Articles from security category

Use Let's Encrypt to protect your FTP server

Fri 04 January 2019 | article

A brief history of FTP (in)security

The FTP protocol as used today was defined in 1985 (RFC 959) based on a design created in 1971.

It was designed without taking security into consideration. All transmissions are in clear text, including username, password, and actual transferred data. All FTP communication can be easily intercepted by anyone able to capture your local or Internet traffic.

This problem is common to many of the Internet Protocol specifications (Telnet, SMTP, IMAP, etc.) that were designed prior to the creation of encryption mechanisms such as SSL or TLS.

In 1997 (RFC 2228), the FTP protocol was extended, and specifications for using secure connections were set in place. The end result is what is commonly known as the FTPS protocol.

The FTPS protocol is also sometimes referred to as Secure FTP or FTP over SSL. All these names refer to the same protocol extension.

FTPS should not be confused with the SFTP protocol, a secure file transfer subsystem for the Secure Shell (SSH) protocol. FTPS is not compatible with SFTP.

Upgrade the security of your legacy FTP server

With the widespread popularity of wireless networks, it is easier than ever to monitor network traffic. And therefore capture usernames, passwords, and actual data sent over the plain old FTP protocol.

Until recently, in order to secure public FTP servers using TLS you had to buy and manually install an X509 / SSL Certificate from one of the trusted certificate authorities. A certificate was typically valid for 1 or 2 years, and the process of buying, obtaining, and then installing a new certificate was slow and painful, as most steps required manual interventions.

With the creation of the Let's Encrypt certificate authority, you can now automatically get a TLS certificate at no extra cost in a matter of seconds.

By switching to FTPS, usernames, passwords, and actual data transferred by your FTP server are protected using the latest security standard.

Let's Encrypt and FTPS

Let's Encrypt for FTPS Server

Let's Encrypt (sometimes shortened as LetsEncrypt) is a certificate authority that provides SSL/X.509 certificates at no charge.

SFTPPlus can automatically and seamlessly request certificates for HTTPS and FTPS file transfer services. You only need to configure the domain name, SFTPPlus will take care of the rest. No need to use external tools like letencrypt.exe copy files in paths like /etc/letsencryt or C:siteswwwroot.

For technical details on Let's Encrypt in general, and on using it with a FTPS server in particular, consult the dedicated article.

If you have decided to use Let's Encrypt, check our dedicated documentation page to see how to enable Let's Encrypt for your FTP server.

This resource is written as of SFTPPlus version 3.43.0.

Evaluating SFTPPlus MFT

The features listed in this article are just a selected few out of many integration and configuration options that are available today. Feel free to talk to the Support team about your requirements with file transfer software.

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, AIX, MacOS, Solaris, HP-UX, and FreeBSD.

It is also available on the cloud as Docker containers, AWS or Azure instances and many other cloud providers.

Request a trial using the form below.

• • •

Secure your FTPS server with Let's Encrypt

Thu 29 November 2018 | article

Introduction

Let's Encrypt for FTPS Server

What is Let's Encrypt?

Let's Encrypt (sometimes shortened as LetsEncrypt) is a certificate authority that provides SSL/X.509 certificates at no charge. You can read more on the subject in the Wikipedia article on Let's Encrypt.

A Let's Encrypt certificate is valid for 90 days, but it is recommended to renew it 30 days before expiration.

Certificates are provided using an automated process designed to automate creation, signing, installation, and renewal of certificates for websites in a secure manner.

Only Domain-validated certificates are being issued. Organization-Validated and Extended Validation (EV) Certificates are not available.

How does Let's Encrypt work?

Let's Encrypt uses the Automatic Certificate Management Environment (ACME) protocol.

ACME is a communications protocol for automating interactions between certificate authorities and their users, allowing automated deployments of public key infrastructure (PKI).

SFTPPlus as an ACME client

SFTPPlus implements the client side of the ACME protocol.

It can connect to the Let's Encrypt ACME server, and automatically request SSL/X.509 certificates, free of cost.

To prove that it has administrative rights over a domain, SFTPPlus runs an embedded HTTP server, available over port 80, which implements the HTTP-01 challenge of the ACME protocol.

