Weak SSL Cipher support revisited

[dasfx]

Hello,
Unfortunately I have customers which are required to go through PCI compliance scans. One of the more recent scans flagged the FileZilla server for weak SSL cipher support. Currently the server is running the latest version (0.9.33), so this means no SSLv2, however when testing (OpenSSL, perl and ServerSniff.net) I see the following:
DES-CBC-SHA -- 56 bits, Low Encryption

Which is being flagged by the scanning vendor. Are there plans to remove support for the 56-bit cipher or perhaps a workaround? I know PCI can be BS, but the customers doesn't really have a choice if they want to keep processing credit cards.

Thank you in advance,

Dave

[Solido]

I'm really interested in this concern. Thank you for leverage this question.
Sol

[cyberknutte]

Hi,

I have the same issue. Our company is PCI DSS certified and we would like to use Filezilla Server. We use Qualys as security scanner and this is the result:




Level 3 vulnerabilities is not allowed for PCI DSS compliance.

Best regards,
Andreas

[redswimmer]

Having the same issue with Qualys saying our FileZilla server is using the following "WEAK Ciphers": DES-CBC-SHA and DES-CBC-SHA

[botg]

These ciphers will be disabled in the next version of FileZilla Server. I thought had disabled them already by disallowing SSLv2, but somehow OpenSSL did still pull them in for some reason.

I sat down with the library and had a stern talk with it about ciphers.

[redswimmer]

I really appreciate it, thanks. Does the next release have an estimated date by chance?

[botg]

This year.

[redswimmer]

Excellent. Glad to hear I got in under the wire. Thanks again!

[boco]

This year.

You have plenty of time --- or not?

[monorailpilot]

Thanks. Much appreciated here as well.

[dasfx]

This is why I love open source. Thanks much!

Dave