EFT Specifications

This topic is intended as a quick reference of EFT specifications. Information is provided in detail in the applicable procedures.

See also:

Item

Description

Protocols

FTP/S (SSL/TLS), SFTP (SSH2), HTTP/S, and AS2 (Certain protocols other than FTP require optional modules.)

  • FTP Commands Supported by EFT

  • The FTPS protocol in EFT is compliant with RFC4217, "Securing FTP with TLS."

  • EFT supports SFTP versions 2, 3, 4, and 6. The outbound client defaults to version 4, and it is not configurable through the GUI, but can be configured in advanced properties. The EFT outbound client negotiates the SFTP version with the receiving server during session establishment. That is, if the receiving server only supports version 2, EFT Server will negotiate down and operate at version 2.

  • SFTP hashing algorithms supported: For both FIPS and non-FIPS ciphers and algorithms, refer to SFTP FIPS.

SSH version

EFT v8.0 and later use v8.1.0.0_openssh library, including OpenSSH DLLs for FIPS
EFT's SFTP library implementation is based on the latest (8.1) version of OpenSSH portable: https://github.com/PowerShell/openssh-portable, which is a fork of https://github.com/openssh/openssh-portable, which in turn is a fork of the canonical OpenSSH. EFT will be updated once the fork that EFT is using is updated to 8.2, 8.3, or newer version. Also note that the EFT implementation contains some modified OpenSSH files, modified via use of a Fedora patch, for purposes of FIPS certification when FIPS mode is enabled.

SSL version

EFT v8.0.6 and later use OpenSSL v1.1.1k; EFT v8.0.4 and later use OpenSSL v1.0.2u (dated December 20, 2019), SSL.dll and SSLfips.dll; EFT v8.0.0 - v8.0.3 use OpenSSL v1.0.2t; TLSv1.2 is set by default. For best security, clear versions that you do not need enabled; do not enable SSLv3 ciphersuites (See FIPS description below.)

FIPS

EFT uses the FIPS Object Module; https://csrc.nist.gov/publications/detail/fips/140/2/final; https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2839; (In addition to the validations of the OpenSSL FIPS Object Module 2.0 obtained directly by OpenSSL, third-party vendors have obtained additional "re-brand" validations of the same cryptographic module. #2939 is referenced to show all of the algorithms covered.)

  • OpenSSL v1.0.2 is FIPS-certified, but does not support TLS 1.3. EFT uses v1.0.2 for SFTP in FIPS and non-FIPS mode because SFTP doesn't care about TLS version

    OpenSSL v1.1.1 has no FIPS module, but supports TLS 1.3; EFT uses it in non-FIPS mode to support TLS 1.3

SSL Certificate Key lengths supported

Key lengths supported: 1024, 2048, 3072, and 4096 bits

EFT-created SSL certificates

x.509 base-64 standard DER encoded

Allowed OpenSSL ciphers for inbound transfers (HTTPS and FTPS)

Refer to the Server > Security tab for available ciphers.

Authentication types

Built-in, AD/NTLM, LDAP, ODBC, RADIUS, RSA SecurID®

Log formats

W3C, Microsoft IIS, and NCSA

OpenPGP version

EFTv8.0.5 uses IP*Works! OpenPGP2020 v20.0 build 7525 components for secure OpenPGP messaging and advanced encryption/decryption (http://cdn.nsoftware.com/help/IGB/cpp/) and is RFC 4880 compliant.

PCI DSS

EFT facilitates compliance with PCI DSS version 3.x.

AS2 module

EFT uses /n software's EDI Integrator library components, which are in the core of an application called RSSBus. RSSBus is Drummond Certified and in compliance with RFC4130. (EFT itself is not Drummond certified.) The maximum inbound file size for AS2 transfers is 20GB; there is no limit on outbound file size.

Advanced Workflow Engine (AWE) version

EFT v8 uses Automate Desktop v10.7.100 Build 4 Task Builder and actions

ICAP/Content Integrity Control

EFT supports RFC3507, sections 3.2 and 4.9. EFT supports: draft-stecher-icap-subid-00 section 4.5 and 4.6.

EFT Outlook Add-In library EFT v8.0.6 and later use Apache log4net v2.0.12