SFTPPlus can automatically request certificates for HTTPS and FTPS file transfer services, as well as for the Local Manager web console.

The obtained certificates are signed by the Let's Encrypt authority, which is automatically trusted by all modern operating systems. For example, an FTP client using the Windows Certificate Store will automatically accept the certificate used to encrypt a connection to a SFTPPlus server using Let's Encrypt.

All this is done automatically through SFTPPlus' seamless Let's Encrypt integration. You only need to configure the domain name, SFTPPlus will take care of the rest. No need to use external tools like letencrypt.exe, store or copy files in directories like /etc/letsencryt or C:siteswwwroot.

Let's Encrypt and FTPS

While Let's Encrypt was created for HTTPS websites, you can use the same certificate signed by Let's Encrypt's Certificate Authority for FTPS communication.

You can use Let's Encrypt for any secure FTP protocol, be it Explicit FTPS or Implicit FTPS. The certificates can be used over both SSL and TLS, including TLS 1.2.

You still need to have port 80 opened or forwarded to SFTPPlus for the automated certificate generation and renewal.

Check our dedicated documentation page to see how to enable Let's Encrypt for your FTPS server.

This resource is written as of SFTPPlus version 3.42.0.

Evaluating SFTPPlus MFT

The features listed in this article are just a selected few out of many integration and configuration options that are available today. Feel free to talk to the Support team about your requirements with file transfer software.

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, AIX, MacOS, Solaris, HP-UX, and FreeBSD.

It is also available on the cloud as Docker containers, AWS or Azure instances and many other cloud providers.

Request a trial using the form below.

• • •

Setting up security scanners for your SFTPPlus MFT Server

Wed 20 June 2018 | article security

Introduction

OWASP Logo

The following is a short guide on how you can set up a security scanner for your SFTPPlus MFT Server installation. For this guide, we have chosen a free and open source scanner, OWASP Zed Attack Proxy or zaproxy, as an example.

Of course, there are a number of other software and tools that you can use and all with varying mileage.

We can also cover these other tools, depending on interest. Therefore, if you would like to see more of these types of posts from SFTPPlus, please make sure to contact us. If you are not familiar with the terms, or need to do some background reading, you can scroll down to the Other resources section first.

To be kept up to date with the latest developments, please sign up to our security advisories.

About OWASP Zed Attack Proxy or zaproxy

For our server-side scan of the SFTPPlus MFT service (HTTPS and HTTP) and Local Manager, we used the OWASP Zed Attack Proxy or zaproxy which is a free and open source penetration testing tool released by OWASP and developed for website application security testing.

After running the application, you can generate a report for further consumption. The report contains OWASP ZAP specific terminology. These are listed below for your reference.

WASC ID This is the ID provisioned by the Web Application Security Consortium (WASC) Threat Classification project. Read more about WASC here.

CWE ID This is the ID provisioned by the Common Weakness Enumeration (CWE) project. Read more about CWE here.

Confidence This is the description of how confident the result is in the validity of the finding.

  • False Positive - for potential issues that one will later find is actually not exploitable.
  • Low - for unconfirmed issues.
  • Medium - for issues that zaproxy is somewhat confident in.
  • High - for findings that zaproxy is highly confident in.
  • Confirmed - for confirmed issues.

Risk Description of how serious the risk is. The risk shown is from the report generated by zaproxy.

Source This is the ZAP policies code. Read more here.

Using zaproxy to conduct an active scan on SFTPPlus services

Prerequisite

As a standard prerequisite, you will need the zaproxy application, a version of SFTPPlus Server software and consent to conduct these types of scanning activities if you are doing so on behalf of a group or organization.

For this example, we will be conducting an active scan of the SFTPPlus HTTP service available on the default port 10080. There are also other web-browser based services that you can scan such as the SFTPPlus Local Manager on port 10020 and the HTTPS service available on the default port 10443.

In addition, scanning can affect availability. We recommend a backup of your database.

What is an active scan?

Active scanning will attempt to find potential vulnerabilities by using known attacks against the selected target, in this case the SFTPPlus HTTP service. It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.

