Cerberus FTP Server FAQ

Security

Q1: How do I disable the RC4 cipher and MD5 MAC algorithm?

First, make sure you are running the latest Cerberus FTP Server release. The steps and guidance below only apply to the latest official release.

The RC4 cipher can be used for encryption with SSL connections. To disable RC4 as an option, the SSL cipher string will need to be modified to explicitely exclude RC4 as an option. This can be done by appending the the string :!RC4 to the current string.

The SSL cipher string can be accessed and changed on the Security page of the Server Manager. Press the Advanced button to bring up the Advanced Security dialog.

No SSH2 cipher changes are necessary since Cerberus has never supported RC4 as an SSH2 encryption option.

MD5 can be disabled for SSL in a similar way. Just append the string :!MD5 to the cipher string

An example SSL cipher string that disabled RC4 and MD5:

ALL:!LOW:!EXP:!aNULL:!RC4:!MD5:@STRENGTH

You can disable support for MD5 MAC in SSH2 SFTP by unchecking the hmac-md5 option under the SSH HMAC List box on the Advanced Security dialog page. A full Cerberus FTP Server Windows Service restart from the Services control panel in Windows is required for any changes to the SSH cipher or MAC list to become active.

Q2: How do I protect Cerberus against the “Heartbleed” vulnerability?

The latest 6.0.14 and 7.0.8 Cerberus FTP Server releases have been patched against Heartbleed. Please upgrade to the latest releases immediately.

Versions below 6.0 are no longer supported and will not be patched.

Q3: How do I protect Cerberus against the “POODLE” vulnerability?

The POODLE vulnerability relies on a protocol vulnerability that allows an attacker to downgrade a TLS connection to SSL v3.0. The SSL v3.0 protocol is now considered obsolete and insecure.

The latest 6.0.14 and 7.0.8 Cerberus FTP Server releases have been patched to disable SSL v3.0 completely, thereby mitigating this protocol vulnerability. We recommend upgrading immediately.

Versions below 6.0 are no longer supported and will not be patched.

Q4: How do I protect Cerberus against the “Logjam” vulnerability?

First, make sure you are running the latest Cerberus FTP Server release. The steps and guidance below only apply to the latest official release.

Researchers have recently uncovered several weaknesses in how Diffie-Hellman (DH) key exchange has been deployed. The Logjam vulnerability exploits these weaknesses to negotiate weak encryption when used with SSL that can be broken with common hardware available today.

Cerberus FTP Server allows administrators to supply their own DH parameter files for use in DH key exchange. The simple solution is to replace the lower strength 512 and 1024 bit files with 2048 bit primes. This will ensure that Cerberus FTP Server always supplies at least 2048 bit DH parameters for key exchange. To do this:

1. Delete the files:

C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates\dh512.pem

C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates\dh1024.pem

2. Make two copies of the file:

C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates\dh2048.pem and rename the two copies dh512.pem and dh1024.pem. These two files will replace the original lower strength DH prime files.

You must restart the Cerberus FTP Server Windows Service from the Services control panel for this change to take effect.

You should also upgrade your SSH2 SFTP clients to versions that support Elliptic-Curve Diffie-Hellman Key Exchange (ECDH). ECDH key exchange avoids all known feasible cryptanalytic attacks, and modern web browsers and SFTP clients now prefer ECDHE over the original, finite field, Diffie-Hellman. Cerberus FTP Server has supported and preferred ECDH for several years so support is already present in the latest 6.0 and higher releases.

Q5: How do I provide robust support for Perfect Forward Secrecy with modern web browsers and FTPS clients?

First, make sure you are running the latest Cerberus FTP Server release. The steps and guidance below only apply to the latest official release.

Enabling strong support for Perfect Forward Secrecy (PFS) requires a carefully crafted SSL cipher string to enable and prioritize the appropriate key exchange suites.

The SSL cipher string can be accessed and changed on the Security page of the Server Manager. Press the Advanced button to bring up the Advanced Security dialog.

We currently recommend the following string for strong PFS support:

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

Close Cart

Shopping Cart