Articles and news
SFTPPlus Client 1.5.50 Release
Thu 23 October 2014 | general client
SFTPPlus Team is pleased to announce the latest release of SFTPPlus Client, version 1.5.50.
This version was released in response to the SSLv3 POODLE vulnerability.
In this release SSLv3 is disabled by default.
Support for SSLv3 can still be forced by using the useinsecuresslv3 configuration option.
For more details please see the full release notes.
SSLv3 POODLE vulnerability and SFTPPlus
Wed 22 October 2014 | security server client
Issue
In late September, a team at Google discovered a serious vulnerability in SSL 3.0, known as “POODLE”.
By exploiting this vulnerability, an attacker can gain access to data sent over what is supposed to be a secured connection.
Affected protocols
SFTPPlus Server and Client are affected by the SSLv3 POODLE vulnerability for the FTPS and HTTPS protocols, as well as for the HTTPS web-based management tool.
SFTP and SCP protocols are not affected.
This is a design flaw within the SSLv3 protocol itself and is not related to the SFTPPlus-specific implementation or any other vendor’s implementation.
Solution for SFTPPlus Server
To fix this, disable the SSLv3 protocol and use only TLSv1 for the FTPS (explicit or implicit) and HTTPS protocols, including the Local Manager web-based administration interface.
To disable SSLv3 in SFTPPlus Server, set the ssl_allowed_methods = tlsv1 configuration option for all vulnerable protocols. For more details see the ssl_allowed_methods documentation.
The default configuration options support both SSLv3 and TLSv1. SSLv2 was never enabled, as that protocol was also proven vulnerable.
If you still need to use SSLv3, disable the CBC-based cipher suites. This means enabling only the RC4-SHA cipher, as this is the only cipher not using CBC. To do this, set ssl_cipher_list = RC4-SHA. For more details see the ssl_cipher_list documentation.
We will soon release a new version of SFTPPlus Server which will disable SSLv3 by default.
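The rules in this section can be applied as a configuration audit. The following Python script is an added example, not SFTPPlus code: the INI layout, the section names, the type key and the space-separated value syntax are assumptions, while ssl_allowed_methods, ssl_cipher_list and the stated defaults come from the advisory.

```python
import configparser

# Constructed sample config. The INI layout, section names and the "type"
# key are assumptions; only the two ssl_* option names come from the advisory.
SAMPLE = """
[services/ftps-default]
type = ftps
[services/https-legacy]
type = https
ssl_allowed_methods = sslv3 tlsv1
ssl_cipher_list = RC4-SHA
[services/https-cbc]
type = https
ssl_allowed_methods = sslv3 tlsv1
ssl_cipher_list = AES128-SHA:RC4-SHA
[services/manager]
type = https
ssl_allowed_methods = tlsv1
[services/sftp]
type = sftp
"""

DEFAULT_METHODS = "sslv3 tlsv1"  # advisory: defaults allow SSLv3 and TLSv1
AFFECTED = {"ftps", "https"}     # advisory: SFTP and SCP are not affected

def audit(text):
    """Return {section: verdict} for each FTPS/HTTPS section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    report = {}
    for name in cfg.sections():
        sec = cfg[name]
        if sec.get("type", fallback="").lower() not in AFFECTED:
            continue
        # A missing option falls back to the default, which includes SSLv3.
        raw = sec.get("ssl_allowed_methods", fallback=DEFAULT_METHODS)
        if "sslv3" not in raw.lower().replace(",", " ").split():
            report[name] = "ok: SSLv3 disabled"
            continue
        raw_ciphers = sec.get("ssl_cipher_list", fallback="")
        ciphers = [c.strip().upper() for c in raw_ciphers.split(":")]
        if ciphers == ["RC4-SHA"]:
            report[name] = "mitigated: SSLv3 allowed, RC4-SHA only"
        else:
            report[name] = "vulnerable: SSLv3 allowed, CBC ciphers possible"
    return report

if __name__ == "__main__":
    for section, verdict in audit(SAMPLE).items():
        print(f"{section}: {verdict}")
```

A section that sets neither option is reported as vulnerable, because the defaults described above still allow SSLv3.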
Solution for SFTPPlus Client
SFTPPlus Client can also be configured to use only the RC4-SHA cipher by setting ciphers = 'RC4-SHA'. For more details see the ciphers documentation.
We will soon release a new version of SFTPPlus Client which will disable SSLv3 by default.
SFTPPlus Server 2.7.0 Release
Thu 18 September 2014 | general server
SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.7.0.
This version improves the managed file transfer component of the server by adding support for calling an external command for monitored paths.
The server now supports more FTP commands, such as SITE CHMOD. For backward compatibility we have introduced support for the obsolete FTP commands XCUP, XCWD, XMKD, XPWD and XRMD.
Ubuntu 14.04 LTS on X86_64 is now a supported platform.
For more details please see the full release notes.
New Website
Fri 08 August 2014 | general
We have launched a new website for supporting SFTPPlus products. It includes general product description and documentation as well as support and contact information.
SFTPPlus Server 2.6.0 Release
Fri 08 August 2014 | general server
SFTPPlus Team is pleased to announce the latest release of SFTPPlus Server, version 2.6.0.
This version adds support for monitoring paths on local file systems and recording activity inside the audit trail, and adds a report containing the last login date for all accounts.
For more details please see the full release notes.