Also, scanning will unearth results that also need to be consumed and understood by the relevant parties.

Setting up an active scan

In order to attack the authenticated part of the HTTP service, we will need to add the HTTP session token in the zaproxy application.

Go to 'Tools' -> 'Options' -> 'HTTP Sessions' -> add chevah_http_session in the Token Name. Make sure that this token is enabled then select 'OK'.

See screenshot below:

OWASP zaproxy adding custom HTTP sessions pane

Make sure that the 'HTTP Sessions' tab is open. To view the 'HTTP Sessions' tab, go to 'View' -> select 'Show Tab' -> then 'HTTP Sessions'. At this stage, the pane is empty but it will soon be populated with the correct values in the later steps.


In the 'Quick Start' pane, add http://localhost:10080 in the 'URL to attack' field. This is the URL for the SFTPPlus HTTP web-browser based file manager service. Do not press 'Attack', instead scroll down and select 'Launch Browser' for Chrome.

See screenshot below:

OWASP zaproxy Welcome pane

The reason why you cannot go straight to attacking/scanning the resource is because it still requires authentication. If not authenticated with zaproxy, you will see an error Failed to attack the URL: received a 401 response code.


After selecting 'Launch Browser', a new Chrome browser will launch and you will start seeing activity in the 'Sites' pane. The browser should have 'Explore your application with ZAP' as the landing page.

Open the URL http://localhost:10080 in the Chrome browser and login to the test file transfer account.

Once logged in, you should now see http://localhost:10080 in the 'Sites' pane.

OWASP zaproxy Sites pane

In the 'Sites' pane, right-click over the http://localhost:10080 URL and select 'Include in Context' then 'Default Context'.

OWASP zaproxy Sites pane

In the 'HTTP Sessions' pane, you should now see that there is a new session added for the site localhost:10080 with values populated in the 'Session Tokens' Values' field.

If you do not see any values, launch the SFTPPlus HTTP service again and log in.

OWASP HTTP Sessions pane with populated Session Tokens' Values

Back in the 'Sites' pane, right click over the localhost URL, select 'Attack' -> 'Active Scan'.

For one of our tests, we only wanted to scan the HTTP headers to see if the version of SFTPPlus would be able to escape possible CSRF attacks. In this case, for the 'Input Vectors' tab, only the 'HTTP Headers, All Requests' vector was selected. You can choose other vectors according to your own requirements or you can opt to choose all vectors.


Allow the scan to work. The times can vary.

OWASP HTTP Sessions pane with populated Session Tokens' Values

Alerts are located in the 'Alerts' tab. You can read what the Alert is about from this pane. Please note that alerts may include alerts from associated third party services.


You can generate the report after the scan has completed.

Select 'Report' on the top menu > 'Generate HTML Report' and save the file.

Other reporting file formats can be used such as JSON, XML, Markdown.

OWASP HTTP Sessions pane with populated Session Tokens' Values

Example scan result

Below is an example scan of what you may find. Please note that results will differ depending on factors such as your installation, configuration and SFTPPlus version:

Low Risk: Web Browser XSS Protection Not Enabled
Details:
URL:
Risk: Low
Confidence: Medium
CWE ID: 933 - Security Misconfiguration -
https://cwe.mitre.org/data/definitions/933.html
WASC ID: 14 - Server Misconfiguration
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration
Source: Passive (10016 - Web Browser XSS Protection Not Enabled)

Description:
Web Browser XSS Protection is not enabled, or is disabled by the
configuration of the 'X-XSS-Protection' HTTP response header on
the web server

Other info:
The X-XSS-Protection HTTP response header allows the web server
to enable or disable the web browser's XSS protection mechanism.
The following values would attempt to enable it:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss
The following values would disable it:
X-XSS-Protection: 0
The X-XSS-Protection HTTP response header is currently supported
on Internet Explorer, Chrome and Safari (WebKit).
Note that this alert is only raised if the response body could
potentially contain an XSS payload (with a text-based content type,
with a non-zero length).

Solution:
Ensure that the web browser's XSS filter is enabled, by setting
the X-XSS-Protection HTTP response header to '1'.

