Cannot upload access logs from ProxySG appliance to vsftpd FTPS server
Article ID: 169658
Updated On:
Products
Issue/Introduction
In rare cases, access log uploads might fail if the vsftpd FTPS server is configured with weak ciphers.
Cause
An incompatibility exists between SGOS 6.7.2 and older versions of vsftpd FTPS server that use weak ciphers
Resolution
To work around this issue, add ssl_ciphers=High to the configuration file (VSFTPD.CONF) to force vsftps to use high-encryption ciphers.
If you cannot make changes to vsftpd, determine which low-encryption cipher(s) used in vsftpd can be enabled in the appliance's default SSL device profile; the appliance and vsftpd are likely to have DES-CBC3-SHA in common. The following is an example of using CLI commands to enable DES-CBC3-SHA:
#(config ssl)edit ssl-device-profile default
#(config device-profile default)cipher-suite
Cipher# Use Description Strength
------- --- --------------------------- --------
1 yes ECDHE-RSA-AES256-SHA384 High
2 yes ECDHE-RSA-AES128-SHA256 High
3 yes ECDHE-RSA-AES256-GCM-SHA384 High
4 yes ECDHE-RSA-AES128-GCM-SHA256 High
5 yes ECDHE-RSA-AES128-SHA High
6 yes ECDHE-RSA-AES256-SHA High
7 no ECDHE-RSA-RC4-SHA Medium
8 yes AES128-SHA256 High
9 yes AES256-SHA256 High
10 yes AES128-GCM-SHA256 High
11 yes AES256-GCM-SHA384 High
12 yes AES128-SHA Medium
13 yes AES256-SHA High
14 yes DHE-RSA-AES128-SHA High
15 yes DHE-RSA-AES256-SHA High
16 yes DHE-RSA-AES128-GCM-SHA256 High
17 yes DHE-RSA-AES256-GCM-SHA384 High
18 no DES-CBC3-SHA Low
19 no RC4-SHA Medium
20 no RC4-MD5 Medium
21 no DES-CBC-SHA Low
Select cipher numbers to use, separated by commas: 1,2,3,4,5,6,8,9,10,11,12,13,14,15,16,17,18
Refer to the Command Line Interface Reference for details.
Feedback
