How to disable support for the TLSv1.0 protocol for PCI Compliancy?

Badaboom
500 Command not understood
Posts: 2
Joined: 2015-04-22 12:09

How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#1 Post by Badaboom » 2015-04-28 12:14

Hi folks,

I am having a problem passing the PCI compliancy vulnerability scan on our servers because FileZilla Server (v0.9.50 and v0.9.43) supports the TLSv1.0 protocol and unfortunately the PCI Security Standards Council and National Institute of Standards and Technology have recently determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography!
I am not aware of any settings in FileZilla that would let me disable the TLSv1.0 protocol. Does anyone know if/how that can be done? I see that back in 2012 darob100 opened a new feature ticket asking for this option but I don't think it was actioned? Without that option I'll have no choice but to find an alternative to FileZilla Server and that really sucks as FileZilla is just a great piece of software.
If anyone else is in the same boat as me, using FileZilla Server in the environments of merchants who accept credit cards: from what I can see, the decision that the TLSv1.0 protocol no longer meets the definition of strong cryptography is from the 15th of April 2015, so you'll probably not be aware of that issue until it is flagged in your next PCI scan.
I've included below the report details for that issue and, for anyone it concerns, the link to the document showing why the PCI council doesn't like TLSv1.0 anymore and what one should do about it.

Thanks.
1 TLSv1.0 Supported 5.00 Medium Fail Port: tcp/50000
This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N
Service: filezilla:filezilla

Reference:
https://www.pcisecuritystandards.org/do ... ent_v1.pdf
https://www.pcisecuritystandards.org/pd ... elease.pdf
https://www.trustwave.com/Resources/Spi ... =0&month=0

Evidence:
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : CAMELLIA256-SHA
Cipher Suite: TLSv1 : AES128-SHA
Cipher Suite: TLSv1 : SEED-SHA
Cipher Suite: TLSv1 : CAMELLIA128-SHA
Cipher Suite: TLSv1 : IDEA-CBC-SHA

Remediation:
The server should be configured to disable the use of the TLSv1.0 protocol in favor of cryptographically stronger protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding. Organizations that are seeking to remain PCI compliant while continuing to use TLSv1.0 enabled services before June 30th, 2016 will need to dispute this finding and demonstrate that they have a formal risk mitigation and migration plan.

d.larson
500 Command not understood
Posts: 2
Joined: 2015-05-15 15:09
First name: D
Last name: Larson

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#2 Post by d.larson » 2015-05-15 15:51

Hello, I just thought I would chime in on this topic as well for the same reasons as the OP. My company recently ran a PCI compliance scan and it flagged FTP ports 21 and 990 for allowing TLS1.0. It would be great if there was a way to disable TLS 1.0 on FZS.

I found this feature request from 2012. http://trac.filezilla-project.org/ticket/8059

d.larson
500 Command not understood
Posts: 2
Joined: 2015-05-15 15:09
First name: D
Last name: Larson

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#3 Post by d.larson » 2015-05-26 12:00

For those running across this thread, I figured I'd follow up here. The feature request I referenced in my last post has been accepted. There will be TLS settings in the next version of FZS. W00t!
In the next version of FileZilla Server you will be able to configure the minimum required TLS version via the "Minimum TLS version" entry in the settings file. Values 0, 1 and 2 are supported, corresponding to TLS 1.0, 1.1 and 1.2.
The FileZilla team is great!

Badaboom
500 Command not understood
Posts: 2
Joined: 2015-04-22 12:09

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#4 Post by Badaboom » 2015-05-26 14:03

d.larson wrote: The FileZilla team is great!
I agree, it will be great to have this option now to specify the minimum TLS version. Thanks guys.

paule123
504 Command not implemented
Posts: 7
Joined: 2014-11-05 18:30

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#5 Post by paule123 » 2015-06-29 20:04

I have just updated to 0.9.53 - I can't find this minimum TLS setting in the FileZilla Server.xml settings file... the release notes for the previous version 0.9.52 say it's been implemented.

botg
Site Admin
Posts: 35558
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#6 Post by botg » 2015-06-29 20:55

Make sure to change a setting in FileZilla Server at least once; that results in an updated FileZilla Server.xml.

paule123
504 Command not implemented
Posts: 7
Joined: 2014-11-05 18:30

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#7 Post by paule123 » 2015-06-30 15:04

botg wrote: Make sure to change a setting in FileZilla Server at least once; that results in an updated FileZilla Server.xml.
Ok, I changed a setting and now see it at the bottom of the XML.

Code:

 <Item name="Minimum TLS version" type="numeric">0</Item>
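As an added example (not from this thread or from the FileZilla project), here is a Python helper that reads a FileZilla Server.xml-style settings file, reports the configured minimum TLS version using the 0/1/2 mapping given earlier in the thread, and raises it to 2 (TLS 1.2); it also covers the case from post #6, where the item is absent because the server has not rewritten the file yet. The element names around the item and the `SAMPLE_XML` contents are constructed assumptions, not the real file layout.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of a FileZilla Server.xml; the element
# names around the "Minimum TLS version" item are assumptions, not the real file.
SAMPLE_XML = """<FileZillaServer>
  <Settings>
    <Item name="Serverports" type="string">21</Item>
    <Item name="Minimum TLS version" type="numeric">0</Item>
  </Settings>
</FileZillaServer>
"""

ITEM_NAME = "Minimum TLS version"
# Mapping stated in the thread: 0, 1, 2 -> TLS 1.0, 1.1, 1.2
VERSION_NAMES = {0: "TLS 1.0", 1: "TLS 1.1", 2: "TLS 1.2"}


def find_item(root):
    """Return the <Item> carrying the minimum-TLS setting, or None."""
    for item in root.iter("Item"):
        if item.get("name") == ITEM_NAME:
            return item
    return None


def current_minimum(xml_text):
    """Name of the configured minimum TLS version, or None if the item is
    absent (the server has not rewritten the settings file yet) or malformed."""
    item = find_item(ET.fromstring(xml_text))
    if item is None or not (item.text or "").strip().isdigit():
        return None
    return VERSION_NAMES.get(int(item.text.strip()))


def harden(xml_text, minimum=2):
    """Return (new_xml, status). status is "missing" when the item is not
    there (change any setting in the server interface first, then retry),
    "unchanged" when it is already at least `minimum`, else "changed".
    The server service must be restarted for the new value to take effect."""
    root = ET.fromstring(xml_text)
    item = find_item(root)
    if item is None:
        return xml_text, "missing"
    current = int(item.text.strip()) if (item.text or "").strip().isdigit() else -1
    if current >= minimum:
        return xml_text, "unchanged"
    item.text = str(minimum)
    return ET.tostring(root, encoding="unicode"), "changed"
```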

jc_ryan
500 Command not understood
Posts: 2
Joined: 2015-09-02 14:22
First name: JC
Last name: Ryan

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#8 Post by jc_ryan » 2015-09-02 14:28

I have made the changes in the XML file and I'm still getting dinged for allowing TLS 1.0 but only on port 990. Is there something else I should be doing?

Thanks.

nmap results:

Code:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-02 10:19 Eastern Daylight Time
Nmap scan report for *************
Host is up (0.060s latency).
PORT    STATE SERVICE
990/tcp open  ftps
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
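An added example (not the poster's or the project's code): a Python parser for nmap's ssl-enum-ciphers output like the listing above, reporting which protocol versions the service actually offers, which of them fall below a chosen minimum, and which ciphers nmap rated as anything other than strong. The `SAMPLE_NMAP` text is a constructed, abbreviated excerpt modelled on the output above.

```python
import re

# Constructed, abbreviated excerpt modelled on nmap 6.47 ssl-enum-ciphers output.
SAMPLE_NMAP = """\
PORT    STATE SERVICE
990/tcp open  ftps
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
"""

PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_PROTO_RE = re.compile(r"^\|\s{3}(SSLv\d|TLSv1\.\d):\s*(.*)$")
_CIPHER_RE = re.compile(r"^\|\s{7}(TLS_\S+) - (\w+)")


def parse_ssl_enum(text):
    """Map each protocol that actually offered ciphers to [(cipher, rating)]."""
    offered, current = {}, None
    for line in text.splitlines():
        m = _PROTO_RE.match(line)
        if m:
            name, rest = m.groups()
            # "No supported ciphers found" means the version is not offered
            current = None if rest.startswith("No supported ciphers") else name
            if current:
                offered[current] = []
            continue
        m = _CIPHER_RE.match(line)
        if m and current:
            offered[current].append((m.group(1), m.group(2)))
    return offered


def protocols_below(offered, minimum="TLSv1.2"):
    """Offered protocol versions older than `minimum`, oldest first."""
    cutoff = PROTOCOL_ORDER.index(minimum)
    return [p for p in PROTOCOL_ORDER[:cutoff] if p in offered]


def weak_ciphers(offered):
    """(protocol, cipher) pairs nmap rated as anything other than 'strong'."""
    return [(p, c) for p, cs in offered.items() for c, r in cs if r != "strong"]
```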

botg
Site Admin
Posts: 35558
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#9 Post by botg » 2015-09-02 15:19

You didn't restart the server service.

jc_ryan
500 Command not understood
Posts: 2
Joined: 2015-09-02 14:22
First name: JC
Last name: Ryan

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#10 Post by jc_ryan » 2015-09-02 18:30

Indeed I did not. I thought I could lightning-bolt it on and off from the server interface window.

Thanks much.

gvancott
500 Command not understood
Posts: 1
Joined: 2016-03-25 17:52
First name: Gary
Last name: Van Cott

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#11 Post by gvancott » 2016-03-25 17:55

I have the FileZilla Client on my system (which does not have a web server) and I am getting the error in the Trustwave PCI scan described here. Can the FileZilla Client be the source of this problem?
Thanks,

Gary

botg
Site Admin
Posts: 35558
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#12 Post by botg » 2016-03-25 18:05

To my knowledge these scanners only ever test the server services, so the client used wouldn't have any impact.

When performing the scan, did the scan tool tell you to repeatedly connect using the FileZilla client to an address given to you by the scan software? If yes, the client got scanned. If not, only the server got scanned.

KenSierra
500 Command not understood
Posts: 3
Joined: 2018-07-27 09:42
First name: Ken
Last name: Gurusamy

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#13 Post by KenSierra » 2018-08-01 04:02

Can I double confirm that if we set "Minimum TLS version" to 2, FileZilla will only connect using TLS v1.2?

We are having PCI security issues:

990/tcp open ftps
| ssl-enum-ciphers:
|   TLSv1.0:

Thanks
Attachment: TLS Setting.JPG

botg
Site Admin
Posts: 35558
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#14 Post by botg » 2018-08-01 05:47

Yes, if set to 2, the minimum TLS version used is 1.2.

KenSierra
500 Command not understood
Posts: 3
Joined: 2018-07-27 09:42
First name: Ken
Last name: Gurusamy

Re: How to disable support for the TLSv1.0 protocol for PCI Compliancy?

#15 Post by KenSierra » 2018-08-02 10:00

Thank you very much !! :D