Reference:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

Upon seeing reports in regards to XSS vulnerabilities, we have fixed user input escaping where error messages where done without the user input and also added validation of the user input.

Therefore, the HTML rendering code for the HTTP service has been added to ensure that this is not the case to secure user input.

As part of this change, we have also added new automated tests for the HTTP service as part of our quality assurance reviews.

Example SFTPPlus audit log during a scan

As you can see, the scan generated some potential CSRF attacks which SFTPPlus version 3.34.1 detected and therefore disconnected against:

| 40018 2018-06-07 11:05:43 Process Unknown 127.0.0.1:58871
  Forcing client disconnection at "/unwanted.js" after
  receiving 0 bytes in body. Response: 400 Possible CSRF

The above is just an example of what you may see in the audit log and is not related to the scan result in the previous section.

The reason why you are seeing this in the audit trail is that we now enforce requests from the same origin including basic requests such as GET and even older HTTP requests such as POST.

This is to ensure that requests from the outside boundary (the Internet) are not interacting with the safe confines of the HTTP file service or the Local Manager.

We have ensured that the browser is forced to download data, rather than execute data, after checking the Origin and Referrer headers are of the same source.

What to do if you find an issue

The first step is to check if you have the latest version of SFTPPlus. New versions will contain not only new features, but also defect fixes including security bug fixes.

The second step is to look at the type of alert and to do a manual confirmation of the feasibility of the alert (for example, if it's a false positive) and to confirm the results from zaproxy. The alerts are meant to be guidance for further investigations.

If there is a bug found, please do not hesitate to contact SFTPPlus Support with your defect report.

Keep up to date by signing up to our security advisories

SFTPPlus continues to be focused on automated, non-interactive file transfers in a secure fashion. Our security practices have been designed to make this a reality for our clients.

To be kept up to date with the latest security advisory and news, please subscribe to out newsletter here.

Other resources

The details in this resource is for guidance only. Influences such as own security policies, requirements, and threat models should be considered when adopting this type of guidance.

This resource is written as of SFTPPlus version 3.34.1.

Evaluating SFTPPlus MFT

The features listed in this article are just a selected few out of many integration and configuration options that are available today. Feel free to talk to the Support team about your requirements with file transfer software.

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, AIX, MacOS, Solaris, HP-UX, and FreeBSD.

It is also available on the cloud as Docker containers, AWS or Azure instances and many other cloud providers.

Request a trial using the form below.

• • •

Secure cipher suites for the ssl_cipher_list configuration

Thu 03 May 2018 | security

Default SSL cipher suites

With the release of SFTPPlus 3.32.0, we have changed the default set of SSL cipher suites for the Local Manager and the HTTPS service. As with any product that runs in many environments, SFTPPlus uses a default set of SSL-related parameters that are a compromise between security and compatibility. Up to SFTPPlus version 3.31.0, we were using this highly compatible, but still reasonably secure, default set:

ssl_cipher_list = 'ALL:!RC4:!DES:!3DES:!MD5:!EXP'

Starting with SFTPPlus version 3.32.0, we strongly emphasize our focus on security. The default setting for OpenSSL cipher suites in SFTPPlus is now:

ssl_cipher_list = 'HIGH:!PSK:!RSP:!eNULL:!aNULL:!RC4:!MD5:!DES:!3DES:!aDH:!kDH:!DSS'

Notice that we now derive our default set from the HIGH set of cipher suites in OpenSSL. As improved cipher suites are added in OpenSSL, and new vulnerabilities are discovered and patched for, this specific set of cipher suites will be continuously improved upon by the OpenSSL developers. By keeping OpenSSL libraries updated through OS-specific procedures, our customers' SFTPPlus installations will benefit from these upstream improvements.

This new default set of safe cipher suites is also encapsulated within the secure configuration option, so you may simply use the following:

ssl_cipher_list = secure

Testing your HTTPS server

In ensuring that the secure configuration option for ssl_cipher_list in SFTPPlus is actually secure enough for your needs, you should try auditing your HTTPS setup using the Qualys SSL Labs' SSL Server Test.

