Opened 3 years ago

Closed 2 years ago

#11134 closed Patch (rejected)

Disable support for weak ciphers when using TLS 1.2

Reported by: System Admins Owned by:
Priority: high Component: FileZilla Server
Keywords: PCI, Compliance, Security, TLS Cc:
Component version: 0.9.59 Operating system type:
Operating system version: Windows Server 2012 R2 / ALL

Description

Currently when Filezilla Server is configured to run with TLS 1.2 only there are 2 ciphers that are enabled that cause Filezilla Server to fail a PCI 3.2 audit/scan. These two ciphers in question are:

| TLS_RSA_WITH_IDEA_CBC_SHA
| TLS_RSA_WITH_SEED_CBC_SHA

This topic has already been discuss here:
https://forum.filezilla-project.org/viewtopic.php?t=41686

A clone of this project already has this solution implemented on github as a reference:
https://github.com/wolfbeast/filezilla-server/commit/5f7b6ac747a56d5c8053dee40bdacf4bb4310c3a

It looks like a simple change to CAsyncSslSocketLayer::InitSSLConnection function in AsyncSslSocketLayer.cpp will resolve this issue:

// Disable (3)DES, RC4 and other weak and export ciphers
// Also disable rarely used SEED and IDEA
// We do not make use of PSK and SRP so disable them as well for good measure.
pSSL_set_cipher_list(m_ssl,"DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:!SEED:!IDEA:!PSK:!SRP");

This is not my github account, only a solution I found online. Any credit should reference wolfbeast

Change History (2)

comment:1 Changed 2 years ago by Kurt McKee

Triage suggestion

I am unable to find any CVE's regarding these two ciphers (IDEA and SEED). Even the scanning tool's output (posted in the linked forum topic) simply stated "Undefined CVE".

In the absence of an actual CVE or other information, I suggest closing this ticket.

comment:2 Changed 2 years ago by Kurt McKee

Resolution: rejected
Status: newclosed

@sysadmin_rbs, if you can provide a CVE link, or if the scanning tool vendor can provide additional information, please post back to this bug report. Thanks!

Note: See TracTickets for help on using tickets.