Configuration of Cipher Suites using TLS 1.2
Reported by: jonas
Keywords: cipher suites, configuration, TLS
Dear FileZilla Developers,
we work for a German federal government agency and have been using FileZilla Server for a long time.
We would like to continue using FileZilla since we are satisfied with FileZilla Server and haven’t had a single problem until recently.
Currently one cannot configure the cipher suites that FileZilla Server uses, which, according to BSI doc TR-02102-2, poses a security risk and should therefore be changed.
The only post on configuring cipher suites - that we were able to find - is from 2016.
In the post, Tim Kosse says that:
- a feature to configure the cipher suites is not planned
- people who need to configure this should change the source code and compile their own versions of FileZilla
However, since 2016 new guidelines - like the one mentioned above - have emerged that require the usage or blocking of specific cipher suites when using TLS 1.2.
For example, German companies are recommended to follow the guidelines published by the Federal Office for Information Security (German abbreviation: BSI).
The guideline lists a table of recommended cipher suites in section 3.3.1 "Cipher-Suiten" and explicitly discourages the use of all other ciphers.
Since most German companies have to comply with the BSI guidelines, FileZilla Server could no longer be used.
We expect other European countries to adopt similar guidelines in the near future, making this feature quite urgent.
Since recommendations on cipher suites occur more often nowadays, the use of a static set of cipher suites maintained by FileZilla doesn’t look like a modern solution anymore.
Users of FileZilla Server should be able to change the allowed cipher suites without having to recompile the software.
A similar feature has already been requested in Ticket #11134.
Is this feature perhaps already in development or is something similar on your scope for the next year?
We would greatly appreciate an answer to this ticket by Monday 12:00 UTC+2 since we have to discuss this issue with our management that day.
Best Regards and greetings from Germany
"Weak Cipher Supported" FileZilla forum post from 2016
BSI Recommendation - Cipher suites for TLS 1.2