Control Cryptographic Protocols Used


sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Control Cryptographic Protocols Used

#1 Post by sam_ok » 2020-01-17 03:51

A recent audit scan reported that FileZilla Server allows SSL connections while TLSv1.2 is not used.

Is it an installed-certificate issue or a FileZilla Server setting issue?

What I want to achieve is as follows:

1. Disable SSL 2.0 and 3.0. Use TLS 1.1 or higher.
2. SSL certificate signed using weak hashing algorithm.
3. SSL Medium Strength Cipher Suites supported (SWEET32). The remote service supports the use of medium strength SSL ciphers. Avoid the use of medium strength ciphers.
4. Configure SSL/TLS servers to only use TLS 1.1/1.2.
5. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers.
6. Disable the use of weak cipher suites.
7. Disable the use of SSL Null cipher suites.
8. Disable the use of SSL/TLS EXPORT_RSA <= 52-bit Cipher Suites Supported (FREAK).

sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Re: Control Cryptographic Protocols Used

#2 Post by sam_ok » 2020-01-17 06:26

When I searched on the web, I found another FTP server product named 'Cerberus'. It is a paid product.

It has the following configuration pages, which determine the SSL/TLS protocols used (e.g. enabling/disabling SSLv3.0/TLSv1.0/TLSv1.1/TLSv1.2) and the SSH security setup (cipher, MAC and active key exchange choices).

Does the latest version of FileZilla Server provide such facilities?

Attachments: server_manager_security_advanced_tls.jpg, server_manager_protocol_ssh.jpg

sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Re: Control Cryptographic Protocols Used

#3 Post by sam_ok » 2020-01-17 07:18

The version we are using is 0.9.44 beta. Is the latest version compliant with TLSv1.2? Are there any options to block SSLv2.0/3.0 and TLSv1.0/1.1?

botg
Site Admin
Posts: 32715
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Control Cryptographic Protocols Used

#4 Post by botg » 2020-01-17 08:37

You need to update to the most recent version of FileZilla Server; outdated versions do not receive any support.

sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Re: Control Cryptographic Protocols Used

#5 Post by sam_ok » 2020-01-17 10:19

I have just installed the latest version of FileZilla Server, 0.9.60 beta. I tested connecting to it with FileZilla Client (latest version, 3.46.3).

First I generated a self-signed certificate with the following parameters:
# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1825 -nodes

On 'FTP over TLS settings', key.pem was assigned as the private key file and cert.pem as the certificate file. I used FileZilla Client to connect to it. When I clicked 'Quickconnect', it showed the certificate's details along with the session details.

Under session details, the protocol is TLS 1.2. That's great! But the cipher is AES-256-GCM. Is it a weak cipher?

boco
Contributor
Posts: 24967
Joined: 2006-05-01 03:28
Location: Germany

Re: Control Cryptographic Protocols Used

#6 Post by boco » 2020-01-17 13:38

To the best of my knowledge, it's a rather strong cipher, used widely (AES-256-CBC would be the weaker one).
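An added example, not FileZilla's code and not from either poster: it classifies OpenSSL cipher-suite names against the scan items listed in post #1 (SWEET32, NULL, EXPORT/FREAK, weak MAC, CBC-mode suites) and builds a Python ssl server context with a TLS 1.2 floor that an audit of its offered suites passes, which is also why AES-256-GCM (an AEAD suite) is not a weak cipher while AES-256-CBC trips the block-cipher item. It assumes Python's standard ssl module on an OpenSSL build that offers ECDHE AES-GCM suites; the finding strings and rule mapping are constructed for this illustration.

```python
import re
import ssl

# Constructed mapping of the thread's scan findings to cipher-suite name tokens.
SWEET32_TOKENS = {"DES", "IDEA", "RC2"}          # 64-bit block ciphers (3DES is "DES-CBC3")
AEAD_PREFIXES = ("GCM", "CCM", "POLY1305")       # modes that are not CBC


def classify_cipher(name):
    """Return the audit findings that apply to one OpenSSL/TLS 1.3 suite name."""
    tokens = set(re.split(r"[-_]", name))        # handles both "ECDHE-RSA-..." and "TLS_AES_..."
    if "NULL" in tokens:
        return ["Null cipher suite"]             # no confidentiality at all; nothing else matters
    findings = []
    if name.startswith("EXP"):
        findings.append("EXPORT-grade suite (FREAK)")
    if tokens & SWEET32_TOKENS:
        findings.append("64-bit block cipher (SWEET32)")
    if "RC4" in tokens:
        findings.append("RC4 stream cipher")
    if "MD5" in tokens:
        findings.append("MD5 MAC")
    aead = any(t.startswith(AEAD_PREFIXES) for t in tokens)
    if not aead and "RC4" not in tokens:
        # Every non-AEAD, non-RC4 suite in TLS 1.2 is a CBC-mode block cipher (e.g. AES256-SHA).
        findings.append("CBC-mode (non-AEAD) suite")
    return findings


def hardened_context():
    """Server context that refuses SSLv3/TLS 1.0/1.1 and offers only AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # items 1 and 4 of the scan
    # Forward-secret AEAD suites only; !aNULL/!eNULL also excludes Null suites (item 7).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def audit_context(ctx):
    """List (suite, protocol, findings) for each offered suite that trips a rule,
    plus a protocol finding if the floor still admits SSLv3/TLS 1.0/1.1."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(("<protocol floor>", str(ctx.minimum_version),
                         ["SSLv3/TLS 1.0/1.1 accepted"]))
    for suite in ctx.get_ciphers():                      # dicts with 'name' and 'protocol'
        findings = classify_cipher(suite["name"])
        if findings:
            problems.append((suite["name"], suite["protocol"], findings))
    return problems


if __name__ == "__main__":
    for suite_name in ("ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA", "DES-CBC3-SHA"):
        print(suite_name, classify_cipher(suite_name) or "OK")
    print("hardened context problems:", audit_context(hardened_context()))
```

The same classification can be run over the cipher list a scanner reports for the FTP port to see which of the eight findings each offered suite maps to.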
