SOLVED Pure-FTPd Cipher Settings

grayloon

Well-Known Member
Oct 31, 2007
Evansville, IN
cPanel Access Level
Root Administrator
Now, I'm trying to figure out how to disable DES and 3DES for Pure-FTPd. I changed my TLS Cipher Suite to:
HIGH:!SSLv2:!ADH:!DES:!3DES:!aNULL:!eNULL:!NULL
When I test my server with SSLyze, I still see this weak cipher listed:
#sslyze --starttls=ftp --regular 162.209.0.20:21
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @grayloon,

Feel free to open a support ticket so we can take a closer look to determine why those cipher settings are not enacted on your system. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

JerryB

Member
Dec 7, 2016
NL
cPanel Access Level
DataCenter Provider
Hi,

We have the same problem running WHM 60.0 (build 26).
It looks like a bug in pure-ftpd.

I checked the release notes for pure-ftpd:

* Version 1.0.43: The -J switch didn't work any more in 1.0.42. This has been fixed.

The -J switch sets the cipher settings.

cPanel is running: pure-ftpd-1.0.42-6.cp1156.x86_64
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
We have the same problem running WHM 60.0 (build 26).
It looks like a bug in pure-ftpd.
Could you open a support ticket so we can take a closer look? It's possible we may need to open an internal case, but we may also address this with the nature of how Pure-FTPd is compiled on a cPanel server.

Thank you.
 

Dhaupin

Active Member
Jan 3, 2014
cPanel Access Level
Root Administrator
A couple of days ago we changed the ciphers in one of our cPanel servers to harden for PCI. Today I'm checking scan results and it's still requiring a couple of 3DES ciphers to be disabled... which I thought already were.

I changed the ciphers in WHM (FTP Server Configuration), then checked using nmap via another box. Nothing is changing, even when putting the default ciphers back in. What is interesting is that TLSv1.0 is still available as well, even with !TLSv1.

This is the command I am using to check right to the raw IP (no proxy):
# nmap --script ssl-cert,ssl-enum-ciphers -p 21 123.123.123.123

I feel like either I'm missing something obvious, or this nmap script is not working right. Any thoughts? Thanks.
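The nmap and sslyze runs above only show the server's own cipher table, so a second, independent check is useful. This is an added example (not from the thread or from cPanel/Pure-FTPd) that speaks plain FTP, issues AUTH TLS, and then offers one TLS version at a time, plus a 3DES-only offer, to see what the server actually accepts; the host name passed to scan() is a placeholder you replace with your own server.

```python
import io
import socket
import ssl
WEAK_MARKERS = ("DES-CBC", "3DES", "RC4", "NULL", "ADH", "AECDH", "EXP")

def read_reply(stream):
    """Read one FTP reply, including multi-line ones ('220-...' up to '220 ')."""
    lines = []
    while True:
        line = stream.readline().decode(errors="replace")
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if line[:3].isdigit() and line[3:4] == " ":
            return lines

def parse_reply(raw):
    return read_reply(io.BytesIO(raw))   # same parser over a captured byte string

def is_weak(cipher_name):
    """True for suites PCI scans flag: 3DES/DES, RC4, NULL, anonymous, export."""
    return any(m in cipher_name.upper() for m in WEAK_MARKERS)

def probe_starttls(host, port, version, ciphers="ALL:@SECLEVEL=0"):
    """Banner, AUTH TLS, then a handshake offering only `version`/`ciphers`; returns the suite or None."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # policy probe, not a cert check
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers(ciphers)  # SECLEVEL=0 lets the client offer legacy suites the server might take
    except (ValueError, ssl.SSLError):
        return "untestable"       # the local OpenSSL cannot offer this version/suite at all
    with socket.create_connection((host, port), timeout=5) as sock:
        stream = sock.makefile("rb")
        read_reply(stream)                                 # 220 banner
        sock.sendall(b"AUTH TLS\r\n")
        if not read_reply(stream)[-1].startswith("234"):   # 234 = server agrees to start TLS
            return None
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
        except (ssl.SSLError, ConnectionError):
            return None

def scan(host="ftp.example.invalid", port=21):
    """Top suite per TLS version, plus whether a 3DES-only offer is still accepted (host is a placeholder)."""
    out = {v.name: probe_starttls(host, port, v)
           for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2)}
    out["3DES only on TLSv1_2"] = probe_starttls(host, port, ssl.TLSVersion.TLSv1_2, "3DES:@SECLEVEL=0")
    return out
```

Run `scan("your.server")` and pass each returned suite through `is_weak()`; a non-None entry for TLSv1 or for the 3DES-only offer reproduces the scan findings described in this thread.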
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I changed the ciphers in WHM (FTP Server Configuration), then checked using nmap via another box. Nothing is changing, even when putting the default ciphers back in. What is interesting is that TLSv1.0 is still available as well, even with !TLSv1.
Hello,

You will need to switch to ProFTPd via "WHM >> FTP Server Selection" to meet PCI Compliance at this time due to current restrictions with the Pure-FTPd configuration. Once it's enabled, you can then browse to "WHM Home » Service Configuration » FTP Server Configuration" and remove the TLSv1 entry from the "TLS Protocol" section.

Thank you.
 

Dhaupin

Active Member
Jan 3, 2014
cPanel Access Level
Root Administrator
Pure-ftp is not applying the cipher list in general. The results of "nmap ... ssl-enum-ciphers" vs. "openssl ciphers ..." show different ciphers.

Is this going to be repaired? Or, is there a workaround in the meantime? Quotas and BFD are kinda important.
 

Dhaupin

Active Member
Jan 3, 2014
cPanel Access Level
Root Administrator
Both the TLS1.0 and 3DES persistence are definitely PureFTP bugs that are repaired in 1.0.45. The bug/case is CPANEL-11369 to get the cPanel version upgraded or wrapped.

Hopefully the fix is coming soon :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Internal case CPANEL-11369 is open for the consideration of PureFTPd version 1.0.45's inclusion with cPanel. This would help to address the issue where custom TLSCipherSuite values are not applied, resulting in PCI compliance failures. I'll update this thread with more information on the status of this case as it becomes available.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

To update, this is fixed in cPanel version 64:

Fixed case CPANEL-11369: Update pure-ftpd to 1.0.45-1.cp1156.

Note that as of PureFTPd 1.0.45, PureFTPd no longer supports the TLSv1 security protocol.

Thank you.
 

digitaliway

Active Member
Feb 17, 2015
cPanel Access Level
Root Administrator
I know this thread is old, and I have a PCI compliance scan that I am working with failing on port 21. I need to know what FTP server will pass PCI compliance as of today, Pure-FTPd or ProFTPd, and if it is Pure-FTPd, how that needs to be configured. On the cPanel website they say to configure ProFTPd, but do not say why, and I cannot get a straight answer from support on which one is PCI compliant: PCI Compliance and Software Versions | cPanel & WHM Documentation

Can someone let me know if I need ProFTPd to be PCI compliant and what issues I will encounter if I switch over? Will I need to re-create all FTP accounts? Will users not be able to connect without changing connection configs?
 

digitaliway

Active Member
Feb 17, 2015
cPanel Access Level
Root Administrator
Good to know I can switch, thanks for the response. We are being flagged for port 21: "Some SSL ciphers allow SSL communication without authentication."
I thought I could just change the FTP config cipher suite but am unsure of what to put there. I am testing the cipher suite below in PureFTP and have yet to run another scan. Can you tell me how to add to/change this suite below to not allow anything except for TLS 1.2 and higher?

HIGH:!SSLv2:!SSLv3:!ADH:!DES:!3DES:!aNULL:!eNULL:!NULL
 

digitaliway

Active Member
Feb 17, 2015
cPanel Access Level
Root Administrator
We need to keep FTP active for some specific instances. I took a look at the other post and added a comment for some clarity. Running a scan now with my updated settings.
 