Opened 12 years ago
Closed 9 years ago
#8059 closed Feature request (fixed)
Option to disable TLS 1.0 because of possible security issue
Reported by: | darob100 | Owned by: |
---|---|---|---
Priority: | normal | Component: | FileZilla Server
Keywords: | | Cc: |
Component version: | | Operating system type: | Windows
Operating system version: | 2008 and 2012 Server | |
Description
I scanned my local server with nessus and got an interesting warning:
"Synopsis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
Description: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data.
If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized.
Solution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
See Also:
http://www.openssl.org/~bodo/tls-cbc.txt
http://vnhacker.blogspot.com/2011/09/beast.html
http://technet.microsoft.com/en-us/security/bulletin/ms12-006
http://support.microsoft.com/kb/2643584
http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-beast.aspx "
I am not sure if this issue is really a security issue. A possible solution should be to disable TLS 1.0 support. I understand that this is a compatibility problem, but perhaps you could add an option to disable it. So everybody can decide if he wants compatibility or more security.
I am running Filezilla Server Version 0.9.41 with FTP over SSL/TLS enabled.
Attachments (1)
Change History (3)
by , 9 years ago
Attachment: PCI_DSS_v3-1-page-32.pdf added
comment:1 by , 9 years ago
Operating system version: 2008 Server → 2008 and 2012 Server
The PCI DSS 3.1 spec released in April of 2015 does not like TLS 1.0. It would be great to be able to disable TLS 1.0 in the FZS settings.
From the PCI spec:
"SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016.[...] Effective immediately, new implementations must not use SSL or early TLS."
comment:2 by , 9 years ago
Resolution: → fixed
Status: new → closed
In the next version of FileZilla Server you will be able to configure the minimum required TLS version via the "Minimum TLS version" entry in the settings file. Values 0, 1 and 2 are supported, corresponding to TLS 1.0, 1.1 and 1.2.
PCI DSS 3.1 Specifications, page 32 regarding TLS