Ftp – How to enable TLS 1.1 minimum on vsftpd

ftppci-dsstlsvsftpd

I'm trying to secure my infrastructure to meet the PCI-DSS standard using securitymetrics.com. The standard mandates the use of TLS 1.1 minimum (with a CBC cipher). TLS 1.0 is not allowed.

While securing ftp (vsftpd), I have disabled sslv2 and sslv3, but couldn't block TLS 1.0 without also disabling TLS 1.1 and TLS 1.2. The config file has the ssl_tlsv1 option that can be set to YES or NO, but I don't see any way to distinguish between 1.0 and later versions.

How can I enable only TLS 1.1 and better?

Best Answer

Answer isn't posted, so I thought I'd follow up for the rest...

To disable TLSv1.0 and enable TLSv1.1 and TLSv1.2 just add these two lines and change the third:

ssl_tlsv1_2=YES
ssl_tlsv1_1=YES
ssl_tlsv1=NO

Note that these options are only available with a patched version of vsftpd, and seems to be only installed on CentOS, and specifically not on Ubuntu. Other distributions may have the patched version as well.

Related Solutions

Security – Our security auditor is an idiot. How to give him the information he wants

First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.

The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.

This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.

Disable SMTP AUTH on Port 25

Yes, postfix is perfectly capable of this.

Take a look at the Postfix HOWTO:

http://postfix.state-of-mind.de/patrick.koetter/smtpauth/

and particularly:

http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html

(those two pages are linked from the fairly extensive official Postfix docs page http://www.postfix.org/docs.html)

For my server, the configuration in master.cf looks like:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

And main.cf has a line like:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

In this case, authentication is only turned on for the submission (587) and SMTPS (465) ports.

Best Answer

Related Solutions

Security – Our security auditor is an idiot. How to give him the information he wants

Disable SMTP AUTH on Port 25

Related Topic