Does anyone know proper configuration for vsftpd to not use 3DES ciphers?
This is not allowed by PCI standards and assigned CVEs: CVE-2016-2183, CVE-2016-6329
https://access.redhat.com/articles/2548661
https://sweet32.info/
Thank you.
vsftpd: change ciphers - remove 3DES (PCI / SWEET32)
Re: vsftpd: change ciphers - remove 3DES (PCI / SWEET32)
I think I figured this out....
in vsftpd.conf, ssl_ciphers=HIGH was not working, but you can specify your own ciphers.
openssl ciphers -v shows ciphers available and I just picked some at random, leaving off 3DES and that appears to be working so far.
Separate ciphers by a comma like:
ssl_ciphers=AES256-SHA,CAMELLIA256,PSK-AES256
Re: vsftpd: change ciphers - remove 3DES (PCI / SWEET32)
Found this while researching myself and wanted to reply with a cleaner solution. ssl_ciphers uses the regular openssl ciphers syntax.
To exclude 3DES from "HIGH" use:
ssl_ciphers=HIGH:-3DES
This also includes null-authentication ciphers, so you may want to use:
ssl_ciphers=HIGH:-3DES:-aNULL
You can validate the list with openssl: openssl ciphers "HIGH:-3DES:-aNULL" -v
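An added example, not from either poster, that automates the validation step above: it reads `openssl ciphers -v` output and flags any suite using 3DES (Enc=3DES) or no authentication (Au=None), the two things the `-3DES:-aNULL` exclusions are meant to remove. The sample output lines are constructed; the live check assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example: audit a vsftpd ssl_ciphers value via `openssl ciphers -v`.
# Each -v output line looks like:
#   NAME PROTO Kx=... Au=... Enc=... Mac=...
# A suite is "weak" here if it encrypts with 3DES/DES (SWEET32) or has no
# authentication (anonymous DH/ECDH, the aNULL group).

# Return 0 if one `openssl ciphers -v` line describes a weak suite.
is_weak_suite() {
  case "$1" in
    *Enc=3DES*|*Enc=DES*|*Au=None*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the names of weak suites found in -v output read from stdin.
list_weak_suites() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if is_weak_suite "$line"; then
      printf '%s\n' "${line%% *}"   # first field is the suite name
    fi
  done
}

# Count weak suites in -v output read from stdin.
count_weak_suites() {
  n=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if is_weak_suite "$line"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Live check of a cipher string as it would appear in vsftpd.conf;
# prints the number of weak suites, or returns 2 if openssl rejects it.
check_cipher_string() {
  out=$(openssl ciphers -v "$1" 2>/dev/null) || return 2
  printf '%s\n' "$out" | count_weak_suites
}

# Constructed sample of what `openssl ciphers -v HIGH` can contain on an
# older OpenSSL (values illustrative): two 3DES suites and one aNULL suite.
SAMPLE_HIGH='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

if command -v openssl >/dev/null 2>&1; then
  echo "weak suites in HIGH:-3DES:-aNULL: $(check_cipher_string 'HIGH:-3DES:-aNULL')"
fi
```

Run it on the string you plan to put in `ssl_ciphers`; a non-zero count means the list still admits a suite that PCI scanners will flag.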