SSL/TLS and zFTPServer

From zFTPServer Wiki

A cipher is an algorithm for performing encryption or decryption - a series of well-defined steps that can be followed as a procedure. 

zFTPServer supports a large number of ciphers; see the bottom of this page for a complete list.


Changing ciphers

In this tutorial we will show you how to change the currently used ciphers. For this example I will be activating TLSv1.2 and deactivating all other ciphers that are activated by default.

- Stop the zFTPServer Service
- Browse to your zFTPServer installation directory
- Find and open the settings.ini file with your preferred text editor.
- Search for [FTPS Ciphers]
- Between the quotation marks you can see your currently active ciphers. Remove everything inside the quotation marks until you are left with ""
- Now, input the cipher that you wish to use between the quotation marks. In this case I will be using RSA-AES256-SHA256 for TLSv1.2.
- You should now be left with "RSA-AES256-SHA256"
- Start the zFTPServer service
- You have now successfully activated your new ciphers.
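A check that can be run on settings.ini before restarting the service in the procedure above. This is an added example, not zFTPServer code: it reads the quoted value under [FTPS Ciphers] and flags suite names whose components are weak by general TLS standards. The key name `Ciphers`, the `[Server]` section and the comma or whitespace separation between names are assumptions; the page only states that the active ciphers sit between quotation marks in that section.

```python
import re

# Name components that mark a suite as weak (general TLS knowledge, not zFTPServer data).
WEAK = {
    "NULL": "no encryption",
    "ANON": "unauthenticated key exchange",
    "EXPORT": "export-grade key length",
    "RC4": "broken stream cipher",
    "RC2": "obsolete cipher",
    "DES": "56-bit key",
    "3DES": "64-bit block cipher",
    "MD5": "broken hash",
}
# Leading key-exchange tokens that are not ephemeral (EC)DH.
STATIC_KEX = {"RSA", "DH", "ECDH", "PSK"}

# Constructed sample; the key name "Ciphers" and comma separation are assumptions.
SAMPLE_INI = '''[Server]
Port=21
[FTPS Ciphers]
Ciphers="RSA-RC4-MD5,DH-ANON-AES128-SHA,ECDHE-RSA-AES256-GCM-SHA384,RSA-AES256-SHA256"
'''

def read_active_ciphers(ini_text):
    """Return the suite names from the first quoted value under [FTPS Ciphers]."""
    in_section = False
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[ftps ciphers]"
        elif in_section:
            quoted = re.search(r'"([^"]*)"', line)
            if quoted:
                return [n for n in re.split(r"[,\s]+", quoted.group(1)) if n]
    return []

def audit(names):
    """Map each flagged suite name to the list of reasons it was flagged."""
    findings = {}
    for name in names:
        parts = name.upper().split("-")
        reasons = [why for token, why in WEAK.items() if token in parts]
        if parts[0] in STATIC_KEX and "ANON" not in parts:
            reasons.append("static key exchange, no forward secrecy")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for suite, reasons in audit(read_active_ciphers(SAMPLE_INI)).items():
        print(f"{suite}: {'; '.join(reasons)}")
```

An empty result from `audit` means no listed suite matched any of these patterns; an empty list from `read_active_ciphers` means the section or its quoted value was not found, or the value is "".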


Operating systems

Some operating systems may not support certain TLS/SSL ciphers. The following gives an idea of what works and what does not.

Windows Server 2003/XP - SSL 2.0/SSL 3.0/TLS 1.0

Windows Server 2008/Vista - SSL 2.0/SSL 3.0/TLS 1.0

Windows Server 2008 R2/7 - SSL 2.0/SSL 3.0/TLS 1.0/TLS 1.1/TLS 1.2


List of supported ciphers

Here is a complete list of ciphers that zFTPServer supports.

       // generic SSL/TLS ciphersuites

     'NULL-NULL-NULL',
     'RSA-NULL-MD5',
     'RSA-NULL-SHA',
     'RSA-RC4-MD5',
     'RSA-RC4-SHA',
     'RSA-RC2-MD5',
     'RSA-IDEA-MD5',
     'RSA-IDEA-SHA',
     'RSA-DES-MD5',
     'RSA-DES-SHA',
     'RSA-3DES-MD5',
     'RSA-3DES-SHA',
     'RSA-AES128-SHA',
     'RSA-AES256-SHA',
     'DH-DSS-DES-SHA',
     'DH-DSS-3DES-SHA',
     'DH-DSS-AES128-SHA',
     'DH-DSS-AES256-SHA',
     'DH-RSA-DES-SHA',
     'DH-RSA-3DES-SHA',
     'DH-RSA-AES128-SHA',
     'DH-RSA-AES256-SHA',
     'DHE-DSS-DES-SHA',
     'DHE-DSS-3DES-SHA',
     'DHE-DSS-AES128-SHA',
     'DHE-DSS-AES256-SHA',
     'DHE-RSA-DES-SHA',
     'DHE-RSA-3DES-SHA',
     'DHE-RSA-AES128-SHA',
     'DHE-RSA-AES256-SHA',
     'DH-ANON-RC4-MD5',
     'DH-ANON-DES-SHA',
     'DH-ANON-3DES-SHA',
     'DH-ANON-AES128-SHA',
     'DH-ANON-AES256-SHA',
     'RSA-RC2-MD5-EXPORT',
     'RSA-RC4-MD5-EXPORT',
     'RSA-DES-SHA-EXPORT',
     'DH-DSS-DES-SHA-EXPORT',
     'DH-RSA-DES-SHA-EXPORT',
     'DHE-DSS-DES-SHA-EXPORT',
     'DHE-RSA-DES-SHA-EXPORT',
     'DH-ANON-RC4-MD5-EXPORT',
     'DH-ANON-DES-SHA-EXPORT',


       // camellia ciphersuites
     'RSA-CAMELLIA128-SHA',
     'DH-DSS-CAMELLIA128-SHA',
     'DH-RSA-CAMELLIA128-SHA',
     'DHE-DSS-CAMELLIA128-SHA',
     'DHE-RSA-CAMELLIA128-SHA',
     'DH-ANON-CAMELLIA128-SHA',
     'RSA-CAMELLIA256-SHA',
     'DH-DSS-CAMELLIA256-SHA',
     'DH-RSA-CAMELLIA256-SHA',
     'DHE-DSS-CAMELLIA256-SHA',
     'DHE-RSA-CAMELLIA256-SHA',
     'DH-ANON-CAMELLIA256-SHA',

       // psk ciphersuites (rfc4279)
     'PSK-RC4-SHA',
     'PSK-3DES-SHA',
     'PSK-AES128-SHA',
     'PSK-AES256-SHA',
     'DHE-PSK-RC4-SHA',
     'DHE-PSK-3DES-SHA',
     'DHE-PSK-AES128-SHA',
     'DHE-PSK-AES256-SHA',
     'RSA-PSK-RC4-SHA',
     'RSA-PSK-3DES-SHA',
     'RSA-PSK-AES128-SHA',
     'RSA-PSK-AES256-SHA',
     'RSA-SEED-SHA',
     'DH-DSS-SEED-SHA',
     'DH-RSA-SEED-SHA',
     'DHE-DSS-SEED-SHA',
     'DHE-RSA-SEED-SHA',
     'DH-ANON-SEED-SHA',

       // SRP
     'SRP-SHA-3DES-SHA',
     'SRP-SHA-RSA-3DES-SHA',
     'SRP-SHA-DSS-3DES-SHA',
     'SRP-SHA-AES128-SHA',
     'SRP-SHA-RSA-AES128-SHA',
     'SRP-SHA-DSS-AES128-SHA',
     'SRP-SHA-AES256-SHA',
     'SRP-SHA-RSA-AES256-SHA',
     'SRP-SHA-DSS-AES256-SHA',

       // ECC
     'ECDH-ECDSA-NULL-SHA',
     'ECDH-ECDSA-RC4-SHA',
     'ECDH-ECDSA-3DES-SHA',
     'ECDH-ECDSA-AES128-SHA',
     'ECDH-ECDSA-AES256-SHA',
     'ECDHE-ECDSA-NULL-SHA',
     'ECDHE-ECDSA-RC4-SHA',
     'ECDHE-ECDSA-3DES-SHA',
     'ECDHE-ECDSA-AES128-SHA',
     'ECDHE-ECDSA-AES256-SHA',
     'ECDH-RSA-NULL-SHA',
     'ECDH-RSA-RC4-SHA',
     'ECDH-RSA-3DES-SHA',
     'ECDH-RSA-AES128-SHA',
     'ECDH-RSA-AES256-SHA',
     'ECDHE-RSA-NULL-SHA',
     'ECDHE-RSA-RC4-SHA',
     'ECDHE-RSA-3DES-SHA',
     'ECDHE-RSA-AES128-SHA',
     'ECDHE-RSA-AES256-SHA',
     'ECDH-ANON-NULL-SHA',
     'ECDH-ANON-RC4-SHA',
     'ECDH-ANON-3DES-SHA',
     'ECDH-ANON-AES128-SHA',
     'ECDH-ANON-AES256-SHA',

       // TLS 1.2 (RFC5246)
     'RSA-NULL-SHA256',
     'RSA-AES128-SHA256',
     'RSA-AES256-SHA256',
     'DH-DSS-AES128-SHA256',
     'DH-RSA-AES128-SHA256',
     'DHE-DSS-AES128-SHA256',
     'DHE-RSA-AES128-SHA256',
     'DH-DSS-AES256-SHA256',
     'DH-RSA-AES256-SHA256',
     'DHE-DSS-AES256-SHA256',
     'DHE-RSA-AES256-SHA256',
     'DH-ANON-AES128-SHA256',
     'DH-ANON-AES256-SHA256',

       // AES-GCM ciphers (RFC5288)
     'RSA-AES128-GCM-SHA256',
     'RSA-AES256-GCM-SHA384',
     'DHE-RSA-AES128-GCM-SHA256',
     'DHE-RSA-AES256-GCM-SHA384',
     'DH-RSA-AES128-GCM-SHA256',
     'DH-RSA-AES256-GCM-SHA384',
     'DHE-DSS-AES128-GCM-SHA256',
     'DHE-DSS-AES256-GCM-SHA384',
     'DH-DSS-AES128-GCM-SHA256',
     'DH-DSS-AES256-GCM-SHA384',
     'DH-ANON-AES128-GCM-SHA256',
     'DH-ANON-AES256-GCM-SHA384',

       // EC AES-GCM and SHA2 ciphers (RFC5289)
     'ECDHE-ECDSA-AES128-SHA256',
     'ECDHE-ECDSA-AES256-SHA384',
     'ECDH-ECDSA-AES128-SHA256',
     'ECDH-ECDSA-AES256-SHA384',
     'ECDHE-RSA-AES128-SHA256',
     'ECDHE-RSA-AES256-SHA384',
     'ECDH-RSA-AES128-SHA256',
     'ECDH-RSA-AES256-SHA384',
     'ECDHE-ECDSA-AES128-GCM-SHA256',
     'ECDHE-ECDSA-AES256-GCM-SHA384',
     'ECDH-ECDSA-AES128-GCM-SHA256',
     'ECDH-ECDSA-AES256-GCM-SHA384',
     'ECDHE-RSA-AES128-GCM-SHA256',
     'ECDHE-RSA-AES256-GCM-SHA384',
     'ECDH-RSA-AES128-GCM-SHA256',
     'ECDH-RSA-AES256-GCM-SHA384',

       // PSK AES-GCM and SHA2 ciphers (RFC5487)
     'PSK-AES128-GCM-SHA256',
     'PSK-AES256-GCM-SHA384',
     'DHE-PSK-AES128-GCM-SHA256',
     'DHE-PSK-AES256-GCM-SHA384',
     'RSA-PSK-AES128-GCM-SHA256',
     'RSA-PSK-AES256-GCM-SHA384',
     'PSK-AES128-SHA256',
     'PSK-AES256-SHA384',
     'PSK-NULL-SHA256',
     'PSK-NULL-SHA384',
     'DHE-PSK-AES128-SHA256',
     'DHE-PSK-AES256-SHA384',
     'DHE-PSK-NULL-SHA256',
     'DHE-PSK-NULL-SHA384',
     'RSA-PSK-AES128-SHA256',
     'RSA-PSK-AES256-SHA384',
     'RSA-PSK-NULL-SHA256',
     'RSA-PSK-NULL-SHA384',


       // camellia sha-2 ciphersuites (RFC 5932)
     'RSA-CAMELLIA128-SHA256',
     'DH-DSS-CAMELLIA128-SHA256',
     'DH-RSA-CAMELLIA128-SHA256',
     'DHE-DSS-CAMELLIA128-SHA256',
     'DHE-RSA-CAMELLIA128-SHA256',
     'DH-ANON-CAMELLIA128-SHA256',
     'RSA-CAMELLIA256-SHA256',
     'DH-DSS-CAMELLIA256-SHA256',
     'DH-RSA-CAMELLIA256-SHA256',
     'DHE-DSS-CAMELLIA256-SHA256',
     'DHE-RSA-CAMELLIA256-SHA256',
     'DH-ANON-CAMELLIA256-SHA256',


       // camellia EC, GCM and PSK ciphersuites (RFC 6367)
     'ECDHE-ECDSA-CAMELLIA128-SHA256',
     'ECDHE-ECDSA-CAMELLIA256-SHA384',
     'ECDH-ECDSA-CAMELLIA128-SHA256',
     'ECDH-ECDSA-CAMELLIA256-SHA384',
     'ECDHE-RSA-CAMELLIA128-SHA256',
     'ECDHE-RSA-CAMELLIA256-SHA384',
     'ECDH-RSA-CAMELLIA128-SHA256',
     'ECDH-RSA-CAMELLIA256-SHA384',
     'RSA-CAMELLIA128-GCM-SHA256',
     'RSA-CAMELLIA256-GCM-SHA384',
     'DHE-RSA-CAMELLIA128-GCM-SHA256',
     'DHE-RSA-CAMELLIA256-GCM-SHA384',
     'DH-RSA-CAMELLIA128-GCM-SHA256',
     'DH-RSA-CAMELLIA256-GCM-SHA384',
     'DHE-DSS-CAMELLIA128-GCM-SHA256',
     'DHE-DSS-CAMELLIA256-GCM-SHA384',
     'DH-DSS-CAMELLIA128-GCM-SHA256',
     'DH-DSS-CAMELLIA256-GCM-SHA384',
     'DH-anon-CAMELLIA128-GCM-SHA256',
     'DH-anon-CAMELLIA256-GCM-SHA384',
     'ECDHE-ECDSA-CAMELLIA128-GCM-SHA256',
     'ECDHE-ECDSA-CAMELLIA256-GCM-SHA384',
     'ECDH-ECDSA-CAMELLIA128-GCM-SHA256',
     'ECDH-ECDSA-CAMELLIA256-GCM-SHA384',
     'ECDHE-RSA-CAMELLIA128-GCM-SHA256',
     'ECDHE-RSA-CAMELLIA256-GCM-SHA384',
     'ECDH-RSA-CAMELLIA128-GCM-SHA256',
     'ECDH-RSA-CAMELLIA256-GCM-SHA384',
     'PSK-CAMELLIA128-GCM-SHA256',
     'PSK-CAMELLIA256-GCM-SHA384',
     'DHE-PSK-CAMELLIA128-GCM-SHA256',
     'DHE-PSK-CAMELLIA256-GCM-SHA384',
     'RSA-PSK-CAMELLIA128-GCM-SHA256',
     'RSA-PSK-CAMELLIA256-GCM-SHA384',
     'PSK-CAMELLIA128-SHA256',
     'PSK-CAMELLIA256-SHA384',
     'DHE-PSK-CAMELLIA128-SHA256',
     'DHE-PSK-CAMELLIA256-SHA384',
     'RSA-PSK-CAMELLIA128-SHA256',
     'RSA-PSK-CAMELLIA256-SHA384',
     'ECDHE-PSK-CAMELLIA128-SHA256',
     'ECDHE-PSK-CAMELLIA256-SHA384',


       // ECDHE-PSK ciphersuites (RFC 5489)
     'ECDHE-PSK-RC4-SHA',
     'ECDHE-PSK-3DES-SHA',
     'ECDHE-PSK-AES128-SHA',
     'ECDHE-PSK-AES256-SHA',
     'ECDHE-PSK-AES128-SHA256',
     'ECDHE-PSK-AES256-SHA384',
     'ECDHE-PSK-NULL-SHA',
     'ECDHE-PSK-NULL-SHA256',
     'ECDHE-PSK-NULL-SHA384',

       // CHACHA20POLY1305
     'ECDHE-RSA-CHACHA20-POLY1305-SHA256',
     'ECDHE-ECDSA-CHACHA20-POLY1305-SHA256',
     'DHE-RSA-CHACHA20-POLY1305-SHA256'
