in the works.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###
