SFTPPlus Documentation


9.1. Supported Cryptographic Standards

This page describes the cryptographic methods, protocols, and algorithms supported by SFTPPlus.

SFTPPlus provides an easy configuration option for both ssl_cipher_list and ssh_cipher_list: the value secure.

This will keep the list of accepted cryptographic methods up to date with modern security practices.

When using the secure configuration option for an SSL/TLS/SFTP/SCP client and server-side transfer, the list of accepted ciphers might change between SFTPPlus or OpenSSL upgrades.

Connections that use cryptography which is no longer considered secure will stop working after such updates.

Note

If you are concerned about legacy connections and don’t want to disturb existing transfers between updates, even when they are using weak encryption, don’t use the secure value. Instead, configure an explicit list of ciphers. In this way, the configuration will stay the same between SFTPPlus updates.

9.1.1. SSL/TLS protocol family

The secure file transfer services implemented in FTPS and HTTPS are based on the Transport Layer Security (TLS) protocol, which is the successor of the Secure Sockets Layer (SSL) protocol.

9.1.1.1. Default secure SSL/TLS configuration

When using the secure value for the ssl_cipher_list, the following algorithms are enabled:

HIGH:!PSK:!RSP:!eNULL:!aNULL:!RC4:!MD5:!DES:!3DES:!aDH:!kDH:!DSS

This list provides maximum compatibility with existing deployments and does not contain ciphers which are considered weak.

SFTPPlus uses the OpenSSL library provided by the operating system, with some exceptions, most notably Windows. The OpenSSL version included in your operating system might not provide all the ciphers which are required by older SSL/TLS versions of the standard. This applies especially to cryptographic methods which in recent years were discovered to no longer be secure. For example, SSLv3 is no longer provided at all. While 3DES was considered secure at the beginning of 2016, in August 2016 it was discovered that it is vulnerable to the SWEET32 attack. Therefore, 3DES support is no longer included with the latest updates for most operating systems.

To verify the list of ciphers available for your operating system use:

openssl ciphers -V
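The same expansion can be scripted to produce the explicit list suggested in the note above and to compare it with a list recorded before an upgrade. This is an added example, not SFTPPlus code; it inspects the OpenSSL linked into the Python interpreter (which may differ from the one SFTPPlus uses) and assumes ssl_cipher_list accepts OpenSSL cipher-string syntax. The function names and the "before" record are constructed for illustration.

```python
import ssl

# Cipher string the page lists for ssl_cipher_list = secure (copied verbatim).
SECURE = "HIGH:!PSK:!RSP:!eNULL:!aNULL:!RC4:!MD5:!DES:!3DES:!aDH:!kDH:!DSS"

# Name fragments of families the string excludes (RC4, MD5, DES/3DES, PSK,
# NULL encryption, anonymous DH/ECDH, DSS).
EXCLUDED = ("RC4", "MD5", "DES", "PSK", "NULL", "ADH", "AECDH", "DSS")


def expand(cipher_string):
    """Return (name, protocol) for every suite the local OpenSSL selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def leaked(suites):
    """Suites whose name shows a family the string was meant to exclude."""
    return sorted(n for n, _ in suites if any(f in n for f in EXCLUDED))


def explicit_list(suites):
    """Colon-separated value for pinning. TLS 1.3 suites are left out because
    OpenSSL configures them separately from this cipher string."""
    return ":".join(n for n, proto in suites if proto != "TLSv1.3")


def dropped(recorded, suites):
    """Suites from an earlier recorded list that are no longer offered."""
    current = {n for n, _ in suites}
    return [n for n in recorded if n not in current]


if __name__ == "__main__":
    suites = expand(SECURE)
    print("explicit list:", explicit_list(suites))
    print("excluded families still present:", leaked(suites))
    # Constructed "before upgrade" record: one 3DES suite plus a current one.
    before = ["DES-CBC3-SHA", suites[0][0]]
    print("dropped since record:", dropped(before, suites))
```

Run it with the Python that shares the OpenSSL build you care about, and keep the printed explicit list under version control so the next upgrade can be diffed against it.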

9.1.1.2. SSL/TLS versions

  • SSL v3 (considered not secure)
  • TLS v1.0
  • TLS v1.1 (for OpenSSL 1.0.1 or newer)
  • TLS v1.2 (for OpenSSL 1.0.1 or newer)

Note

SSL version 2 is not supported. It was officially deprecated in 2011 by RFC 6176.

SSL version 3 is supported only to provide backward compatibility for older clients, but it is not recommended for new deployments. It was officially deprecated in June 2015 by RFC 7568.

9.1.1.3. OpenSSL versions used in supported operating systems

Modern Unix and Linux versions are distributed with OpenSSL version 1.0.1 or newer.

Microsoft Windows is distributed without including OpenSSL libraries or a compatible alternative. On Windows, SFTPPlus uses the embedded OpenSSL libraries version 1.1.1b. Please keep your SFTPPlus deployments on Windows always updated, to benefit from upstream security updates for the bundled OpenSSL libraries.

The OpenSSL version distributed with SLES 12 advertises that it supports Elliptic Curve Diffie-Hellman (ECDH) as part of Elliptic Curve Cryptography (ECC). However, in the SLES 12 version tested by Pro:Atria, there is a defect and ECDH is not usable.

For SUSE Linux Enterprise Server version 11, we support the SUSE Linux Enterprise 11 Security Module, which provides OpenSSL 1.0.1. This adds SHA2 and TLSv1.2 support, since the version provided by the base system is 0.9.8.

For SUSE Linux Enterprise Server version 11 without the Security Module, SFTPPlus is distributed with embedded OpenSSL 1.1.0h. This adds SHA2 and TLSv1.2 support, since the version provided by the base system is 0.9.8. On SLES 11 without the Security Module, SFTPPlus also uses the upstream wheel for pyca/cryptography, which is currently bundled with the OpenSSL version 1.1.1b libraries. Please keep your SFTPPlus deployments on SLES 11 always updated, to benefit from upstream security updates for the bundled OpenSSL libraries.

On Alpine Linux, SFTPPlus is built against the default-included LibreSSL 2.5.x libraries. The OpenSSL version available as a package is not supported.

On AIX, we only support the OpenSSL 1.0.2k (or newer compatible versions) provided by IBM through the AIX Web Download Pack Programs web page.

On Solaris 10, we only support OpenSSL 1.0.2 versions from Oracle patches 151912-11/151913-1 or later (version 1.0.2n or later compatible ones).

For macOS 10.11 or newer, SFTPPlus is built to use the OpenSSL 1.0.2 version that is provided by the Homebrew community. This adds SHA2 and TLSv1.2 support, since the (now deprecated) OpenSSL library provided by Apple is version 0.9.8.

For OS X 10.8 or newer, SFTPPlus is distributed with the upstream wheel for pyca/cryptography, which is currently bundled with the OpenSSL version 1.1.1b libraries. This adds SHA2 and TLSv1.2 support, since the (now deprecated) OpenSSL library provided by Apple is version 0.9.8. Please keep your SFTPPlus version on OS X always updated, to benefit from upstream security updates for the bundled OpenSSL libraries.

On FreeBSD 10, we only support the OpenSSL 1.0.1 libraries provided in the base system. The OpenSSL version available in FreeBSD’s ports is not supported.

On HP-UX 11.31, we only support the OpenSSL 1.0.2 libraries from HP’s Software Depot for HP-UX 11i (version 1.0.2k or newer compatible versions).

The above list is not comprehensive and comes with no guarantee. Please check with support@proatria.com for further info.

Last updated for release 3.39.0 on September 24, 2018.

9.1.1.4. Public-key cryptographic systems

  • DSS/DSA
  • RSA

Note

DSS/DSA key support is provided for backward compatibility.

Newer deployments should be based on RSA with a key size of 4096 or greater.

DSS/DSA key support is scheduled to be removed/deprecated with the future release of TLS v1.3.

9.1.1.5. Hash functions

  • MD5
  • SHA-1 (FIPS 140-2 compatible)
  • SHA-2 (for OpenSSL 0.9.8 or newer) (FIPS 140-2 compatible)

Note

All modern operating systems that are still supported by their vendors provide newer versions of OpenSSL with support for SHA-2. We are aware that Solaris 10 does not have SHA-2 support.

9.1.1.6. Encryption algorithms

  • 3DES (FIPS 140-2 compatible, vulnerable to SWEET32 attacks)
  • AES 128 and AES 256 (FIPS 140-2 compatible)
  • RC4
  • Blowfish

9.1.2. SSH protocol family

Only SSH version 2 is supported.

SFTP is implemented based on draft version 3.

SCP is not a standard protocol; therefore, it was implemented based on the public source code of OpenSSH's implementation.

9.1.2.1. Default SFTP/SCP secure configuration

When using the secure value for the ssh_cipher_list, the following algorithms are enabled. These are listed below according to preference:

# Ciphers
aes256-cbc aes256-ctr
aes192-cbc aes192-ctr
aes128-cbc aes128-ctr

# MACs
# SHA1 and MD5 might look weak, but the way they are used in SSH
# does not allow for the possibility of a collision attack.
hmac-sha2-256
hmac-sha1
hmac-md5

# Key Exchanges
# See RFC for current recommendation (check updates).
# This is based on:
# https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-09.html
diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1

This list provides maximum compatibility with existing deployments and does not contain ciphers which are considered weak.
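To see which peers the secure lists above would lock out, the algorithm selection rule of SSH can be applied to a peer's offer. This is an added example, not SFTPPlus code: the two client offers are constructed samples, the function names are hypothetical, and the rule is the generic RFC 4253 one rather than anything specific to SFTPPlus.

```python
# Preference-ordered lists the page gives for ssh_cipher_list = secure.
SECURE = {
    "kex": ["diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1"],
    "cipher": ["aes256-cbc", "aes256-ctr", "aes192-cbc", "aes192-ctr",
               "aes128-cbc", "aes128-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
}

# Constructed peer offers (not captured traffic), in each client's own order.
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group1-sha1"],
    "cipher": ["3des-cbc", "blowfish-cbc"],
    "mac": ["hmac-md5", "hmac-sha1"],
}
MODERN_CLIENT = {
    "kex": ["curve25519-sha256", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}


def negotiate(client, server):
    """RFC 4253 section 7.1 rule: per category, pick the first name on the
    client's list that the server also lists. None means no common algorithm,
    which aborts the connection. The host-key conditions that the RFC attaches
    to key exchange selection are not modelled here."""
    return {
        cat: next((alg for alg in client.get(cat, []) if alg in server[cat]), None)
        for cat in server
    }


def blocking(client, server=SECURE):
    """Categories in which this peer shares nothing with the server."""
    return sorted(cat for cat, alg in negotiate(client, server).items() if alg is None)


if __name__ == "__main__":
    for name, offer in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        print(name, negotiate(offer, SECURE), "blocked by:", blocking(offer))
```

Because the client's order decides among shared algorithms, the modern sample ends up on aes128-ctr even though the server lists aes256-cbc first.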

9.1.2.1.1. Ciphers

3DES is disabled due to the SWEET32 attack:

  • aes256-cbc aes256-ctr
  • aes192-cbc aes192-ctr
  • aes128-cbc aes128-ctr

9.1.2.1.2. HMACs

SHA1 and MD5 might have higher collision probabilities, but the way they are used in SSH does not allow for the possibility of a collision attack.

  • hmac-sha2-256
  • hmac-sha1
  • hmac-md5

9.1.2.1.3. Key Exchanges

Based on the IETF recommendation on the set of key exchange methods for use in the Secure Shell (SSH) protocol:

  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group14-sha1

9.1.2.2. Public-key cryptographic systems

Here is the list of supported public-key cryptographic systems, ordered by the preference of SFTPPlus during the negotiation phase:

  • RSA
  • DSS/DSA

Warning

Newer deployments should be based on RSA with a key size of 4096 or greater.

9.1.2.3. SSH Key Exchange

Here is the list of supported SSH key exchanges, ordered by the preference of SFTPPlus during the negotiation phase:

  • diffie-hellman-group-exchange-sha256 (FIPS 140-2 compatible)
  • diffie-hellman-group-exchange-sha1 (FIPS 140-2 compatible)
  • diffie-hellman-group14-sha1 (FIPS 140-2 compatible)
  • diffie-hellman-group1-sha1 (FIPS 140-2 compatible, but no longer considered secure to modern standards)

9.1.2.4. Keyed-hash message authentication code (HMAC)

Here is the list of supported HMACs, ordered by the preference of SFTPPlus during the negotiation phase:

  • hmac-sha2-256 (FIPS 140-2 compatible)
  • hmac-sha1 (FIPS 140-2 compatible)
  • hmac-md5

9.1.2.5. Symmetric encryption algorithms

Here is the list of supported symmetric encryption algorithms, ordered by the preference of SFTPPlus during the negotiation phase:

  • aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc (FIPS 140-2 compatible)
  • cast128-ctr, cast128-cbc
  • blowfish-ctr, blowfish-cbc
  • 3des-ctr, 3des-cbc (FIPS 140-2 compatible, vulnerable to SWEET32 attacks)

9.1.3. FIPS 140-2

SFTPPlus does not have vendor certification for FIPS 140-2 compliance.