First, make sure you are running the latest Cerberus FTP Server release. The steps and guidance below only apply to the latest official release.
Researchers have recently uncovered several weaknesses in how Diffie-Hellman (DH) key exchange has been deployed. The Logjam vulnerability exploits these weaknesses to make an SSL/TLS connection negotiate weak DH parameters whose encryption can be broken with commonly available hardware.
Cerberus FTP Server allows administrators to supply their own DH parameter files for use in DH key exchange. The simple solution is to replace the lower-strength 512- and 1024-bit files with 2048-bit primes. This ensures that Cerberus FTP Server always supplies at least 2048-bit DH parameters for key exchange. To do this:
1. Delete the files:
C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates\dh512.pem
C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates\dh1024.pem
2. Make two copies of the file:
C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates\dh2048.pem
and rename the two copies to dh512.pem and dh1024.pem. These two files replace the original lower-strength DH prime files.
You must restart the Cerberus FTP Server Windows Service from the Services control panel for this change to take effect.
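The procedure above, scripted as an added example (not Cerberus FTP Server's own tooling or documentation). It uses the certificates directory named in the steps, and assumes the DH parameter files are standard PEM "DH PARAMETERS" blocks (a DER SEQUENCE of the prime p and generator g), which lets the script verify that each resulting file really carries a 2048-bit prime before the service is restarted. The Windows service name is a placeholder that must be confirmed with Get-Service, and the script backs up the weak files instead of deleting them so the change can be rolled back.

```powershell
# Added example: replace the 512/1024-bit DH parameter files with copies of the
# 2048-bit file, verify the prime size in each result, then restart the service.
# Assumptions: the certificates directory is the one the article names; the
# service name below is a PLACEHOLDER (find the real one with
#   Get-Service | Where-Object DisplayName -like '*Cerberus*').

$CertDir     = 'C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates'
$ServiceName = 'CERBERUS_SERVICE_NAME_PLACEHOLDER'

function Get-DhPrimeBits {
    # Returns the bit length of the prime p stored in a PEM "DH PARAMETERS" file.
    param([Parameter(Mandatory)][string]$Path)

    # Strip the PEM armor lines and decode the DER body.
    $b64 = ((Get-Content -Path $Path) -notmatch '^-----') -join ''
    $der = [Convert]::FromBase64String($b64)

    # Minimal DER reader: returns @(contentOffset, contentLength) for the TLV at $pos.
    function Read-Tlv([byte[]]$buf, [int]$pos) {
        $len = [int]$buf[$pos + 1]
        $hdr = 2
        if ($len -band 0x80) {                 # long-form length
            $n = $len -band 0x7f
            $len = 0
            for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $buf[$pos + 2 + $i] }
            $hdr = 2 + $n
        }
        return @($pos + $hdr, $len)
    }

    if ($der[0] -ne 0x30) { throw "$Path is not a DER SEQUENCE (DH parameters expected)" }
    $seq = Read-Tlv $der 0
    if ($der[$seq[0]] -ne 0x02) { throw "$Path: first element of the SEQUENCE is not an INTEGER" }
    $p = Read-Tlv $der $seq[0]
    $start = $p[0]; $len = $p[1]

    # DER prefixes a 0x00 byte when the top bit of p is set; it does not count.
    while ($len -gt 1 -and $der[$start] -eq 0) { $start++; $len-- }

    # Bits contributed by the most significant non-zero byte.
    $b = [int]$der[$start]; $topBits = 0
    while ($b -gt 0) { $topBits++; $b = $b -shr 1 }
    return ($len - 1) * 8 + $topBits
}

# Refuse to proceed unless the source file really is a 2048-bit prime.
$Strong = Join-Path $CertDir 'dh2048.pem'
$strongBits = Get-DhPrimeBits $Strong
if ($strongBits -lt 2048) { throw "dh2048.pem holds only a $strongBits-bit prime; stopping" }

foreach ($name in 'dh512.pem', 'dh1024.pem') {
    $target = Join-Path $CertDir $name
    if (Test-Path $target) {
        # Keep the weak file under a backup name so the change can be reverted.
        Move-Item -Path $target -Destination "$target.weak.bak" -Force
    }
    Copy-Item -Path $Strong -Destination $target
    $bits = Get-DhPrimeBits $target
    if ($bits -lt 2048) { throw "$name still holds a $bits-bit prime" }
    Write-Host "$name now carries a $bits-bit DH prime"
}

# Equivalent to restarting the service from the Services control panel.
Restart-Service -Name $ServiceName
```

Run from an elevated PowerShell session, since both the ProgramData directory and the service restart require administrator rights. The size check matters because the file names alone say nothing about their contents: after this change, a file called dh512.pem must contain a 2048-bit prime, and the script fails loudly if it does not.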
You should also upgrade your SSH2 SFTP clients to versions that support Elliptic-Curve Diffie-Hellman key exchange (ECDH). ECDH key exchange avoids all known feasible cryptanalytic attacks, and modern web browsers and SFTP clients now prefer ECDHE over the original finite-field Diffie-Hellman. Cerberus FTP Server has supported and preferred ECDH for several years, so support is already present in the latest 6.0 and higher releases.