Weak SSL Cipher support revisited
Moderator: Project members
- 500 Command not understood
- Posts: 2
- Joined: 2009-11-24 21:20
- First name: David
- Last name: Shpritz
Weak SSL Cipher support revisited
Hello,
Unfortunately I have customers who are required to go through PCI compliance scans. One of the more recent scans flagged the FileZilla server for weak SSL cipher support. Currently the server is running the latest version (0.9.33), so this means no SSLv2; however, when testing (OpenSSL, perl and ServerSniff.net) I see the following:
DES-CBC-SHA -- 56 bits, Low Encryption
Which is being flagged by the scanning vendor. Are there plans to remove support for the 56-bit cipher or perhaps a workaround? I know PCI can be BS, but the customers don't really have a choice if they want to keep processing credit cards.
Thank you in advance,
Dave
Re: Weak SSL Cipher support revisited
I'm really interested in this concern. Thank you for leveraging this question.
Sol
- 500 Command not understood
- Posts: 1
- Joined: 2009-11-30 14:14
- First name: Andreas
- Last name: Knutsson
Re: Weak SSL Cipher support revisited
Hi,
I have the same issue. Our company is PCI DSS certified and we would like to use Filezilla Server. We use Qualys as security scanner and this is the result:
Level 3 vulnerabilities are not allowed for PCI DSS compliance.
Best regards,
Andreas
- 500 Command not understood
- Posts: 4
- Joined: 2009-12-29 20:13
- First name: Andrew
- Last name: Savala
Re: Weak SSL Cipher support revisited
Having the same issue with Qualys saying our FileZilla server is using the following "WEAK Ciphers": DES-CBC-SHA and DES-CBC-SHA
Re: Weak SSL Cipher support revisited
These ciphers will be disabled in the next version of FileZilla Server. I thought I had disabled them already by disallowing SSLv2, but somehow OpenSSL did still pull them in for some reason.
I sat down with the library and had a stern talk with it about ciphers.
- 500 Command not understood
- Posts: 4
- Joined: 2009-12-29 20:13
- First name: Andrew
- Last name: Savala
Re: Weak SSL Cipher support revisited
I really appreciate it, thanks. Does the next release have an estimated date by chance?
Re: Weak SSL Cipher support revisited
This year.
- 500 Command not understood
- Posts: 4
- Joined: 2009-12-29 20:13
- First name: Andrew
- Last name: Savala
Re: Weak SSL Cipher support revisited
Excellent. Glad to hear I got in under the wire. Thanks again!
Re: Weak SSL Cipher support revisited
botg wrote: This year.
You have plenty of time --- or not?
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
- 500 Command not understood
- Posts: 2
- Joined: 2009-03-19 13:20
- First name: Jeff
- Last name: Carter
Re: Weak SSL Cipher support revisited
Thanks. Much appreciated here as well.
- 500 Command not understood
- Posts: 2
- Joined: 2009-11-24 21:20
- First name: David
- Last name: Shpritz
Re: Weak SSL Cipher support revisited
This is why I love open source. Thanks much!
Dave