SFTPPlus version 5.0.0 is now available.

This is a major new release.

The focus of this major release is on improving the default security level.

For SFTPPlus setups installed as version 4, this is a minor upgrade.

For SFTPPlus setups installed as version 3, you need to either increase the default security level or configure SFTPPlus to explicitly accept a lower security level.

To enable lower security, you need to use the secure@seclevel=0 option for the TLS configuration:

ssl_cipher_list = secure@seclevel=0

---

For HTTPS connections, it is now required to configure remote URLs using a fully-qualified domain name (FQDN). This permits validating the identity of the remote server.

Outgoing HTTPS and TLS connections now require by default the validation of the remote server's identity.

The security level of such a connection is defined by the following elements:

* TLS version in use (TLS 1.2 and TLS 1.3 recommended),
* type and size of the private key in use (ECDSA and RSA-2048 or better recommended),
* hash signature algorithm in use (SHA-256 or higher recommended),
* identity validation of the remote server.

RSA keys of size 1024 and TLS certificates signed using SHA-1 are no longer accepted by default.
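As an added illustration (not SFTPPlus code), the following Python client-side configuration mirrors the 5.0.0 defaults listed above: TLS 1.2 as the floor, mandatory validation of the remote identity, an FQDN check on the configured URL, and an explicit opt-in for the lower security level. It assumes OpenSSL 1.1 or later, and that the secure@seclevel=N option corresponds to OpenSSL's @SECLEVEL=N cipher-string suffix, where level 2 rejects RSA keys below 2048 bits and SHA-1 signatures and level 0 accepts them.

```python
import ipaddress
import ssl
from urllib.parse import urlsplit

# Assumed mapping: level 2 is the strict default, level 0 is the explicit
# "accept lower security" opt-in (secure@seclevel=0).
STRICT_SECLEVEL = 2
LEGACY_SECLEVEL = 0


def make_client_context(seclevel: int = STRICT_SECLEVEL) -> ssl.SSLContext:
    """Build a client TLS context for an outgoing HTTPS/TLS connection."""
    ctx = ssl.create_default_context()            # chain validated against system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0 / 1.1 are never offered
    ctx.verify_mode = ssl.CERT_REQUIRED           # remote identity must be validated
    ctx.check_hostname = True                     # and must match the requested FQDN
    # Lowering the level only relaxes the key-size / signature-hash floor;
    # the identity check stays on. Raises ssl.SSLError if the build lacks SECLEVEL.
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={seclevel}")
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the settings that matter for the security level."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def check_remote_url(url: str) -> tuple[bool, str]:
    """Accept only https URLs whose host is an FQDN, not an IP literal or bare name."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)                # handles IPv4 and bracketed IPv6
        return False, "host must be an FQDN, not an IP literal"
    except ValueError:
        pass
    if "." not in host.strip("."):
        return False, "host is not fully qualified"
    return True, host
```

A URL rejected by check_remote_url would also fail the hostname check at handshake time; rejecting it at configuration time gives the operator a clearer error.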

The hmac-sha1 message authentication code (MAC) is no longer included in the list of secure ciphers for SFTP.

You can check the full release notes here.