WatchDirectory Forum
http://www.watchdirectory.net/cgi-bin/yabb25/YaBB.pl
http://www.watchdirectory.net/cgi-bin/yabb25/YaBB.pl?num=1509117719

Message started by m.feldspar on Oct 27th, 2017 at 5:21pm

Title: sftp ciphers and MACs
Post by m.feldspar on Oct 27th, 2017 at 5:21pm
We use the ftp plugin to upload files to a customer. The customer has informed us that they will be removing from their ftp site "the following weak ciphers and MACs: "

         aes256-cbc
         aes128-cbc
         cast128-cbc
         hmac-md5

The client suggests we upgrade to use these:
         aes256-ctr
         aes192-ctr
         aes128-ctr
         hmac-sha1

Does WD support these new ciphers & MACs and will our ftp uploads continue to function when the client makes this change? Are there things we need to do to continue using WD for our ftp uploads?

Thanks

Title: Re: sftp ciphers and MACs
Post by Gert on Oct 28th, 2017 at 3:16pm
Hi,

Make sure you run the current (latest) WD release; it has updated support for all current encryptions.

Title: Re: sftp ciphers and MACs
Post by m.feldspar on Oct 30th, 2017 at 9:14pm
Due to an excess of caution my boss is hesitant to upgrade. Can you tell me what version(s) support the newer ciphers? We appear to be running 4.9.0.

Thanks.

Title: Re: sftp ciphers and MACs
Post by Gert on Oct 31st, 2017 at 8:45am
4.9.0 is 2.5 years old, see http://www.watchdirectory.net/wdhelp/help/wdcc_version_history.html

Note that upgrading to the current release is free; just make sure to accept all defaults during install of the evaluation download and it will "see" your current tasks and license information.

Title: Re: sftp ciphers and MACs
Post by m.feldspar on Nov 1st, 2017 at 10:46pm
Yes, I know but bosses have to be bosses....

I convinced him to upgrade. Now we have this problem. The client continues to support the old ciphers and WD seems to choose to use the old ciphers. One would assume that if they offer the old ciphers we would be free to use them, but not so. The client wants us to prioritize use of the newer ciphers. Is there any way to do that?

Title: Re: sftp ciphers and MACs
Post by m.feldspar on Nov 3rd, 2017 at 7:05pm
Is there any way to prioritize the order in which the ciphers are selected for use?

Title: Re: sftp ciphers and MACs
Post by Gert on Nov 4th, 2017 at 9:49am
I will have to look into whether the FTP library used by WD supports that. If it does, we can change WD to give you an option which cipher it will use.


Title: Re: sftp ciphers and MACs
Post by Gert on Nov 4th, 2017 at 10:33am
It looks like currently WD offers this encryption list to the SFTP server:
aes192-cbc
aes192-ctr
3des-cbc
blowfish-cbc
aes128-cbc
aes128-ctr
aes256-cbc
aes256-ctr
rijndael128-cbc
rijndael192-cbc
rijndael256-cbc
rijndael-cbc@lysator.liu.se
des-cbc
des-cbc@ssh.com

and this hmac list (digest algorithms):
hmac-sha2-256
hmac-sha2-512
hmac-sha1
hmac-sha1-96
hmac-md5
none

(and a very long list of SSL ciphers for FTPS connections).

In the order above. The first one that matches an encryption offered by the server will be chosen. I will get you a beta where you can reorder or change the above lists. Probably early next week.
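
Added example (not part of the forum thread and not WatchDirectory code): the selection rule described in the post above, which is also the SSH transport rule in RFC 4253 section 7.1, applied to the lists posted in this thread. The server lists and the `prioritise` helper are assumptions constructed for illustration; the thread does not give the customer's full server list.

```python
# Client lists copied from the post above, in the order WD offers them.
WD_CIPHERS = [
    "aes192-cbc", "aes192-ctr", "3des-cbc", "blowfish-cbc", "aes128-cbc",
    "aes128-ctr", "aes256-cbc", "aes256-ctr", "rijndael128-cbc",
    "rijndael192-cbc", "rijndael256-cbc", "rijndael-cbc@lysator.liu.se",
    "des-cbc", "des-cbc@ssh.com",
]
WD_MACS = ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96",
           "hmac-md5", "none"]

# From the first post: what the customer recommends and what it will remove.
PREFERRED_CIPHERS = ["aes256-ctr", "aes192-ctr", "aes128-ctr"]
CUSTOMER_WEAK = {"aes256-cbc", "aes128-cbc", "cast128-cbc", "hmac-md5"}

# Constructed sample (assumption): a server that still offers old and new
# algorithms. aes192-cbc is included only to show the ordering effect.
SERVER_NOW = ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc",
              "aes192-cbc", "aes128-cbc", "cast128-cbc"]
SERVER_MACS_NOW = ["hmac-sha1", "hmac-md5"]
# Constructed: the same server once the algorithms named as weak are gone.
SERVER_AFTER = [c for c in SERVER_NOW if c not in CUSTOMER_WEAK]


def negotiate(client_prefs, server_offers):
    """Return the first client entry the server also offers, or None."""
    offered = set(server_offers)
    return next((alg for alg in client_prefs if alg in offered), None)


def prioritise(client_prefs, preferred, drop=()):
    """Hypothetical helper: preferred entries first, dropped ones removed."""
    head = [a for a in preferred if a in client_prefs]
    tail = [a for a in client_prefs if a not in head and a not in drop]
    return head + tail


if __name__ == "__main__":
    reordered = prioritise(WD_CIPHERS, PREFERRED_CIPHERS, CUSTOMER_WEAK)
    print("default order  :", negotiate(WD_CIPHERS, SERVER_NOW))
    print("reordered      :", negotiate(reordered, SERVER_NOW))
    print("default MAC    :", negotiate(WD_MACS, SERVER_MACS_NOW))
    # A client limited to the algorithms being removed has no match left.
    print("cbc-only client:", negotiate(["aes256-cbc", "aes128-cbc"], SERVER_AFTER))
```

Because the client's order decides the outcome, a server that merely keeps a CBC cipher enabled does not force its use; the client list has to be reordered or trimmed for the CTR ciphers to win.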
