Is it possible to disable certain ciphers?
Looking to disable IDEA-CBC-SHA, RC4-SHA, RC4-MD5, RC4-MD5.
Disable certain Ciphers
Re: Disable certain Ciphers
Client or server?
Of the ones you listed, the client only supports RC4-SHA1, the others are already disabled.
The server currently has no way to specify which ciphers to use. Right now I don't even know whether it supports RC4 or IDEA.
- Joined: 2014-07-17 15:31
- First name: Chris
- Last name: Kelly
Re: Disable certain Ciphers
We have a client that is requesting that they be disabled for security reasons. They come up on his scan as open; his scan results are listed below. Any idea why they would be listed then?
Here is the full output:
Testing ECDHE-RSA-AES256-GCM-SHA384...NONE
Testing ECDHE-ECDSA-AES256-GCM-SHA384...NONE
Testing ECDHE-RSA-AES256-SHA384...NONE
Testing ECDHE-ECDSA-AES256-SHA384...NONE
Testing ECDHE-RSA-AES256-SHA...NONE
Testing ECDHE-ECDSA-AES256-SHA...NONE
Testing SRP-DSS-AES-256-CBC-SHA...NONE
Testing SRP-RSA-AES-256-CBC-SHA...NONE
Testing DHE-DSS-AES256-GCM-SHA384...NONE
Testing DHE-RSA-AES256-GCM-SHA384...NONE
Testing DHE-RSA-AES256-SHA256...NONE
Testing DHE-DSS-AES256-SHA256...NONE
Testing DHE-RSA-AES256-SHA...NONE
Testing DHE-DSS-AES256-SHA...NONE
Testing DHE-RSA-CAMELLIA256-SHA...NONE
Testing DHE-DSS-CAMELLIA256-SHA...NONE
Testing AECDH-AES256-SHA...NONE
Testing SRP-AES-256-CBC-SHA...NONE
Testing ADH-AES256-GCM-SHA384...NONE
Testing ADH-AES256-SHA256...NONE
Testing ADH-AES256-SHA...NONE
Testing ADH-CAMELLIA256-SHA...NONE
Testing ECDH-RSA-AES256-GCM-SHA384...NONE
Testing ECDH-ECDSA-AES256-GCM-SHA384...NONE
Testing ECDH-RSA-AES256-SHA384...NONE
Testing ECDH-ECDSA-AES256-SHA384...NONE
Testing ECDH-RSA-AES256-SHA...NONE
Testing ECDH-ECDSA-AES256-SHA...NONE
Testing AES256-GCM-SHA384...NONE
Testing AES256-SHA256...NONE
Testing AES256-SHA...YES
Testing CAMELLIA256-SHA...NONE
Testing PSK-AES256-CBC-SHA...NONE
Testing ECDHE-RSA-DES-CBC3-SHA...NONE
Testing ECDHE-ECDSA-DES-CBC3-SHA...NONE
Testing SRP-DSS-3DES-EDE-CBC-SHA...NONE
Testing SRP-RSA-3DES-EDE-CBC-SHA...NONE
Testing EDH-RSA-DES-CBC3-SHA...NONE
Testing EDH-DSS-DES-CBC3-SHA...NONE
Testing AECDH-DES-CBC3-SHA...NONE
Testing SRP-3DES-EDE-CBC-SHA...NONE
Testing ADH-DES-CBC3-SHA...NONE
Testing ECDH-RSA-DES-CBC3-SHA...NONE
Testing ECDH-ECDSA-DES-CBC3-SHA...NONE
Testing DES-CBC3-SHA...YES
Testing DES-CBC3-MD5...NONE
Testing PSK-3DES-EDE-CBC-SHA...NONE
Testing ECDHE-RSA-AES128-GCM-SHA256...NONE
Testing ECDHE-ECDSA-AES128-GCM-SHA256...NONE
Testing ECDHE-RSA-AES128-SHA256...NONE
Testing ECDHE-ECDSA-AES128-SHA256...NONE
Testing ECDHE-RSA-AES128-SHA...NONE
Testing ECDHE-ECDSA-AES128-SHA...NONE
Testing SRP-DSS-AES-128-CBC-SHA...NONE
Testing SRP-RSA-AES-128-CBC-SHA...NONE
Testing DHE-DSS-AES128-GCM-SHA256...NONE
Testing DHE-RSA-AES128-GCM-SHA256...NONE
Testing DHE-RSA-AES128-SHA256...NONE
Testing DHE-DSS-AES128-SHA256...NONE
Testing DHE-RSA-AES128-SHA...NONE
Testing DHE-DSS-AES128-SHA...NONE
Testing DHE-RSA-SEED-SHA...NONE
Testing DHE-DSS-SEED-SHA...NONE
Testing DHE-RSA-CAMELLIA128-SHA...NONE
Testing DHE-DSS-CAMELLIA128-SHA...NONE
Testing AECDH-AES128-SHA...NONE
Testing SRP-AES-128-CBC-SHA...NONE
Testing ADH-AES128-GCM-SHA256...NONE
Testing ADH-AES128-SHA256...NONE
Testing ADH-AES128-SHA...NONE
Testing ADH-SEED-SHA...NONE
Testing ADH-CAMELLIA128-SHA...NONE
Testing ECDH-RSA-AES128-GCM-SHA256...NONE
Testing ECDH-ECDSA-AES128-GCM-SHA256...NONE
Testing ECDH-RSA-AES128-SHA256...NONE
Testing ECDH-ECDSA-AES128-SHA256...NONE
Testing ECDH-RSA-AES128-SHA...NONE
Testing ECDH-ECDSA-AES128-SHA...NONE
Testing AES128-GCM-SHA256...NONE
Testing AES128-SHA256...NONE
Testing AES128-SHA...YES
Testing SEED-SHA...NONE
Testing CAMELLIA128-SHA...NONE
Testing IDEA-CBC-SHA...YES
Testing IDEA-CBC-MD5...NONE
Testing RC2-CBC-MD5...NONE
Testing PSK-AES128-CBC-SHA...NONE
Testing ECDHE-RSA-RC4-SHA...NONE
Testing ECDHE-ECDSA-RC4-SHA...NONE
Testing AECDH-RC4-SHA...NONE
Testing ADH-RC4-MD5...NONE
Testing ECDH-RSA-RC4-SHA...NONE
Testing ECDH-ECDSA-RC4-SHA...NONE
Testing RC4-SHA...YES
Testing RC4-MD5...YES
Testing RC4-MD5...YES
Testing PSK-RC4-SHA...NONE
Testing EDH-RSA-DES-CBC-SHA...NONE
Testing EDH-DSS-DES-CBC-SHA...NONE
Testing ADH-DES-CBC-SHA...NONE
Testing DES-CBC-SHA...NONE
Testing DES-CBC-MD5...NONE
Testing EXP-EDH-RSA-DES-CBC-SHA...NONE
Testing EXP-EDH-DSS-DES-CBC-SHA...NONE
Testing EXP-ADH-DES-CBC-SHA...NONE
Testing EXP-DES-CBC-SHA...NONE
Testing EXP-RC2-CBC-MD5...NONE
Testing EXP-RC2-CBC-MD5...NONE
Testing EXP-ADH-RC4-MD5...NONE
Testing EXP-RC4-MD5...NONE
Testing EXP-RC4-MD5...NONE
Testing ECDHE-RSA-NULL-SHA...NONE
Testing ECDHE-ECDSA-NULL-SHA...NONE
Testing AECDH-NULL-SHA...NONE
Testing ECDH-RSA-NULL-SHA...NONE
Testing ECDH-ECDSA-NULL-SHA...NONE
Testing NULL-SHA256...NONE
Testing NULL-SHA...NONE
Testing NULL-MD5...NONE
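A triage of scan output in the format posted above, as an added example that is not part of the original thread: it parses `Testing <suite>...<YES|NONE>` results, including lines where several results were run together, and reports which accepted suites are on the list the poster wants disabled. The sample input, function names and concern labels are constructed for illustration.

```python
import re

# Constructed sample in the scan's "Testing <suite>...<YES|NONE>" format,
# including one line where several results were run together.
SAMPLE = """\
Testing AES256-SHA256...NONE
Testing AES256-SHA...YES
Testing ECDHE-RSA-AES128-SHA...NONE Testing DES-CBC3-SHA...YES Testing SEED-SHA...NONE
Testing IDEA-CBC-SHA...YES
Testing RC4-SHA...YES
Testing RC4-MD5...YES
Testing RC4-MD5...YES
Testing EXP-RC4-MD5...NONE
"""

# Unanchored so it also finds results that share a line.
RESULT = re.compile(r"Testing\s+(\S+?)\.\.\.(YES|NONE)")

# Components of the OpenSSL-style suite name mapped to the concerns raised
# in the thread (labels are assumptions made for this example).
CONCERNS = [
    ("RC4", "RC4 stream cipher"),
    ("MD5", "MD5-based MAC"),
    ("IDEA", "IDEA in CBC mode"),
]

def accepted_suites(scan_text):
    """Return suites the server accepted (YES), de-duplicated, in scan order."""
    seen = []
    for name, verdict in RESULT.findall(scan_text):
        if verdict == "YES" and name not in seen:
            seen.append(name)
    return seen

def triage(scan_text, requested_off):
    """Group accepted suites: requested off but still on, flagged, and the rest."""
    report = {"still_enabled": [], "flagged": {}, "other": []}
    for suite in accepted_suites(scan_text):
        parts = suite.split("-")  # match whole components, not substrings
        reasons = [why for token, why in CONCERNS if token in parts]
        if suite in requested_off:
            report["still_enabled"].append(suite)
        if reasons:
            report["flagged"][suite] = reasons
        else:
            report["other"].append(suite)
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE, {"IDEA-CBC-SHA", "RC4-SHA", "RC4-MD5"}).items():
        print(key, value)
```

Re-running the scan after a server configuration change and checking that `still_enabled` comes back empty confirms the change took effect.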
Re: Disable certain Ciphers
Ciphers using MD5 won't be supported in the next version of FileZilla Server.
If I may ask, what's the rationale behind not wanting to have IDEA-CBC-SHA?
Re: Disable certain Ciphers
botg wrote: "Ciphers using MD5 won't be supported in the next version of FileZilla Server. If I may ask, what's the rationale behind not wanting to have IDEA-CBC-SHA?"
Disabling RC4 makes more sense than anything else, since it's actually broken now. The attacks against it aren't very feasible right now, but they work.
As for disabling ciphers that use MD5, unless you're dropping all of RC4, I see no point. RC4-MD5 uses HMAC-MD5, which is still considered secure. You'd be getting the same level of security using RC4-MD5 or RC4-SHA.
My only problem with IDEA-CBC is the fact that it's operating in CBC-mode and that it's even slower than 3DES.
Re: Disable certain Ciphers
Quote: "Disabling RC4 makes more sense than anything else, since it's actually broken now. The attacks against it aren't very feasible right now, but they work."
RC4 support will be removed soon.
Quote: "RC4-MD5 uses HMAC-MD5, which is still considered secure"
Do you have a reference regarding HMAC-MD5 still being considered secure?
Quote: "My only problem with IDEA-CBC is the fact that it's operating in CBC-mode and that it's even slower than 3DES."
If speed would matter, people would encrypt using double-rot13.
Re: Disable certain Ciphers
botg wrote: "Do you have a reference regarding HMAC-MD5 still being considered secure?"
https://news.ycombinator.com/item?id=7977798
Re: Disable certain Ciphers
After some digging I found this: http://cseweb.ucsd.edu/~mihir/papers/hmac-new.pdf