Hello-
First, a HUGE thank you to the teams and contributors for producing and maintaining a great product. Have used FileZilla (client and server) for quite some time and it is excellent software and keeps improving with age.
One of my customers is undergoing a PCI compliance audit and the audit scans returned a failure due to a weak cipher suite in FileZilla Server 0.9.57. I've got the software configured for TLS v1.2 but the scans are flagging: TLS_RSA_WITH_IDEA_CBC_SHA as a supported cipher. Is there a way to enable/disable or order the cipher suites supported? Didn't see anything in documentation...so didn't think there was but doesn't hurt to ask. (Thanks for adding the TLS v1.2 support in 0.9.55...)
Thanks
Bable
Weak Cipher Suite Supported
Moderator: Project members
Re: Weak Cipher Suite Supported
The supported ciphers cannot be changed without recompilation.
Why are your scans flagging TLS_RSA_WITH_IDEA_CBC_SHA, ie. what is wrong with this cipher?
Why are your scans flagging TLS_RSA_WITH_IDEA_CBC_SHA, ie. what is wrong with this cipher?
-
bminks
- 500 Command not understood
- Posts: 3
- Joined: 2016-08-08 11:22
- First name: Bable
- Last name: Minks
Re: Weak Cipher Suite Supported
Thanks for your quick response. I have some additional information. The scanning tool used for the assessment is Nexpose Rapid 7 and it is claiming the below:
Undefined CVE, TLS/SSL Server supports DES and IDEA Cipher Suites
protocol: tcp port: 990
severity: medium
CVSS Score: 5.8
Evidence, detail of vulnerability: Negotiated with the following insecure cipher suites: TLS 1.2 ciphers: TLS_RSA_WITH_IDEA_CBC_SHA
I'm not an expert when it comes to ciphers but my limited research indicates IDEA may be an obsolete encryption algorithm using a relatively (in cipher strength terms) low bit key (128-bit).
Thanks
Bable
Undefined CVE, TLS/SSL Server supports DES and IDEA Cipher Suites
protocol: tcp port: 990
severity: medium
CVSS Score: 5.8
Evidence, detail of vulnerability: Negotiated with the following insecure cipher suites: TLS 1.2 ciphers: TLS_RSA_WITH_IDEA_CBC_SHA
I'm not an expert when it comes to ciphers but my limited research indicates IDEA may be an obsolete encryption algorithm using a relatively (in cipher strength terms) low bit key (128-bit).
Thanks
Bable
Re: Weak Cipher Suite Supported
Does your scanner complain about TLS_RSA_WITH_AES_CBC_SHA? That one has the very same key length and is also supported by FileZilla Server.
In any case, note that the mere presence of a weak encryption algorithm isn't a security problem on its own. Weak ciphers aren't used unless a connecting client doesn't understand a stronger cipher. and there's also protection against downgrade attacks in the handshake protocol.
In any case, note that the mere presence of a weak encryption algorithm isn't a security problem on its own. Weak ciphers aren't used unless a connecting client doesn't understand a stronger cipher. and there's also protection against downgrade attacks in the handshake protocol.
-
bminks
- 500 Command not understood
- Posts: 3
- Joined: 2016-08-08 11:22
- First name: Bable
- Last name: Minks
Re: Weak Cipher Suite Supported
Thanks for the follow-up. I agree with you however the security group at my customer only see's it as a failure from a PCI compliance perspective (a very myopic world view most definitely) as the potential for a client to use the weak cipher exists.
I was only given the previously disclosed detail of the findings. If it failed on other ciphers, they did not disclose it.
Thank you for the additional detail...I think I can use it to craft a response that may be acceptable to them short term. Do you have a guideline or standard operating procedure regarding what ciphers are included/supported in builds?
I appreciate your time in responding to my questions.
Thanks again.
I was only given the previously disclosed detail of the findings. If it failed on other ciphers, they did not disclose it.
Thank you for the additional detail...I think I can use it to craft a response that may be acceptable to them short term. Do you have a guideline or standard operating procedure regarding what ciphers are included/supported in builds?
I appreciate your time in responding to my questions.
Thanks again.
Re: Weak Cipher Suite Supported
@botg: Could the software be changed so certain cipher suites can be disallowed? So those with special needs can configure it without any influence on others.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
-
hauntedbybullshit
- 500 Command not understood
- Posts: 2
- Joined: 2016-12-20 19:48
Re: Weak Cipher Suite Supported
same problem here.
A customer needs the PCI certification on his server and his scanning tool will not give its green light unless weak ciphers are forbidden by the server.
I don't really want to get into an argument over whether this makes sense or not, but I certainly see the upside - if you require a server to disallow unsecure ciphers, you can be less strict on the clients, which might otherwise be a lot more effort, given that usually there are >> 1 clients per server.
Also, in certain areas (and payment card is one of them I guess) it is generally good to be as restrictive as possible. Even if you require the server AND the client to disallow unsecure ciphers, this gives you an extra chance to not accidentally use one, which is a value in itself.
Anyways - is there a feature planned to cover the restrictions of PCI certification? I think this PCI thing isn't going away...
A customer needs the PCI certification on his server and his scanning tool will not give its green light unless weak ciphers are forbidden by the server.
I don't really want to get into an argument over whether this makes sense or not, but I certainly see the upside - if you require a server to disallow unsecure ciphers, you can be less strict on the clients, which might otherwise be a lot more effort, given that usually there are >> 1 clients per server.
Also, in certain areas (and payment card is one of them I guess) it is generally good to be as restrictive as possible. Even if you require the server AND the client to disallow unsecure ciphers, this gives you an extra chance to not accidentally use one, which is a value in itself.
Anyways - is there a feature planned to cover the restrictions of PCI certification? I think this PCI thing isn't going away...
Re: Weak Cipher Suite Supported
For the immediate future no such feature is planned. You can however change the FileZilla Server's source code yourself.
-
hauntedbybullshit
- 500 Command not understood
- Posts: 2
- Joined: 2016-12-20 19:48
Re: Weak Cipher Suite Supported
Well, first I wanted to contribute a "disable non pci-compliant ciphers" setting for FileZilla, but I guess I got stuck..
I just read the 'compile for Windows' wiki page and then decided to switch to IIS FTP, which solved my problem for now
Maybe I'll have another look in the filezilla code between christmas and new years eve, I'd love to contribute that feature.
I just read the 'compile for Windows' wiki page and then decided to switch to IIS FTP, which solved my problem for now
Maybe I'll have another look in the filezilla code between christmas and new years eve, I'd love to contribute that feature.