On Tue, Jan 25, 2011 at 9:29 AM, Kevin Bombino <[email protected]> wrote:
> We recently deployed Apache FTP Server in a small production environment.
> It's causing our PCI Compliance scan to send us a security warning because
> it supports SSL connections via "weak ciphers". I found the
> "enabled-ciphersuites" configuration directive but am not exactly clear on
> how it should be set. Can someone point me to an example as to how to
> either enable just TLSv1 or disable low/medium cipher strengths?

You need to list the desired cipher suites as per what your JRE supports. In the case of, for example, Sun JRE 1.5, you can find the list here:

http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA (scroll down a bit)

This list differs somewhat between JREs, so look up the correct implementation. As for which cipher suites to enable, you have to look into your PCI compliance requirements.

/niklas
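
One way to build that list for whichever JRE the server runs on, as an added example that is not part of the original reply or of Apache FTP Server: it asks JSSE for the suites it supports, drops names matching an assumed deny list, and prints the rest space-separated for use as the `enabled-ciphersuites` value. The class name `ListCipherSuites` and the contents of `WEAK_MARKERS` are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocketFactory;

public class ListCipherSuites {

    // Assumed deny list (illustrative): name fragments for NULL encryption,
    // anonymous key exchange, export-grade keys, single DES, RC4 and RC2.
    // Extend or trim it to match what the compliance scan flags.
    private static final String[] WEAK_MARKERS = {
        "_NULL_", "_anon_", "_EXPORT_", "_DES_", "_RC4_", "_RC2_"
    };

    static boolean isWeak(String suite) {
        if (suite.endsWith("_MD5")) {
            return true; // suite uses an MD5-based MAC
        }
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    static List<String> filter(String[] supported) {
        List<String> kept = new ArrayList<String>();
        for (String suite : supported) {
            if (!isWeak(suite)) {
                kept.add(suite);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Ask the running JRE's JSSE provider which suites it supports.
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        List<String> kept = filter(factory.getSupportedCipherSuites());

        // Join with single spaces so the line can be pasted as one value.
        StringBuilder value = new StringBuilder();
        for (String suite : kept) {
            if (value.length() > 0) {
                value.append(' ');
            }
            value.append(suite);
        }
        System.out.println(value);
    }
}
```

Run it with the same JRE that runs the server, then re-run the compliance scan to confirm the remaining suites pass.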
