vsftpd: change ciphers - remove 3DES (PCI / SWEET32)

KimRinVA
Posts: 4
Joined: 2016/07/23 18:11:42

vsftpd: change ciphers - remove 3DES (PCI / SWEET32)

Postby KimRinVA » 2016/12/15 18:48:21

Does anyone know proper configuration for vsftpd to not use 3DES ciphers?

This is not allowed by PCI standards and assigned CVEs: CVE-2016-2183, CVE-2016-6329

https://access.redhat.com/articles/2548661
https://sweet32.info/

Thank you.

KimRinVA
Posts: 4
Joined: 2016/07/23 18:11:42

Re: vsftpd: change ciphers - remove 3DES (PCI / SWEET32)

Postby KimRinVA » 2016/12/15 19:03:26

I think I figured this out...

In vsftpd.conf, ssl_ciphers=HIGH was not working, but you can specify your own ciphers.

openssl ciphers -v shows the ciphers available; I just picked some at random, leaving off 3DES, and that appears to be working so far.

Separate ciphers with a comma, like:
ssl_ciphers=AES256-SHA,CAMELLIA256,PSK-AES256

mnosler
Posts: 1
Joined: 2017/09/21 17:23:35

Re: vsftpd: change ciphers - remove 3DES (PCI / SWEET32)

Postby mnosler » 2017/09/21 21:26:22

Found this while researching myself and wanted to reply with a cleaner solution. ssl_ciphers uses the regular openssl ciphers syntax.

To exclude 3DES from "HIGH" use:

ssl_ciphers=HIGH:-3DES

This also includes null authentication ciphers, so you may want to use:

ssl_ciphers=HIGH:-3DES:-aNULL
You can validate the list with openssl: openssl ciphers "HIGH:-3DES:-aNULL" -v
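Putting the two posts together as an added example (not code from the thread): a Python script that reads the ssl_ciphers line out of a vsftpd.conf and expands it through the standard-library ssl module, which hands the string to the same OpenSSL cipher-list parser that vsftpd and `openssl ciphers` use, then flags any 3DES or anonymous-authentication suite that is still selected. The config text below is a constructed sample, and the parser assumes vsftpd's plain `key=value` line format.

```python
"""Audit a vsftpd.conf ssl_ciphers value for 3DES (SWEET32) and aNULL suites."""
import re
import ssl

# Constructed sample config (not a real server's file) using the
# cipher string recommended in the thread.
SAMPLE_VSFTPD_CONF = """\
# vsftpd.conf (constructed sample)
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH:-3DES:-aNULL
"""

# Matches the fields `openssl ciphers -v` prints for 3DES and anonymous suites.
WEAK_FIELDS = re.compile(r"Enc=3DES|Au=None")


def read_ssl_ciphers(conf_text):
    """Return the ssl_ciphers value, or None if the directive is absent.

    vsftpd options are 'key=value' lines; '#' starts a comment line.
    If None is returned, vsftpd's built-in default applies and should be
    checked in vsftpd.conf(5) rather than assumed safe.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key == "ssl_ciphers":
            return value
    return None


def audit_cipher_spec(spec):
    """Expand an OpenSSL cipher string and return (selected, offending) names.

    Note: '-3DES' removes suites from the current list but a later term may
    re-add them; '!3DES' removes them permanently. Raises ssl.SSLError if the
    spec selects no suite at all (vsftpd would fail to negotiate TLS).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # same parser as: openssl ciphers "<spec>" -v
    selected, offending = [], []
    for cipher in ctx.get_ciphers():
        selected.append(cipher["name"])
        # 'description' is the line `openssl ciphers -v` would print, e.g.
        # 'DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'
        if WEAK_FIELDS.search(cipher["description"]):
            offending.append(cipher["name"])
    return selected, offending


if __name__ == "__main__":
    spec = read_ssl_ciphers(SAMPLE_VSFTPD_CONF)
    if spec is None:
        print("ssl_ciphers not set; vsftpd's built-in default applies")
    else:
        names, bad = audit_cipher_spec(spec)
        print(f"{spec!r}: {len(names)} suites selected, weak: {bad or 'none'}")
```

Run it against a real file by replacing SAMPLE_VSFTPD_CONF with the contents of /etc/vsftpd/vsftpd.conf; a non-empty offending list means the server will still offer a suite PCI scanners flag.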