Option to disable TLS 1.0 because of possible security issue
|Reported by:||darob100||Owned by:|
|Component version:||Operating system type:||Windows|
|Operating system version:||2008 and 2012 Server|
I scanned my local server with nessus and got an interesting warning:
"Synopsis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
Description: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data.
If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized.
Solution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
I am not sure, if this issue is really a security issue. A possible solution should be, to disable TLS 1.0 support. I understand, that this is a compatibility problem, but perhaps you could add an option to disable it. So everybody can decide, if he wants compatibility or more security.
I am running Filezilla Server Version 0.9.41 with FTP over SSL/TLS enabled.