Opened 4 years ago

Last modified 4 years ago

#12298 new Feature request

Configuration of Cipher Suites using TLS 1.2

Reported by: jonas
Owned by:
Priority: high
Component: FileZilla Server
Keywords: cipher suites, configuration, TLS
Cc:
Component version:
Operating system type:
Operating system version:

Description

Dear Filezilla Developers,

We work for a German federal government agency and have been using Filezilla server for a long time.
We would like to continue using Filezilla since we are satisfied with Filezilla server and haven’t had a single problem until recently.

Currently one cannot configure the cipher suites that Filezilla Server uses, which according to BSI document TR-02102-2 [2] poses a security risk and should therefore be changed.

The only post on configuring cipher suites that we were able to find is from 2016 [1].

In the post Tim Kosse says that:

  • a feature to configure the cipher suites is not planned
  • people who need to configure this should change the source code and compile their own versions of Filezilla

However, since 2016 new guidelines, like the one mentioned above, have emerged that require the usage or blocking of specific cipher suites when using TLS 1.2.

For example, German companies are recommended to follow the guidelines published by the Federal Office for Information Security (German abbreviation: BSI).
The guideline [2] lists a table of recommended cipher suites in section 3.3.1 "Cipher-Suiten" and explicitly discourages the use of all other ciphers.

Since most German companies have to comply with the BSI guidelines, Filezilla server could no longer be used.
We expect other European countries to adopt similar guidelines in the near future making this feature quite urgent.

Since recommendations on cipher suites occur more often nowadays, the use of a static set of cipher suites maintained by Filezilla doesn’t look like a modern solution anymore.
Users of Filezilla server should be able to change the allowed cipher suites without having to recompile the software.
A similar feature has already been requested in Ticket #11134 [3].

Is this feature perhaps already in development or is something similar on your scope for the next year?

We would greatly appreciate an answer to this ticket by Monday 12:00 UTC+2 since we have to discuss this issue with our management that day.

Best Regards and greetings from Germany
Jonas

[1] "Weak Cipher Supported" Filezilla forum post from 2016
https://forum.filezilla-project.org/viewtopic.php?t=41686

[2] BSI Recommendation - Cipher suites for TLS 1.2
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=10

[3] Ticket #11134 "Disable support for weak ciphers when using TLS 1.2" from 2016
https://trac.filezilla-project.org/ticket/11134

Change History (2)

comment:1 by Tim Kosse, 4 years ago

FileZilla Server is currently being rewritten. Some form of cipher-configurability may be added in a future version, allowing administrators to opt-out of particular algorithms. There will never be a way to enable ciphers not enabled by default.

comment:2 by jonas, 4 years ago (in reply to: comment:1)

Replying to Tim Kosse:

FileZilla Server is currently being rewritten. Some form of cipher-configurability may be added in a future version, allowing administrators to opt-out of particular algorithms. There will never be a way to enable ciphers not enabled by default.

Thanks for the reply - please excuse my late response.
Could you give us a rough estimate for the time of release of this rewritten FileZilla Server with the described feature? Would you say it's possible that it could be released in the next year?

Best Regards
Jonas
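The opt-out model described in comment:1 (administrators may disable suites from the built-in default set, but never add ones the server does not enable by default), as an added illustration that is not FileZilla Server code. The config format, the default list and the helper names are constructed for this example; the real cipher names come from Python's ssl module and are only used in the optional SSLContext wrapper.

```python
import ssl


def apply_opt_out(default_suites, disabled):
    """Narrow the built-in default list by an administrator's opt-out list.

    Names that are not defaults are rejected instead of silently ignored, so a
    config file can only shrink the offered set, never widen it. Returns the
    remaining suites in their original preference order.
    """
    defaults = list(dict.fromkeys(default_suites))  # dedupe, keep order
    unknown = sorted(set(disabled) - set(defaults))
    if unknown:
        raise ValueError(f"not offered by default, cannot be configured: {unknown}")
    remaining = [s for s in defaults if s not in set(disabled)]
    if not remaining:
        raise ValueError("opt-out list would leave no cipher suite enabled")
    return remaining


def parse_opt_out_config(text):
    """Parse a constructed config format: one suite per line, '#' starts a comment."""
    suites = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            suites.append(line)
    return suites


def server_context_with_opt_out(config_text):
    """Apply the opt-out list to a real SSLContext using OpenSSL suite names.
    set_ciphers() only governs TLS 1.2 and older, so TLS 1.3 suites are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    defaults = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    ctx.set_ciphers(":".join(apply_opt_out(defaults, parse_opt_out_config(config_text))))
    return ctx


# Constructed sample: a small default list and an opt-out file disabling the CBC suites.
SAMPLE_DEFAULTS = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-SHA256",
]
SAMPLE_CONFIG = """
# disabled cipher suites (constructed example)
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256   # CBC
"""

if __name__ == "__main__":
    print(apply_opt_out(SAMPLE_DEFAULTS, parse_opt_out_config(SAMPLE_CONFIG)))
```

Trying to list a suite that is not in the defaults (for example an RC4 suite) raises instead of enabling it, which is the property comment:1 asks for.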