This is a free online service that performs an analysis of the configuration of any public HTTPS server listening on the standard 443 port. When results are submitted, a grade from A to F is provided. You can read more about Qualys' SSL Server Rating Guide in their GitHub wiki here.

Assuming you are using a modern version of OpenSSL, such as version 1.0.2, a default installation of SFTPPlus version 3.32.0 will currently yield a score of B. This is because we still care about compatibility with older clients in the default setup.

However, you might want to go beyond that and try to obtain a Qualys SSL Server Rating of A for your SFTPPlus installation. A set of ciphers suites that sacrifices a bit of compatibility to reach the Grade A rating would be:

| ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
| ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384

Keep in mind that clients such as Internet Explorer on Windows XP, Java 6.x clients and Android 2.x users will not be able to access your server any more. For guiding you in picking the best cipher suites for your OpenSSL version, we recommend Mozilla's SSL Configuration Generator.

Another way to increase the security of your HTTPS setup is to disable support for older SSL methods such as TLS v1.0 and v1.1. While as of April 2018 there are no known vulnerabilities specific to TLS v1.0 or v1.1, supporting only the newest standard will ensure better security through the use of more modern cipher suites.

In seeking the perfect balance between security and compatibility, you may wish to consider configuring only some services to have stricter cipher suites and/or TLS policy. These could be administration facing services such as the SFTPPlus Local Manager. For other services, you may need to adopt a policy that allows a compatible set as the default value for services such as HTTPS.

For example, here's the difference between secure and compatible SSL methods. Note that the secure method does not provide backward compatibility:

Secure methods:
ssl_allowed_methods = tlsv1.2

This indicates that the server will only support TLS v1.2, and will not communicate with a client that supports only TLS v1.0 and/or TLS v1.1.

A more lenient set of SSL methods would be:

Compatible methods:
ssl_allowed_methods = tlsv1.0 tlsv1.1 tlsv1.2

This indicates that the server will support clients using TLS version v1.2 and can communicate with clients that only support TLS v1.0 and/or TLS v1.1.

Beware that not supporting TLS v1.0 would mean dropping support for clients from older operating systems such as RHEL 5, SLES 11 and Solaris 10, as well as obsolete platforms like Android 4.0-4.3, Internet Explorer on Windows Vista and Win Phone 8.0, Java 7 clients. Anything using the old OpenSSL 0.9.8 version is also included.

Therefore, you may need to reach a compromise in choosing the ssl_allowed_methods too, and only restrict the SSL methods for the more sensitive services such as Local Manager.

Other resources to use

The details in this resource is for guidance only. Influences such as own security policies, requirements, and threat models should be considered when adopting this type of guidance.

This resource is written as of SFTPPlus version 3.33.0.

Evaluating SFTPPlus MFT

The features listed in this article are just a selected few out of many integration and configuration options that are available today. Feel free to talk to the Support team about your requirements with file transfer software.

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, AIX, MacOS, Solaris, HP-UX, and FreeBSD.

It is also available on the cloud as Docker containers, AWS or Azure instances and many other cloud providers.

Request a trial using the form below.

• • •

SFTPPlus and its relevance with the OIAC Privacy Act and ASD ISM

Mon 16 April 2018 | australia compliance privacy

In this post, we outline two main compliance obligations relevant to Australia - the OIAC Privacy Act and the ASD ISM. For those familiar with other international compliance obligations, such as the GPG13 (Good Practice Guide) provided by the UK or HIPAA (Health Insurance Portability and Accountability Act) provided by the US, they will find the following information useful, especially when handling data and subsequent file transfers with Australian customers.

The following is just an introductory overview focusing on how SFTPPlus can help organizations with these obligations.

About the Privacy Act 1988

The Office of the Australian Information Commissioner (OIAC) administers the Privacy Act 1988. This Act is an Australian law which regulates the handling of personal information about individuals.

According to the OIAC, the Privacy Act includes thirteen Australian Privacy Principles (APPs). These APPs set out standards, rights and obligations for the handling, holding, use, access and correction of personal information including sensitive information. For more details, please refer to the OIAC website.

By ensuring that there is data in-motion encryption, such as the use of SFTP and FTPS in file transfers, organizations and businesses can ensure further security for their file transfers in order to help meet certain obligations indicated within the Privacy Act 1988.

