For information about Globalscape, visit www.globalscape.com.
This topic describes the use of ciphers for inbound SSL (HTTPS and FTPS) connections with the Server. For the procedure for configuring SSL on EFT, refer to Enabling SSL on the Server.
EFT validates inbound SSL sessions and allows or denies each connection based on the ciphers specified on the Server's Security tab. During the SSL handshake the connecting (inbound) client offers its own cipher list, and the session can only use a cipher that is also on EFT's specified list.
EFT provides two options for specifying ciphers: Select from list (the default) or Manually specify. Each is described below:
Select from list—A point-and-click cipher selection list box. If Select from list is used to specify more than one approved cipher, and the connecting client offers one or more ciphers that are also on EFT's approved list, EFT selects the cipher according to the order (priority) shown in the list box. You can change the priority by clicking the up and down arrows to the right of the list.
If Select from list is selected (the default), you can choose one or more of the ciphers available from the OpenSSL library installed with EFT. At least one check box must be selected.
Versions | Select from list | OpenSSL name
TLS 1.0, SSL 3.0 | AES 256 bit [4] | AES256-SHA
TLS 1.0, SSL 3.0 | Camellia 256 bit [4] | CAMELLIA256-SHA
TLS 1.0, SSL 3.0 | 3DES 168 bit [4] | DES-CBC3-SHA
TLS 1.0, SSL 3.0 | AES 128 bit [4] | AES128-SHA
TLS 1.0, SSL 3.0 | IDEA 128 bit | IDEA-CBC-SHA
TLS 1.0, SSL 3.0, SSL 2.0 | RC4 128 bit | RC4-MD5-128
TLS 1.0, SSL 3.0 | Export (40-56 bit) [5] | EXP1024-RC4-SHA (56 bits) [1]
TLS 1.0, SSL 3.0 | Export (40-56 bit) [5] | EXP1024-DES-CBC-SHA (56 bits) [1]
TLS 1.0, SSL 3.0 | Export (40-56 bit) [5] | EXP-DES-CBC-SHA (40 bits) [2]
TLS 1.0, SSL 3.0, SSL 2.0 | Export (40-56 bit) [5] | EXP-RC2-CBC-MD5 (40 bits) [2]
TLS 1.0, SSL 3.0, SSL 2.0 | Export (40-56 bit) [5] | EXP-RC4-MD5 (40 bits) [2]
Notes:
1. All 56-bit export ciphers require an SSL certificate with an asymmetric key of 1024 bits or fewer.
2. These 40-bit export ciphers require an SSL certificate with an asymmetric RSA key of 512 bits.
3. These three TLS ciphers are the only supported inbound ciphers when FIPS-SSL mode is enabled. Refer to FIPS-Certified Library for SSL Connections for details.
4. These ciphers use Kx=RSA, Au=RSA. The HMAC is MD5 for the RC4 and export ciphers whose OpenSSL name ends in MD5; all other ciphers use SHA1.
5. Export is NOT selected by default.
Manually specify ciphers—A more powerful string-based interface that takes an OpenSSL cipher string (see http://www.openssl.org/docs/apps/ciphers.html) and uses it to build an ordered SSL cipher preference list. If Manually specify ciphers is used, then cipher negotiation uses the ordering defined by the user in the cipher string (for example, with @STRENGTH) or, if no ordering was defined, the default ordering.
When Manually specify ciphers is selected, the Select from list box is disabled and the advanced cipher string is used instead. In the Manually specify ciphers box, provide a string that will be passed directly to the SSL library.
For example:
ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
or
ALL:!ADH:HIGH:@STRENGTH
Each cipher or cipher alias is separated by a colon and can be preceded by one of the characters !, - or +:
! (exclamation point) = the ciphers that follow are permanently removed from the list; a later entry cannot add them back
- (minus sign) = the ciphers that follow are removed from the list, but a later entry can add them back
+ (plus sign) = the ciphers that follow, if already in the list, are moved to the end of the list
If none of these characters is used, the ciphers matching the entry are appended to the list; ciphers already in the list keep their position.
@STRENGTH can be used at any point to sort the current cipher list in order of encryption key length, longest first.
COMPLEMENTOFALL is the alias for the 0-bit (no-encryption) ciphers that ALL leaves out. To exclude the 0-bit ciphers, do not use COMPLEMENTOFALL; if a string might otherwise include them, add !NULL.
Use ALL:!EXPORT:!LOW to exclude the 40- and 56-bit ciphers, as shown in the table below. Note that this string still includes the RC4 and MD5-based ciphers and the SSLv2-only ciphers in that table; a string such as HIGH:!ADH:!MD5:@STRENGTH restricts inbound connections to the 128-bit and stronger ciphers with SHA1 MACs.
Use ALL:COMPLEMENTOFALL to allow all of the supported ciphers, including the 0-bit ciphers, as shown in the table below.
Refer to The OpenSSL ciphers page for details of cipher strings, including examples.
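The rules above, as an added example that is not part of EFT's documentation or code: a small Python model of how OpenSSL evaluates a cipher string, run against the ciphers in the table on this page. The catalogue, the alias definitions (ALL, COMPLEMENTOFALL, EXPORT, LOW, MEDIUM, HIGH, MD5, RC4 and so on) and the rule semantics are a simplified reconstruction from the OpenSSL ciphers documentation, written for this example; they are not EFT's implementation, and the installed OpenSSL build is what actually decides.

```python
# Added example (not EFT's or OpenSSL's code): a model of OpenSSL cipher-string
# evaluation applied to the cipher table on this page. The catalogue, aliases and
# rule semantics are a simplified reconstruction constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    enc: str          # AES, CAMELLIA, 3DES, DES, IDEA, RC4, RC2 or NULL
    bits: int         # symmetric strength in bits (0 for the NULL ciphers)
    protocols: tuple  # protocol versions the suite is defined for
    mac: str          # "SHA1" or "MD5"
    export: bool = False


# Constructed from the page's ALL:COMPLEMENTOFALL column, in that (key-length) order.
CATALOGUE = [
    Cipher("AES256-SHA", "AES", 256, ("TLSv1", "SSLv3"), "SHA1"),
    Cipher("CAMELLIA256-SHA", "CAMELLIA", 256, ("TLSv1", "SSLv3"), "SHA1"),
    Cipher("DES-CBC3-SHA", "3DES", 168, ("TLSv1", "SSLv3"), "SHA1"),
    Cipher("DES-CBC3-MD5", "3DES", 168, ("SSLv2",), "MD5"),
    Cipher("CAMELLIA128-SHA", "CAMELLIA", 128, ("TLSv1", "SSLv3"), "SHA1"),
    Cipher("AES128-SHA", "AES", 128, ("TLSv1", "SSLv3"), "SHA1"),
    Cipher("IDEA-CBC-SHA", "IDEA", 128, ("TLSv1", "SSLv3"), "SHA1"),
    Cipher("RC4-SHA", "RC4", 128, ("TLSv1", "SSLv3"), "SHA1"),
    Cipher("RC4-MD5", "RC4", 128, ("TLSv1", "SSLv3", "SSLv2"), "MD5"),
    Cipher("IDEA-CBC-MD5", "IDEA", 128, ("SSLv2",), "MD5"),
    Cipher("RC2-CBC-MD5", "RC2", 128, ("SSLv2",), "MD5"),
    Cipher("DES-CBC-MD5", "DES", 56, ("SSLv2",), "MD5"),
    Cipher("DES-CBC-SHA", "DES", 56, ("TLSv1", "SSLv3"), "SHA1"),
    Cipher("EXP1024-RC4-SHA", "RC4", 56, ("TLSv1", "SSLv3"), "SHA1", export=True),
    Cipher("EXP1024-DES-CBC-SHA", "DES", 56, ("TLSv1", "SSLv3"), "SHA1", export=True),
    Cipher("EXP-RC2-CBC-MD5", "RC2", 40, ("TLSv1", "SSLv3", "SSLv2"), "MD5", export=True),
    Cipher("EXP-RC4-MD5", "RC4", 40, ("TLSv1", "SSLv3", "SSLv2"), "MD5", export=True),
    Cipher("NULL-SHA", "NULL", 0, ("TLSv1", "SSLv3"), "SHA1"),
    Cipher("NULL-MD5", "NULL", 0, ("TLSv1", "SSLv3"), "MD5"),
]

# Alias -> predicate. Simplified: every suite in the table is Kx=RSA/Au=RSA and
# there are no anonymous (ADH) suites, so RSA matches everything and ADH nothing.
ALIASES = {
    "ALL": lambda c: c.enc != "NULL",            # everything except eNULL
    "COMPLEMENTOFALL": lambda c: c.enc == "NULL",
    "eNULL": lambda c: c.enc == "NULL",
    "NULL": lambda c: c.enc == "NULL",
    "EXPORT": lambda c: c.export,
    "EXP": lambda c: c.export,
    "LOW": lambda c: not c.export and 0 < c.bits <= 64,
    "MEDIUM": lambda c: c.bits == 128 and c.enc in ("RC4", "RC2", "IDEA"),
    "HIGH": lambda c: c.enc in ("AES", "CAMELLIA", "3DES"),
    "RSA": lambda c: True,
    "ADH": lambda c: False,
    "MD5": lambda c: c.mac == "MD5",
    "SHA": lambda c: c.mac == "SHA1",
    "SHA1": lambda c: c.mac == "SHA1",
    "SSLv2": lambda c: "SSLv2" in c.protocols,
    "SSLv3": lambda c: "SSLv3" in c.protocols,
    "TLSv1": lambda c: "TLSv1" in c.protocols,
}
ALIASES.update({a: (lambda c, a=a: c.enc == a)
                for a in ("AES", "CAMELLIA", "3DES", "DES", "IDEA", "RC4", "RC2")})


def _predicate(word, catalogue):
    """A rule word is one or more aliases/cipher names joined by '+' (logical AND)."""
    preds = []
    for part in word.split("+"):
        if part in ALIASES:
            preds.append(ALIASES[part])
        elif any(c.name == part for c in catalogue):
            preds.append(lambda c, p=part: c.name == p)
        else:
            # OpenSSL silently matches nothing for an unknown word; an operator
            # is better served by an error, so this model raises instead.
            raise ValueError(f"unknown cipher or alias: {part!r}")
    return lambda c: all(p(c) for p in preds)


def expand_cipher_string(spec, catalogue=CATALOGUE):
    """Return the ordered list of cipher names the string selects.

    A bare word appends matching inactive ciphers (active ones keep their place);
    '-' deactivates matches but a later word may re-add them; '!' kills matches
    for the rest of the string; '+' moves matching active ciphers to the end;
    '@STRENGTH' sorts the current list by key length, descending and stable.
    """
    order = list(catalogue)
    state = {c.name: "inactive" for c in catalogue}
    for token in spec.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            order.sort(key=lambda c: -c.bits)  # list.sort is stable
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        match = _predicate(word, catalogue)
        hit = [c for c in order if match(c)]
        if op == "!":
            for c in hit:
                state[c.name] = "dead"
        elif op == "-":
            for c in hit:
                if state[c.name] == "active":
                    state[c.name] = "inactive"
        else:
            if op == "+":
                moved = [c for c in hit if state[c.name] == "active"]
            else:
                moved = [c for c in hit if state[c.name] == "inactive"]
                for c in moved:
                    state[c.name] = "active"
            names = {c.name for c in moved}
            order = [c for c in order if c.name not in names] + moved
    selected = [c.name for c in order if state[c.name] == "active"]
    if not selected:
        raise ValueError("no cipher can be selected")
    return selected


if __name__ == "__main__":
    for spec in ("ALL:COMPLEMENTOFALL", "ALL:!EXPORT:!LOW", "HIGH:!ADH:!MD5:@STRENGTH"):
        print(f"{spec:28} -> {', '.join(expand_cipher_string(spec))}")
```

Running it shows why the page's examples behave as they do: in ALL:!ADH:HIGH:@STRENGTH the HIGH entry adds nothing, because ALL has already activated every cipher, so the string is really "everything but anonymous DH, sorted by strength"; and RC4+RSA pulls in EXP1024-RC4-SHA alongside RC4-SHA, because an algorithm alias matches the export variants of that algorithm as well.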
EFT validates the cipher string against the SSL library once, when Apply is clicked or when you click away from the Security tab. If the string is faulty, EFT displays an error stating that validation failed and, where available, the reason. Clicking OK or Cancel closes the prompt but leaves the cipher box unchanged so that you can refine the string. Changes cannot be applied until the string is valid (or you can go back to Select from list and then click Apply).
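The same validation, as an added example (not EFT's code) that a practitioner can run against the OpenSSL build behind Python's ssl module: SSLContext.set_ciphers() rejects a string that selects no cipher with an SSLError, which is the failure EFT's prompt reports, and get_ciphers() shows what the string resolves to. The audit_suites helper and its WEAK_MARKERS list are this example's own choices, not anything EFT enforces; the resolved list depends on the local OpenSSL version, so on a modern build it will not match the page's table, where the export and SSLv2 suites no longer exist.

```python
# Added example (not EFT's code): validate a manually specified cipher string
# against the OpenSSL build behind Python's ssl module, the same kind of check
# EFT performs on Apply, then audit what the string resolves to.
import ssl

# Name fragments marking suites an operator normally does not want inbound:
# no encryption, RC4, export grade, single DES, MD5 MACs. Chosen for this example.
WEAK_MARKERS = ("NULL", "RC4", "EXP", "DES-CBC-", "MD5")


def validate_cipher_string(spec):
    """Return (ok, suites, error).

    ok is False when OpenSSL rejects the string (typically "No cipher can be
    selected"), which is the condition behind EFT's error prompt. suites is the
    list of cipher descriptions OpenSSL resolved the string to, in preference order.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        return False, [], str(exc)
    return True, ctx.get_ciphers(), None


def audit_suites(suites):
    """Flag suites under 128 bits or whose name carries a weak marker.

    suites is a list of dicts with at least "name" and "strength_bits" keys,
    the shape SSLContext.get_ciphers() returns. Returns [(name, [reasons])].
    """
    findings = []
    for suite in suites:
        reasons = []
        bits = suite.get("strength_bits", 0)
        if bits < 128:
            reasons.append(f"{bits}-bit")
        reasons.extend(m for m in WEAK_MARKERS if m in suite["name"])
        if reasons:
            findings.append((suite["name"], reasons))
    return findings


def check(spec):
    """Validate and audit one string; returns (ok, names, findings, error)."""
    ok, suites, error = validate_cipher_string(spec)
    return ok, [s["name"] for s in suites], audit_suites(suites), error


if __name__ == "__main__":
    for spec in ("ALL:!ADH:HIGH:@STRENGTH", "ALL:!EXPORT:!LOW", "NOT-A-CIPHER"):
        ok, names, findings, error = check(spec)
        print(f"{spec}: {'valid' if ok else 'rejected: ' + error}")
        print(f"  {len(names)} suites, first: {names[:3]}")
        for name, reasons in findings:
            print(f"  weak: {name} ({', '.join(reasons)})")
```

The audit is deliberately separate from validation: a string can be perfectly valid to OpenSSL and still enable RC4, export or NULL suites, which is exactly the case the "Use ALL:!EXPORT:!LOW" guidance above is about.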
The table below lists the ciphers, sorted by key length, that are supported when manually specified in the administration interface or in the COM API using ICIServer::CipherList. Longer keys offer a greater level of security.
Version | ALL:COMPLEMENTOFALL includes these ciphers: | ALL:!EXPORT:!LOW includes these ciphers: | Key length
TLSv1, SSLv3 | AES256-SHA [3] | AES256-SHA [3] | 256 bits
TLSv1, SSLv3 | CAMELLIA256-SHA [3] | CAMELLIA256-SHA [3] | 256 bits
TLSv1, SSLv3 | DES-CBC3-SHA [3] | DES-CBC3-SHA [3] | 168 bits
SSLv2 | DES-CBC3-MD5 | DES-CBC3-MD5 | 168 bits
TLSv1, SSLv3 | CAMELLIA128-SHA | CAMELLIA128-SHA | 128 bits
TLSv1, SSLv3 | AES128-SHA | AES128-SHA | 128 bits
TLSv1, SSLv3 | IDEA-CBC-SHA | IDEA-CBC-SHA | 128 bits
TLSv1, SSLv3 | RC4-SHA | RC4-SHA | 128 bits
TLSv1, SSLv3, SSLv2 | RC4-MD5 | RC4-MD5 | 128 bits
SSLv2 | IDEA-CBC-MD5 | IDEA-CBC-MD5 | 128 bits
SSLv2 | RC2-CBC-MD5 | RC2-CBC-MD5 | 128 bits
SSLv2 | DES-CBC-MD5 | (excluded) | 56 bits
TLSv1, SSLv3 | DES-CBC-SHA | (excluded) | 56 bits
TLSv1, SSLv3 | EXP1024-RC4-SHA [1] | (excluded) | 56 bits
TLSv1, SSLv3 | EXP1024-DES-CBC-SHA [1] | (excluded) | 56 bits
TLSv1, SSLv3, SSLv2 | EXP-RC2-CBC-MD5 [2] | (excluded) | 40 bits
TLSv1, SSLv3, SSLv2 | EXP-RC4-MD5 [2] | (excluded) | 40 bits
TLSv1, SSLv3 | NULL-SHA | (excluded) | 0 bits
TLSv1, SSLv3 | NULL-MD5 | (excluded) | 0 bits
Notes:
1. The 56-bit export ciphers require an SSL certificate with an asymmetric key of 1024 bits or fewer.
2. The 40-bit export ciphers require an SSL certificate with an asymmetric RSA key of 512 bits.
3. These ciphers are the only supported inbound ciphers when FIPS-SSL mode is enabled. Refer to FIPS-Certified Library for SSL Connections for details.