vsftpd: change ciphers - remove 3DES (PCI / SWEET32)
Posted: 2016/12/15 18:48:21
by KimRinVA
Does anyone know proper configuration for vsftpd to not use 3DES ciphers?
This is not allowed by PCI standards and assigned CVEs: CVE-2016-2183, CVE-2016-6329
https://access.redhat.com/articles/2548661
https://sweet32.info/
Thank you.
Re: vsftpd: change ciphers - remove 3DES (PCI / SWEET32)
Posted: 2016/12/15 19:03:26
by KimRinVA
I think I figured this out....
in vsftpd.conf, ssl_ciphers=HIGH was not working, but you can specify your own ciphers.
openssl ciphers -v shows the ciphers available, and I just picked some at random, leaving off 3DES, and that appears to be working so far.
Separate ciphers by a comma like:
ssl_ciphers=AES256-SHA,CAMELLIA256,PSK-AES256
Re: vsftpd: change ciphers - remove 3DES (PCI / SWEET32)
Posted: 2017/09/21 21:26:22
by mnosler
Found this while researching myself and wanted to reply with a cleaner solution. ssl_ciphers uses the regular openssl ciphers syntax.
To exclude 3DES from "HIGH" use:
ssl_ciphers=HIGH:-3DES
This also includes null-authentication ciphers, so you may want to use:
ssl_ciphers=HIGH:-3DES:-aNULL
You can validate the list with openssl: openssl ciphers "HIGH:-3DES:-aNULL" -v
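The check mnosler describes (expanding the cipher string and confirming that no 3DES or anonymous suites survive) can be scripted rather than eyeballed. The following is an added example, not code from the thread or from vsftpd. It uses Python's ssl module, which wraps the same SSL_CTX_set_cipher_list() call vsftpd hands its ssl_ciphers value to, so the expansion matches what the daemon will actually negotiate with the OpenSSL build Python links against. The cipher strings and the function names are the example's own.

```python
import ssl

# Constructed ssl_ciphers values for comparison (not taken from any real vsftpd.conf).
WEAK_CIPHERS = "HIGH"                 # what the first post tried
HARDENED_CIPHERS = "HIGH:-3DES:-aNULL" # what the thread settles on


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string the way vsftpd consumes ssl_ciphers.

    SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list(), the same function
    vsftpd uses, and raises ssl.SSLError when nothing in the string matches.
    TLS 1.3 suites are dropped from the result because they are not governed
    by this string (OpenSSL selects them separately).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_3des(cipher):
    """True for SWEET32-affected suites (64-bit block cipher 3DES)."""
    desc = cipher["description"]          # same text as `openssl ciphers -v`
    return "Enc=3DES" in desc or "DES-CBC3" in cipher["name"]


def is_anonymous(cipher):
    """True for aNULL suites (no server authentication, trivially MITM-able)."""
    desc = cipher["description"]
    return "Au=None" in desc or (cipher.get("auth") or "").lower() == "auth-null"


def audit_cipher_string(cipher_string):
    """Return a dict describing whether cipher_string is PCI-clean for this CVE pair.

    ok is True only when the string expands to at least one suite and none of
    the expanded suites is 3DES or anonymous.
    """
    try:
        ciphers = expand_cipher_string(cipher_string)
    except ssl.SSLError as exc:
        return {"ok": False, "error": str(exc), "count": 0,
                "three_des": [], "anonymous": []}
    three_des = [c["name"] for c in ciphers if is_3des(c)]
    anonymous = [c["name"] for c in ciphers if is_anonymous(c)]
    return {"ok": bool(ciphers) and not three_des and not anonymous,
            "error": None, "count": len(ciphers),
            "three_des": three_des, "anonymous": anonymous}


if __name__ == "__main__":
    for s in (WEAK_CIPHERS, HARDENED_CIPHERS, "AES256-SHA,CAMELLIA256", "NOSUCHCIPHER"):
        r = audit_cipher_string(s)
        print(f"ssl_ciphers={s}")
        print(f"  ok={r['ok']} suites={r['count']} "
              f"3DES={r['three_des']} aNULL={r['anonymous']} error={r['error']}")
```

Two caveats when reading the output. OpenSSL 1.1.0 moved 3DES from the HIGH group to MEDIUM, so on a current system plain HIGH already excludes it and the -3DES term is belt and braces; on the OpenSSL 1.0.x builds the original posters were running it was required. And the comma-separated form from the first post is accepted as well: SSL_CTX_set_cipher_list treats colons, commas and spaces as equivalent separators, so the only real difference between the two answers is that group syntax (HIGH:-3DES:-aNULL) keeps tracking new suites as OpenSSL is upgraded, while a hand-picked list does not.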