Opened 7 years ago

Closed 6 years ago

#11134 closed Patch (rejected)

Disable support for weak ciphers when using TLS 1.2

Reported by: System Admins Owned by:
Priority: high Component: FileZilla Server
Keywords: PCI, Compliance, Security, TLS Cc:
Component version: 0.9.59 Operating system type:
Operating system version: Windows Server 2012 R2 / ALL


Currently when Filezilla Server is configured to run with TLS 1.2 only there are 2 ciphers that are enabled that cause Filezilla Server to fail a PCI 3.2 audit/scan. These two ciphers in question are:


This topic has already been discuss here:

A clone of this project already has this solution implemented on github as a reference:

It looks like a simple change to CAsyncSslSocketLayer::InitSSLConnection function in AsyncSslSocketLayer.cpp will resolve this issue:

// Disable (3)DES, RC4 and other weak and export ciphers
// Also disable rarely used SEED and IDEA
// We do not make use of PSK and SRP so disable them as well for good measure.

This is not my github account, only a solution I found online. Any credit should reference wolfbeast

Change History (2)

comment:1 by Kurt McKee, 6 years ago

Triage suggestion

I am unable to find any CVE's regarding these two ciphers (IDEA and SEED). Even the scanning tool's output (posted in the linked forum topic) simply stated "Undefined CVE".

In the absence of an actual CVE or other information, I suggest closing this ticket.

comment:2 by Kurt McKee, 6 years ago

Resolution: rejected
Status: newclosed

@sysadmin_rbs, if you can provide a CVE link, or if the scanning tool vendor can provide additional information, please post back to this bug report. Thanks!

Note: See TracTickets for help on using tickets.