VSFTPD specific ciphers

Question

I am looking for a way to define custom cipher suite for VSFTPD on Ubuntu server.

I found that I can specify ciphers via HIGH/MEDIUM/LOW. However, this is not enough for me, since I need to configure ciphers all manually.

Is there a way to do this?

Have you seen my answer below, which actually answers your question? — Vlastimil Burián, Jan 18 '20 at 07:42

score 4 · Accepted Answer · answered Oct 22 '15 at 19:32

from vsftpd.conf manual I can read

ssl_ciphers
              This option can be used to select which SSL ciphers vsftpd  will
              allow  for  encrypted  SSL connections. See the ciphers man page
              for further details. Note that restricting ciphers can be a use‐
              ful  security precaution as it prevents malicious remote parties
              forcing a cipher which they have found problems with.

              Default: DES-CBC3-SHA

Then if I check the manual of ciphers (part of openssl) it gives all the type of ciphers you can use. Actually LOW/MEDIUM/HIGH are defined like this

HIGH
    "high" encryption cipher suites. This currently means those with key lengths larger than 128
           bits, and some cipher suites with 128-bit keys.

MEDIUM
    "medium" encryption cipher suites, currently some of those using 128 bit encryption.

LOW 
    "low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but
           excluding export cipher suites.

So basicall you can use any of the cipher strings specified in ciphers manual.

This is not answer to my question. I asked how to configure ciphers toally manually like in Apache. — Vilican, Oct 23 '15 at 08:48
This is my answer. It's totally like in apache. I just gave more details about high medium and low variables. — Pierre-Alain TORET, Oct 23 '15 at 10:44
If it is, you ceartinly didn't mention it. Example what I want: allow just EECDH+AESGCM and nothing other. — Vilican, Oct 23 '15 at 11:40
Yes then you just put these in ssl_ciphers. Like you would do in apache. They're both based on openssl syntax. That's what i'm saying when i say read ciphers manual. — Pierre-Alain TORET, Oct 23 '15 at 12:24

Vlastimil Burián · Answer 2 · 2020-01-17T10:50:26.550

Recently, I found out, it is entirely possible to define custom ciphers; take this example:

## Select which SSL ciphers `vsftpd` will allow for encrypted SSL connections (required by FileZilla).
ssl_ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256

Further, not that the OP had asked, but I feel I could share another security possibility.

That being enabling only TLSv1.2 and TLSv1.3. This can be achieved with:

## The following might look strange as
## it does not seem to allow any protocol;
## But it does allow TLSv1.2 + TLSv1.3.

# disallow SSLv2 protocol
ssl_sslv2=NO
# disallow SSLv3 protocol
ssl_sslv3=NO
# disallow TLSv1.0+TLSv1.1 protocols
ssl_tlsv1=NO

In the end, I recommend testing your config for instance on ImmuniWeb, where you could easily debug your configuration.

This is just a sample:

VSFTPD specific ciphers

2 Answers2