Proftp & TLS 1.0 PCI Compliance

Comments

8 comments

  • cPanelMichael
    Hello, Here's the default cipher list we provide for ProFTPd as of cPanel version 68:
    HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    Can you update the TLS Cipher Suite to the above value via "WHM Home » Service Configuration » FTP Server Configuration" and let us know if that helps? Thank you.
    0
  • ehask71
    Hello, Here's the default cipher list we provide for ProFTPd as of cPanel version 68:
    HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    Can you update the TLS Cipher Suite to the above value via "WHM Home » Service Configuration » FTP Server Configuration" and let us know if that helps? Thank you.

    What is the default for the Protocol field? I think we jacked ours up.
    0
  • ehask71
    It got worse... Before, I only had "Server Supports TLS 1.0 protocol". Now I have RC4 and SWEET32.
    0
  • ehask71
    These are the ciphers for ProFtp on 68.0.21 that passed:
    AES128+EECDH:AES128+EDH:!SSLv2:!SSLv3:!3DES
    0
  • ottdev
    Hello, Here's the default cipher list we provide for ProFTPd as of cPanel version 68:
    HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    Can you update the TLS Cipher Suite to the above value via "WHM Home » Service Configuration » FTP Server Configuration" and let us know if that helps? Thank you.

    Where is the raw file where this cipher spec appears? In our WHM 68.0.29 this field only says HIGH. It's as if the rest has been truncated! I wish to compare with the actual file and submit a bug if something's wrong...
    0
  • rpvw
    If all you see is HIGH you may be using Pure-FTPd (the above posts all referred to ProFTPd). You can find the conf files in:
      - /etc/proftpd.conf
      - /etc/pure-ftpd.conf
    I just tried changing from the old HIGH to HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 using "WHM Home » Service Configuration » FTP Server Configuration", which updated the Pure-FTPd config, and it seems to have worked OK.
    Update: I am not at all sure a better cipher list would not be HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
    Disabling SSLv3 should prevent POODLE exploits. I would very much like cPanel to comment on this.
    0
  • ottdev
    YES! It's Pure-FTP. It does say just HIGH in the raw file.
    # SSL is disabled by default. TLS 1.0, 1.1 and 1.2 are available by default.
    TLSCipherSuite HIGH
    Pure-FTP documentation doesn't detail which strings can be used. But I found HIGH is indeed valid: /docs/man1.0.2/apps/ciphers.html
    HIGH "high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.
    It's still a mystery what is actually included in "HIGH". Now I have a Dreamweaver user who cannot connect due to her older version not having support for TLS 1.2 - this is great! Do I assume then that "HIGH" effectively rules out TLS 1.0 and 1.1? OR does it mean something is installed or NOT, or enabled/disabled elsewhere server-side, that would override what FTP wants to allow here? i.e. if the server itself allows only TLS 1.2, then a spec in an individual application (such as FTP) couldn't possibly override it. How to check overall SSL specs?
    It's not that I want to loosen anything up!!! I'd like to be certain I'm correct when I inform the client he needs an FTP or web publisher client that supports minimum TLS 1.2.
    0
  • cPanelMichael
    It's still a mystery what is actually included in "HIGH".

    Hello @ottdev, This corresponds to the OpenSSL library installed on your system. Here's a command you can use to see a list of what's included:
    openssl ciphers -v 'HIGH'
    Thank you.
    0
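
An added example, not part of the thread or of cPanel's tooling: a shell filter that reads the output of the `openssl ciphers -v` command quoted above and marks each suite for the two scanner findings mentioned earlier (RC4, SWEET32) and for whether it can also be negotiated below TLS 1.2. The function names and the four sample lines are constructed for illustration; the protocol column only states the lowest version a suite works with, so switching TLS 1.0 off is a separate protocol setting and not something the cipher string does.

```shell
#!/bin/sh
# Added example: classify `openssl ciphers -v` output. Names are hypothetical.

# Constructed sample in the column layout `openssl ciphers -v` prints.
sample_list() {
cat <<'EOF'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
EOF
}

# Reads `openssl ciphers -v` lines on stdin; prints "<suite> <finding> <minver>".
#   finding: RC4, SWEET32 (64-bit block cipher such as 3DES), or ok
#   minver:  legacy  = suite is also usable with SSLv3/TLS 1.0/1.1
#            tls1.2+ = suite exists only from TLS 1.2 upward
audit_ciphers() {
    awk 'NF >= 5 {
        enc = ""
        for (i = 3; i <= NF; i++) if ($i ~ /^Enc=/) enc = $i
        finding = "ok"
        if (enc ~ /^Enc=RC4/) finding = "RC4"
        else if (enc ~ /^Enc=(3DES|DES|IDEA|RC2)\(/) finding = "SWEET32"
        minver = ($2 ~ /^TLSv1\.[23]$/) ? "tls1.2+" : "legacy"
        print $1, finding, minver
    }'
}

# Number of suites with a finding. Against a real cipher string:
#   openssl ciphers -v 'HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3' | count_findings
count_findings() {
    audit_ciphers | awk '$2 != "ok" { n++ } END { print n + 0 }'
}

# Stand-alone run: audit the constructed sample.
sample_list | audit_ciphers
```

The result depends on the OpenSSL build on the server, so run it on the host that serves FTP and compare a candidate string against the one currently configured.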