Weak Cipher Suite Supported

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
bminks
500 Command not understood
Posts: 3
Joined: 2016-08-08 11:22
First name: Bable
Last name: Minks

Weak Cipher Suite Supported

#1 Post by bminks » 2016-08-08 11:35

Hello-
First, a HUGE thank you to the teams and contributors for producing and maintaining a great product. Have used FileZilla (client and server) for quite some time and it is excellent software and keeps improving with age.

One of my customers is undergoing a PCI compliance audit and the audit scans returned a failure due to a weak cipher suite in FileZilla Server 0.9.57. I've got the software configured for TLS v1.2 but the scans are flagging: TLS_RSA_WITH_IDEA_CBC_SHA as a supported cipher. Is there a way to enable/disable or order the cipher suites supported? Didn't see anything in documentation...so didn't think there was but doesn't hurt to ask. (Thanks for adding the TLS v1.2 support in 0.9.55...)

Thanks

Bable

User avatar
botg
Site Admin
Posts: 33056
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Weak Cipher Suite Supported

#2 Post by botg » 2016-08-08 13:34

The supported ciphers cannot be changed without recompilation.

Why are your scans flagging TLS_RSA_WITH_IDEA_CBC_SHA, ie. what is wrong with this cipher?

bminks
500 Command not understood
Posts: 3
Joined: 2016-08-08 11:22
First name: Bable
Last name: Minks

Re: Weak Cipher Suite Supported

#3 Post by bminks » 2016-08-09 12:18

Thanks for your quick response. I have some additional information. The scanning tool used for the assessment is Nexpose Rapid 7 and it is claiming the below:

Undefined CVE, TLS/SSL Server supports DES and IDEA Cipher Suites
protocol: tcp port: 990
severity: medium
CVSS Score: 5.8
Evidence, detail of vulnerability: Negotiated with the following insecure cipher suites: TLS 1.2 ciphers: TLS_RSA_WITH_IDEA_CBC_SHA

I'm not an expert when it comes to ciphers but my limited research indicates IDEA may be an obsolete encryption algorithm using a relatively (in cipher strength terms) low bit key (128-bit).

Thanks

Bable

User avatar
botg
Site Admin
Posts: 33056
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Weak Cipher Suite Supported

#4 Post by botg » 2016-08-09 12:45

Does your scanner complain about TLS_RSA_WITH_AES_CBC_SHA? That one has the very same key length and is also supported by FileZilla Server.


In any case, note that the mere presence of a weak encryption algorithm isn't a security problem on its own. Weak ciphers aren't used unless a connecting client doesn't understand a stronger cipher. and there's also protection against downgrade attacks in the handshake protocol.

bminks
500 Command not understood
Posts: 3
Joined: 2016-08-08 11:22
First name: Bable
Last name: Minks

Re: Weak Cipher Suite Supported

#5 Post by bminks » 2016-08-09 18:29

Thanks for the follow-up. I agree with you however the security group at my customer only see's it as a failure from a PCI compliance perspective (a very myopic world view most definitely) as the potential for a client to use the weak cipher exists.

I was only given the previously disclosed detail of the findings. If it failed on other ciphers, they did not disclose it.

Thank you for the additional detail...I think I can use it to craft a response that may be acceptable to them short term. Do you have a guideline or standard operating procedure regarding what ciphers are included/supported in builds?

I appreciate your time in responding to my questions.

Thanks again.

User avatar
boco
Contributor
Posts: 25192
Joined: 2006-05-01 03:28
Location: Germany

Re: Weak Cipher Suite Supported

#6 Post by boco » 2016-08-09 20:40

@botg: Could the software be changed so certain cipher suites can be disallowed? So those with special needs can configure it without any influence on others.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

hauntedbybullshit
500 Command not understood
Posts: 2
Joined: 2016-12-20 19:48

Re: Weak Cipher Suite Supported

#7 Post by hauntedbybullshit » 2016-12-20 19:53

same problem here.

A customer needs the PCI certification on his server and his scanning tool will not give its green light unless weak ciphers are forbidden by the server.

I don't really want to get into an argument over whether this makes sense or not, but I certainly see the upside - if you require a server to disallow unsecure ciphers, you can be less strict on the clients, which might otherwise be a lot more effort, given that usually there are >> 1 clients per server.

Also, in certain areas (and payment card is one of them I guess) it is generally good to be as restrictive as possible. Even if you require the server AND the client to disallow unsecure ciphers, this gives you an extra chance to not accidentally use one, which is a value in itself.

Anyways - is there a feature planned to cover the restrictions of PCI certification? I think this PCI thing isn't going away...

User avatar
botg
Site Admin
Posts: 33056
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Weak Cipher Suite Supported

#8 Post by botg » 2016-12-21 08:40

For the immediate future no such feature is planned. You can however change the FileZilla Server's source code yourself.

hauntedbybullshit
500 Command not understood
Posts: 2
Joined: 2016-12-20 19:48

Re: Weak Cipher Suite Supported

#9 Post by hauntedbybullshit » 2016-12-21 12:14

Well, first I wanted to contribute a "disable non pci-compliant ciphers" setting for FileZilla, but I guess I got stuck..
I just read the 'compile for Windows' wiki page and then decided to switch to IIS FTP, which solved my problem for now :)

Maybe I'll have another look in the filezilla code between christmas and new years eve, I'd love to contribute that feature.

Post Reply