Opened 8 years ago
Closed 8 years ago
#11134 closed Patch (rejected)
Disable support for weak ciphers when using TLS 1.2
| Field | Value |
|---|---|
| Reported by | System Admins |
| Owned by | |
| Priority | high |
| Component | FileZilla Server |
| Keywords | PCI, Compliance, Security, TLS |
| Cc | |
| Component version | 0.9.59 |
| Operating system type | |
| Operating system version | Windows Server 2012 R2 / ALL |
Description
Currently, when FileZilla Server is configured to run with TLS 1.2 only, there are two ciphers enabled that cause FileZilla Server to fail a PCI 3.2 audit/scan. The two ciphers in question are:
- TLS_RSA_WITH_IDEA_CBC_SHA
- TLS_RSA_WITH_SEED_CBC_SHA
This topic has already been discussed here:
https://forum.filezilla-project.org/viewtopic.php?t=41686
A clone of this project already has this solution implemented on github as a reference:
https://github.com/wolfbeast/filezilla-server/commit/5f7b6ac747a56d5c8053dee40bdacf4bb4310c3a
It looks like a simple change to the CAsyncSslSocketLayer::InitSSLConnection function in AsyncSslSocketLayer.cpp will resolve this issue:
```cpp
// Disable (3)DES, RC4 and other weak and export ciphers
// Also disable rarely used SEED and IDEA
// We do not make use of PSK and SRP so disable them as well for good measure.
pSSL_set_cipher_list(m_ssl, "DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:!SEED:!IDEA:!PSK:!SRP");
```
This is not my GitHub account, only a solution I found online. Any credit should reference wolfbeast.
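To see what the proposed cipher string actually leaves enabled before shipping it, here is an added shell example. It is not FileZilla Server code and is not taken from the ticket or from wolfbeast's commit; it expands the string with the `openssl ciphers -v` tool, exactly as the server's `pSSL_set_cipher_list()` call would have OpenSSL interpret it, and checks the resulting Enc=/Mac=/Au= fields. It assumes the `openssl` command-line tool is on PATH. The cipher string is the ticket's; the regex of flagged algorithms and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not FileZilla Server code: evaluate an OpenSSL cipher
# string the way SSL_set_cipher_list() would and inspect what survives.
# Assumes the `openssl` command-line tool is installed.
set -u

# The cipher string proposed in the ticket, verbatim.
PROPOSED='DEFAULT:!eNULL:!aNULL:!DES:!3DES:!WEAK:!EXP:!LOW:!MD5:!RC4:!SEED:!IDEA:!PSK:!SRP'

# Algorithms a PCI-style scan flags (my choice of list). Matched against
# the Enc=/Mac=/Au= fields of `openssl ciphers -v` output rather than
# against suite names, so the check does not depend on OpenSSL's
# short-name spelling (IDEA-CBC-SHA, SEED-SHA, ...).
WEAK_RE='Enc=(IDEA|SEED|RC4|DES|3DES|RC2|None)|Mac=MD5|Au=None'

# Expand a cipher string into one suite per line in `openssl ciphers -v`
# format: name, protocol, Kx=, Au=, Enc=, Mac=. Fails, as
# SSL_set_cipher_list() fails, when the string is rejected.
expand_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null
}

# Number of suites in the expansion of $1 whose -v line matches regex $2.
# Prints a count even when it is 0 (grep -c exits 1 on zero matches).
weak_cipher_count() {
    _list=$(expand_ciphers "$1") || return 2
    printf '%s\n' "$_list" | grep -E -c "$2" || true
}

# Suite names that DEFAULT enables but the string $1 removes: the
# concrete effect of the change on this OpenSSL build.
suites_removed_by() {
    _new=$(expand_ciphers "$1") || return 2
    _tmp=$(mktemp) || return 2
    printf '%s\n' "$_new" | awk '{print $1}' >"$_tmp"
    expand_ciphers DEFAULT | awk '{print $1}' | grep -vxF -f "$_tmp" || true
    rm -f "$_tmp"
}

main() {
    echo "Suites enabled by the proposed string:"
    expand_ciphers "$PROPOSED" || {
        echo "OpenSSL rejected the cipher string (or openssl is missing)" >&2
        return 1
    }
    echo
    echo "Suites DEFAULT had that the proposed string removes:"
    suites_removed_by "$PROPOSED"
    echo
    echo "Flagged suites still enabled: $(weak_cipher_count "$PROPOSED" "$WEAK_RE")"
}

main "$@"
```

The check deliberately inspects the expanded list rather than the string, because OpenSSL ignores words in a cipher string that it does not recognise instead of failing; `WEAK`, for instance, does not appear among the keywords documented in ciphers(1), so a misspelt negation would go unnoticed if only the string were reviewed. Only the suites this prints can be negotiated once the server applies the same string. To confirm from the outside against a running server, `openssl s_client -starttls ftp -cipher IDEA -connect host:21` must fail the handshake once the change is deployed.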
Change History (2)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
Resolution: | → rejected |
---|---|
Status: | new → closed |
@sysadmin_rbs, if you can provide a CVE link, or if the scanning tool vendor can provide additional information, please post back to this bug report. Thanks!
Triage suggestion
I am unable to find any CVEs regarding these two ciphers (IDEA and SEED). Even the scanning tool's output (posted in the linked forum topic) simply stated "Undefined CVE".
In the absence of an actual CVE or other information, I suggest closing this ticket.