Cannot upload access logs from ProxySG appliance to vsftpd FTPS server

Article ID: 169658

Products

ProxySG Software - SGOS

Issue/Introduction

In rare cases, access log uploads might fail if the vsftpd FTPS server is configured with weak ciphers.

Cause

An incompatibility exists between SGOS 6.7.2 and older versions of vsftpd FTPS server that use weak ciphers.

Resolution

To work around this issue, add ssl_ciphers=HIGH to the vsftpd configuration file (vsftpd.conf) to force vsftpd to use only high-encryption ciphers.

If you cannot change vsftpd, determine which of the low-encryption cipher(s) vsftpd uses can be enabled in the appliance's default SSL device profile; the appliance and vsftpd are likely to have DES-CBC3-SHA in common. The following example uses CLI commands to enable DES-CBC3-SHA:

#(config ssl)edit ssl-device-profile default
#(config device-profile default)cipher-suite
Cipher#  Use   Description                 Strength
-------  ---  ---------------------------  --------
      1  yes      ECDHE-RSA-AES256-SHA384      High
      2  yes      ECDHE-RSA-AES128-SHA256      High
      3  yes  ECDHE-RSA-AES256-GCM-SHA384      High
      4  yes  ECDHE-RSA-AES128-GCM-SHA256      High
      5  yes         ECDHE-RSA-AES128-SHA      High
      6  yes         ECDHE-RSA-AES256-SHA      High
      7   no            ECDHE-RSA-RC4-SHA    Medium
      8  yes                AES128-SHA256      High
      9  yes                AES256-SHA256      High
     10  yes            AES128-GCM-SHA256      High
     11  yes            AES256-GCM-SHA384      High
     12  yes                   AES128-SHA    Medium
     13  yes                   AES256-SHA      High
     14  yes           DHE-RSA-AES128-SHA      High
     15  yes           DHE-RSA-AES256-SHA      High
     16  yes    DHE-RSA-AES128-GCM-SHA256      High
     17  yes    DHE-RSA-AES256-GCM-SHA384      High
     18   no                 DES-CBC3-SHA       Low
     19   no                      RC4-SHA    Medium
     20   no                      RC4-MD5    Medium
     21   no                  DES-CBC-SHA       Low
Select cipher numbers to use, separated by commas:  1,2,3,4,5,6,8,9,10,11,12,13,14,15,16,17,18

Refer to the Command Line Interface Reference for details.
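The workaround above amounts to intersecting the appliance's cipher-suite table with the suites vsftpd offers and enabling a shared suite only when none is already enabled. The following added Python example (not part of this article or of SGOS) automates that check: it parses a constructed copy of the cipher-suite table shown above, expands a vsftpd ssl_ciphers value into suite names with Python's ssl module (which uses the local OpenSSL, so results vary by version), and produces the cipher-number list to enter at the "Select cipher numbers" prompt.

```python
import re
import ssl

# Constructed copy of the rows from the appliance's "cipher-suite" output above.
APPLIANCE_TABLE = """
      1  yes      ECDHE-RSA-AES256-SHA384      High
      2  yes      ECDHE-RSA-AES128-SHA256      High
      3  yes  ECDHE-RSA-AES256-GCM-SHA384      High
      4  yes  ECDHE-RSA-AES128-GCM-SHA256      High
      5  yes         ECDHE-RSA-AES128-SHA      High
      6  yes         ECDHE-RSA-AES256-SHA      High
      7   no            ECDHE-RSA-RC4-SHA    Medium
      8  yes                AES128-SHA256      High
      9  yes                AES256-SHA256      High
     10  yes            AES128-GCM-SHA256      High
     11  yes            AES256-GCM-SHA384      High
     12  yes                   AES128-SHA    Medium
     13  yes                   AES256-SHA      High
     14  yes           DHE-RSA-AES128-SHA      High
     15  yes           DHE-RSA-AES256-SHA      High
     16  yes    DHE-RSA-AES128-GCM-SHA256      High
     17  yes    DHE-RSA-AES256-GCM-SHA384      High
     18   no                 DES-CBC3-SHA       Low
     19   no                      RC4-SHA    Medium
     20   no                      RC4-MD5    Medium
     21   no                  DES-CBC-SHA       Low
"""
ROW = re.compile(r"^\s*(\d+)\s+(yes|no)\s+(\S+)\s+(High|Medium|Low)\s*$")

def parse_cipher_table(text):
    """Map suite name -> (cipher number, enabled, strength) from the CLI table."""
    rows = {}
    for line in text.splitlines():
        if m := ROW.match(line):
            rows[m.group(3)] = (int(m.group(1)), m.group(2) == "yes", m.group(4))
    return rows

def expand_cipher_string(spec):
    """Expand an OpenSSL cipher string (vsftpd's ssl_ciphers value) to suite names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError when nothing matches
    return {c["name"] for c in ctx.get_ciphers()}

def plan_selection(table, server_ciphers):
    """Return (shared suites, disabled suites to enable, cipher-number list)."""
    common = {n for n in server_ciphers if n in table}
    to_enable = {n for n in common if not table[n][1]}
    keep = {num for num, enabled, _ in table.values() if enabled}
    if common - to_enable:  # an enabled suite is already shared: change nothing
        to_enable = set()
    numbers = keep | {table[n][0] for n in to_enable}
    return common, to_enable, ",".join(str(n) for n in sorted(numbers))
```

With server_ciphers={"DES-CBC3-SHA"} the plan reproduces the article's selection (1 through 17 without 7, plus 18), while expand_cipher_string("HIGH") on a current OpenSSL yields suites the appliance already enables, so no low-strength suite needs to be turned on.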