I am having a problem passing the PCI compliance vulnerability scan on our servers because FileZilla Server (v0.9.50 and v0.9.43) supports the TLSv1.0 protocol, and unfortunately the PCI Security Standards Council and the National Institute of Standards and Technology have recently determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography!
I am not aware of any setting in FileZilla that would let me disable the TLSv1.0 protocol. Does anyone know if/how that can be done? I see that back in 2012 darob100 opened a new feature ticket asking for this option, but I don't think it was actioned. Without that option I'll have no choice but to find an alternative to FileZilla Server, and that really sucks as FileZilla is just a great piece of software.
If anyone else is in the same boat as me, using FileZilla Server in the environments of merchants who accept credit cards: from what I can see, the decision that the TLSv1.0 protocol no longer meets the definition of strong cryptography is from the 15th of April 2015, so you'll probably not be aware of the issue until it is flagged in your next PCI scan.
I've included below the report details for that issue and, for anyone it concerns, the link to the document showing why the PCI council doesn't like TLSv1.0 anymore and what one should do about it.
Thanks.
1 TLSv1.0 Supported 5.00 Medium Fail Port: tcp/50000
This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.
CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N
Service: filezilla:filezilla
Reference:
https://www.pcisecuritystandards.org/do ... ent_v1.pdf
https://www.pcisecuritystandards.org/pd ... elease.pdf
https://www.trustwave.com/Resources/Spi ... =0&month=0
Evidence:
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : CAMELLIA256-SHA
Cipher Suite: TLSv1 : AES128-SHA
Cipher Suite: TLSv1 : SEED-SHA
Cipher Suite: TLSv1 : CAMELLIA128-SHA
Cipher Suite: TLSv1 : IDEA-CBC-SHA
Remediation:
The server should be configured to disable the use of the TLSv1.0 protocol in favor of cryptographically stronger protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding. Organizations that are seeking to remain PCI compliant while continuing to use TLSv1.0-enabled services before June 30th, 2016 will need to dispute this finding and demonstrate that they have a formal risk mitigation and migration plan.
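The remediation text boils down to one verifiable property: the service must answer a TLSv1.0 ClientHello with a rejection rather than a ServerHello. The script below is an added example for this thread (not code from the original post, from FileZilla Server, or from the scanner): it hand-builds a minimal ClientHello per protocol version, offering exactly the six cipher suites listed in the scan evidence, and classifies the server's first reply. It assumes the scanned port (tcp/50000) is an explicit FTPS control port, so it can optionally send `AUTH TLS` first before starting the handshake; the `ftp` flag, the `probe`/`classify_reply` names and the embedded sample replies are all constructed for the example, not captured from a real server.

```python
"""Probe which TLS protocol versions a service accepts by sending a minimal
ClientHello per version and classifying the server's first reply.
Added example for this thread; not part of FileZilla Server or the PCI scanner."""
import os
import socket
import struct
import sys

# Protocol versions as they appear in the TLS record and handshake headers.
TLS_VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
VERSION_NAMES = {v: k for k, v in TLS_VERSIONS.items()}

# The six suites from the scan evidence (IANA code points), so the probe offers
# exactly what the scanner negotiated and a rejection is about the version, not the suite.
CIPHER_SUITES = {
    0x0035: "AES256-SHA", 0x0084: "CAMELLIA256-SHA", 0x002F: "AES128-SHA",
    0x0096: "SEED-SHA", 0x0041: "CAMELLIA128-SHA", 0x0007: "IDEA-CBC-SHA",
}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version):
    """Return one TLS record carrying a ClientHello for `version`, e.g. (3, 1) for TLSv1.0."""
    body = bytes(version) + os.urandom(32) + b"\x00"            # client_version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites              # cipher_suites vector
    body += b"\x01\x00"                                          # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 24-bit length
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data, requested):
    """Classify the first record the server sent back after our ClientHello.
    Returns (status, detail): ('accepted', 'TLSv1.0 AES256-SHA'), ('downgraded', ...),
    ('rejected', 'alert protocol_version') or ('unknown', ...)."""
    if len(data) < 5:
        return ("unknown", "short or empty reply (connection closed?)")
    rtype = data[0]
    if rtype == 0x15 and len(data) >= 7:                         # Alert record: level, description
        return ("rejected", "alert " + ALERTS.get(data[6], str(data[6])))
    if rtype == 0x16 and len(data) >= 44 and data[5] == 0x02:    # Handshake record, ServerHello
        ver = (data[9], data[10])                                # server_version
        sid_len = data[43]                                       # after 2-byte version + 32-byte random
        if len(data) < 46 + sid_len:
            return ("unknown", "truncated ServerHello")
        suite = struct.unpack("!H", data[44 + sid_len:46 + sid_len])[0]
        detail = "%s %s" % (VERSION_NAMES.get(ver, str(ver)), CIPHER_SUITES.get(suite, hex(suite)))
        return ("accepted" if ver == requested else "downgraded", detail)
    return ("unknown", "record type 0x%02x" % rtype)


def ftp_reply(sock):
    """Read a complete FTP control reply and return its 3-digit code (handles multi-line replies)."""
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("FTP control connection closed")
        buf += chunk
        for line in buf.split(b"\r\n")[:-1]:                     # only complete lines
            if len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" ":
                return line[:3].decode()


def probe(host, port, version_name, explicit_ftp=False, timeout=5.0):
    """Try one protocol version against host:port. With explicit_ftp=True the probe first
    sends AUTH TLS on the control channel (RFC 4217), which is how an explicit FTPS port
    is upgraded to TLS before the handshake; plain TLS ports skip that step."""
    requested = TLS_VERSIONS[version_name]
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if explicit_ftp:
            if ftp_reply(sock) != "220":
                return ("unknown", "no FTP banner")
            sock.sendall(b"AUTH TLS\r\n")
            if ftp_reply(sock) != "234":
                return ("unknown", "AUTH TLS refused")
        sock.sendall(build_client_hello(requested))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_reply(data, requested)


# Constructed sample replies (not captured from any real server) so the classifier can be
# exercised offline: a ServerHello choosing TLSv1.0 + AES256-SHA, and the protocol_version
# alert a server with TLSv1.0 disabled sends back.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x01\x00\x2a"              # record: handshake, 42 bytes
                       + b"\x02\x00\x00\x26"                # ServerHello, 38-byte body
                       + b"\x03\x01" + b"\x00" * 32         # server_version TLSv1.0, random
                       + b"\x00" + b"\x00\x35" + b"\x00")   # empty session id, AES256-SHA, null compression
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"              # alert: fatal, protocol_version (70)

if __name__ == "__main__":
    print("offline check:", classify_reply(SAMPLE_SERVER_HELLO, (3, 1)), classify_reply(SAMPLE_ALERT, (3, 1)))
    if len(sys.argv) >= 3:  # usage: python tlsprobe.py HOST PORT [ftp]
        host, port = sys.argv[1], int(sys.argv[2])
        ftp = len(sys.argv) > 3 and sys.argv[3] == "ftp"
        for name in TLS_VERSIONS:
            print(name, *probe(host, port, name, explicit_ftp=ftp))
```

Run it against the scanned host (`python tlsprobe.py HOST 50000 ftp`) before and after the change: the finding is closed only when `TLSv1.0` comes back as `rejected` while `TLSv1.1` or `TLSv1.2` still comes back `accepted`. Two readings need care: an `alert handshake_failure` can mean the server simply has none of the six offered suites rather than that the version is off, and some servers drop the connection instead of sending an alert, which shows up here as `unknown` with an empty reply; both are still a pass for this finding only if the higher versions negotiate.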