About the ASD ISM

The Australian Signals Directorate (ASD), an intelligence agency in the Australian Government Department of Defence, has provisioned the Information Security Manual (ISM). Originally for government agencies to apply in order to protect ICT systems, the manual can also be of use for the private sector.

For the full documentation and details, please go to the ASD website. This page is based on the 2017 ISM Manual that was updated in November 2017.

Standard Operating Procedures (SOPs)

While the manual itself encompasses a wide range of topics from access controls to the use of ICT equipment, we have mapped components (SOPs) that is of direct or indirect relevance to file transfers involving SFTPPlus.

The following are Standard Operating Procedures (SOPs) as listed from page 36 of the ISM.

Access control

Procedure to be included: Authorising access rights to applications and data.

The SFTPPlus features that will help organizations meet this SOP include; ability to authorize access based on an existing authentication method (such as LDAP or operating system), ability to authorize or via an SFTPPlus application account.

Another example of rolling out proper access authorization is via permissions. User permissions can be set in the application based on extension (such as only making .exe files read-only) and directory (such as only allowing full control for certain folders).

Audit logs

Procedures to be included: Reviewing system audit trails and manual logs, particularly for privileged users.

For each server event that is emitted, this is logged within an audit trail that is available for SFTPPlus administrators. The example log below is of a user authenticating:

| 30014 2018-04-02 10:50:42 Process Unknown 127.0.0.1:50668 New SSH
  connection made.
| 20137 2018-04-02 10:50:42 single-server-uuid 127.0.0.1:50668 Account
  "erica" of type "os" authenticated as "erica" by os authentication
  "Operating System Accounts" using ssh-key.

Note that details such as the date, time, type of connection, type of authentication, account name and more are included in this audit log.

Data Transfers

Procedures to be included: Managing the review of media containing information that is to be transferred off-site. Managing the review of incoming media for viruses or unapproved software.

For the thorough review of media containing sensitive information, it is expected that SFTPPlus be integrated with a DLP (data leak prevention) software and other related policies to help prevent data leaks.

For the review of incoming media, SFTPPlus can also be integrated with antivirus checks as part of a file transfer process.

Our own customers are already integrating with a number of software that monitors and protects the boundary as part of their file transfer infrastructure.

System integrity audit

Procedures to be included: Reviewing user accounts, system parameters and access controls to ensure that the system is secure. Checking the integrity of system software. Testing access controls.

The text configuration server.ini file is available to review all configurations - from the authentication methods, configuration parameters and configuration options right through to the services being used.

The SFTPPlus Local Manager also includes the ability to review any changes made, before applying it to the system.

System maintenance

Procedures to be included: Managing the ongoing security and functionality of system software, including; maintaining awareness of current software vulnerabilities, testing and applying software patches /updates / signatures, and applying appropriate hardening techniques

SFTPPlus upgrades are designed to minimize disruption.

Transport Layer Security (TLS) in the ISM

Page 250 of the ISM details these conditions under which TLS can be used, including FTP over TLS (or in other words, FTPS).

The FTPS service can be configured to ensure meeting this conditions - such as using tls v1.2. To meet the requirement of meeting Perfect Forward Secrecy as determined in page 251 of the ISM, SFTPPlus administrators can explicitly state which SSL ciphers to use. These are cipher suites that implement Perfect Forward Secrecy - Diffie–Hellman key exchange (DHE-RSA, DHE-DSA) or elliptic curve Diffie–Hellman (ECDHE-RSA, ECDHE-ECDSA). Administrators can use the secure configuration option to only ensure the SSL Cipher Suite configuration for the FTPS service is updated to only use the secure ciphers as recommended by the OpenSSL library.

Evaluating SFTPPlus MFT

The features listed in this article are just a selected few out of many integration and configuration options that are available today. Feel free to talk to the Support team about your requirements with file transfer software.

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, AIX, MacOS, Solaris, HP-UX, and FreeBSD.

It is also available on the cloud as Docker containers, AWS or Azure instances and many other cloud providers.

Request a trial using the form below.

• • •