Opened 13 years ago

Closed 10 years ago

#8059 closed Feature request (fixed)

Option to disable TLS 1.0 because of possible security issue

Reported by: darob100 Owned by:
Priority: normal Component: FileZilla Server
Keywords: Cc:
Component version: Operating system type: Windows
Operating system version: 2008 and 2012 Server

Description

I scanned my local server with Nessus and got an interesting warning:

"Synopsis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
Description: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data.
If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized.
Solution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
See Also:
http://www.openssl.org/~bodo/tls-cbc.txt
http://vnhacker.blogspot.com/2011/09/beast.html
http://technet.microsoft.com/en-us/security/bulletin/ms12-006
http://support.microsoft.com/kb/2643584
http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-beast.aspx "

I am not sure if this issue is really a security issue. A possible solution should be to disable TLS 1.0 support. I understand that this is a compatibility problem, but perhaps you could add an option to disable it. So everybody can decide if he wants compatibility or more security.
I am running FileZilla Server Version 0.9.41 with FTP over SSL/TLS enabled.

Attachments (1)

PCI_DSS_v3-1-page-32.pdf (102.0 KB) - added by D. Larson 10 years ago.
PCI DSS 3.1 Specifications, page 32 regarding TLS


Change History (3)

by D. Larson, 10 years ago

Attachment: PCI_DSS_v3-1-page-32.pdf added

PCI DSS 3.1 Specifications, page 32 regarding TLS

comment:1 by D. Larson, 10 years ago

Operating system version: 2008 Server → 2008 and 2012 Server

The PCI DSS 3.1 spec released in April of 2015 does not like TLS 1.0. It would be great to be able to disable TLS 1.0 in the FZS settings.

From the PCI spec:
"SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016.[...] Effective immediately, new implementations must not use SSL or early TLS."

comment:2 by Tim Kosse, 10 years ago

Resolution: fixed
Status: new → closed

In the next version of FileZilla Server you will be able to configure the minimum required TLS version via the "Minimum TLS version" entry in the settings file. Values 0, 1 and 2 are supported, corresponding to TLS 1.0, 1.1 and 1.2.
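Added example (not from the ticket or the FileZilla project): a Python script that expresses the 0/1/2 setting as an OpenSSL version floor and probes your own explicit-FTPS server with AUTH TLS to confirm that, once the setting is raised, a TLS 1.0-only handshake is refused. The host, port and function names are assumptions; the server-side context is only an illustration of the setting's meaning, not FileZilla Server's implementation.

```python
import socket
import ssl

# FileZilla Server "Minimum TLS version" values, as stated in comment:2.
SETTING_TO_VERSION = {
    0: ssl.TLSVersion.TLSv1,
    1: ssl.TLSVersion.TLSv1_1,
    2: ssl.TLSVersion.TLSv1_2,
}

def server_context_for_setting(setting: int) -> ssl.SSLContext:
    """Illustrative server context: the setting is a floor on the version."""
    if setting not in SETTING_TO_VERSION:
        raise ValueError(f"unsupported Minimum TLS version value: {setting}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = SETTING_TO_VERSION[setting]
    return ctx

def read_reply(f) -> str:
    """Read one FTP reply ("220-..." continuation lines included); return its code."""
    while True:
        line = f.readline()
        if not line:
            return ""                     # connection closed mid-reply
        line = line.decode("ascii", "replace")
        if line[:3].isdigit() and line[3:4] == " ":
            return line[:3]               # "NNN " terminates the reply

def ftps_accepts_version(host: str, port: int, version: ssl.TLSVersion) -> bool:
    """Explicit FTPS probe with the handshake pinned to `version`; True means the
    server still negotiates it. After setting the floor to 2, TLSv1 must be False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # only protocol acceptance is tested
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    # Current OpenSSL will not even offer TLS 1.0/1.1 at its default security
    # level; lower it so the result reflects the server's policy, not ours.
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            f = sock.makefile("rb")
            if read_reply(f) != "220":
                return False
            sock.sendall(b"AUTH TLS\r\n")
            if read_reply(f) != "234":
                return False              # server offers no TLS at all
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:                       # ssl.SSLError is a subclass of OSError
        return False
```

A call such as `ftps_accepts_version("ftp.example.internal", 21, ssl.TLSVersion.TLSv1)` (hypothetical host) should return False on a server configured with value 2, and True for `TLSv1_2`.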
