Hello,
On the latest FileZilla Server software (0.9.60.2 beta) there are insecure ciphers accepted:
DHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA,DHE-RSA-CAMELLIA128-SHA,DHE-RSA-CAMELLIA256-SHA,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA,AES128-SHA,AES256-SHA,CAMELLIA128-SHA,CAMELLIA256-SHA
These are insecure because the MAC algorithm is SHA1, which is not secure anymore.
Could you please tell me how I can remove these ciphers?
Thanks,
Best Regards
Remove insecure SHA1 ciphers
Re: Remove insecure SHA1 ciphers
There is currently no way to do this.
Re: Remove insecure SHA1 ciphers
Thanks for your quick answer.
Maybe I ask too much, but is it possible to make a new version like 0.9.60.3 beta that excludes these kinds of ciphers by adding !SHA to line 1092 of the file AsyncSslSocketLayer.cpp?
Like:
pSSL_set_cipher_list(m_ssl, "DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:!SEED:!IDEA:!PSK:!SRP:!SHA");
Instead of:
pSSL_set_cipher_list(m_ssl, "DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:!SEED:!IDEA:!PSK:!SRP");
It's a kind request; you already developed the application and I'm happy to use it for free.
If it's possible I will be even happier.
Have a good day
Best Regards
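To see what the proposed ":!SHA" suffix actually does to the cipher string quoted above, here is an added example (not FileZilla's code) that feeds both strings to OpenSSL through Python's ssl module and compares the enabled suites; the FLAGGED list is the one from the first post, and the MAC is read from OpenSSL's own cipher description.

```python
"""Added example: effect of appending ':!SHA' to the FileZilla Server cipher
string. Uses Python's ssl module, which wraps the same OpenSSL cipher-list
parser that SSL_set_cipher_list() uses."""
import re
import ssl

# Cipher string as quoted from AsyncSslSocketLayer.cpp in the post above.
ORIGINAL = ("DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:"
            ":!SEED:!IDEA:!PSK:!SRP".replace("::", ":"))
# Proposed change: 'SHA' (alias 'SHA1') is OpenSSL's keyword for suites whose
# record MAC is HMAC-SHA1; '!' bans them permanently within the string.
PROPOSED = ORIGINAL + ":!SHA"

# Suites the original poster's scanner flagged (first post of the thread).
FLAGGED = ("DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA", "DHE-RSA-CAMELLIA128-SHA",
           "DHE-RSA-CAMELLIA256-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
           "AES128-SHA", "AES256-SHA", "CAMELLIA128-SHA", "CAMELLIA256-SHA")


def enabled_suites(cipher_string):
    """Return {suite name: MAC} for the TLS <= 1.2 suites OpenSSL enables for
    this string. The MAC comes from OpenSSL's description line, which looks
    like 'ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError only if nothing matches
    suites = {}
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":  # TLS 1.3 suites are not governed by this string
            continue
        m = re.search(r"Mac=(\S+)", c["description"])
        suites[c["name"]] = m.group(1) if m else "?"
    return suites


def sha1_mac_suites(cipher_string):
    """Names of enabled suites whose MAC is HMAC-SHA1, sorted."""
    return sorted(n for n, mac in enabled_suites(cipher_string).items() if mac == "SHA1")


def still_offered(cipher_string, names=FLAGGED):
    """Which of the flagged suites would still be offered under this string?"""
    enabled = enabled_suites(cipher_string)
    return [n for n in names if n in enabled]


if __name__ == "__main__":
    before, after = enabled_suites(ORIGINAL), enabled_suites(PROPOSED)
    print(f"{len(before)} suites before, {len(after)} after '!SHA'")
    print("Removed by '!SHA':", sorted(set(before) - set(after)))
    print("Flagged suites still offered:", still_offered(PROPOSED))
```

The exact counts depend on the OpenSSL build and its security level, but the suites removed by "!SHA" are always exactly those whose MAC is SHA1, and none of the flagged suites survive.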
Re: Remove insecure SHA1 ciphers
It is not possible to compile a new version of the old server code anymore. To my knowledge, it doesn't compile correctly anymore on a new compiler/linker.
However, there is a completely new server in the works.
Re: Remove insecure SHA1 ciphers
Hello,
I see that you posted RC3 of the new FileZilla Server.
I installed it and ran a security test on it; the result is that there are still unsafe ciphers authorized (SHA1 and CBC on TLS 1.2) and an unsafe protocol activated (TLSv1.0).
Complete list:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - Unsafe
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - Unsafe
| compressors:
| NULL
| cipher preference: client
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - Unsafe
| TLS_ECDHE_ECDSA_WITH_AES_128_CCM (secp256r1) - Safe
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - Safe
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - Unsafe
| TLS_ECDHE_ECDSA_WITH_AES_256_CCM (secp256r1) - Safe
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - Safe
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - Safe
More details on the https://ciphersuite.info website.
Is it possible to remove unsafe protocols/ciphers?
I didn't find the new source code or a new compilation procedure, so I can't help you more on this point (but if you need it, please tell me).
Have a good day
Re: Remove insecure SHA1 ciphers
Hi Remy64, it's one of the developers speaking here.
Next FileZilla Server release will impose a lower limit to the TLS version, setting it to v1.2. The Admin UI will let that limit be increased to v1.3, if the admin so desires. This should solve most of the issue you raised, leaving only two of the v1.2 ciphers you tagged as "unsafe" in the way.
After an internal discussion, it was decided that the v1.2 lower limit shall be enough for the time being.