Our Products:   CompleteFTP  edtFTPnet/Free  edtFTPnet/PRO  edtFTPj/Free  edtFTPj/PRO
+1 vote
303 views
in edtFTPj by (170 points)
recategorized by

We have customers configuring MAC algorithms to hmac-sha2-256-etm@openssh.com or hmac-sha2-512-etm@openssh.com, but edtFTPj/PRO doesn't yet support these.

It appears from the OpenSSH specs https://www.openssh.com/specs.html that OpenSSH have defined a bunch of enhanced security specifications, which are now in common use.

Credible security recommendations such as Tenable are now listing two out of four recommended MAC settings as OpenSSH specs:  https://www.tenable.com/audits/items/CIS_Ubuntu_18.04_LTS_Server_v2.1.0_L1.audit:2dbcde6bce31fd58c2ebd4a19427cef6. 

I don't think these MAC and crypto features are individually particularly complicated to implement, but need to be supported to maintain parity with customer security expectations.

When is EDT planning to add support for these?

1 Answer

+1 vote
by (162k points)
selected by
 
Best answer
We normally don't support vendor-specific ciphers and MACs, but these ones are certainly quite widespread. I've added them as a feature request.
by (100 points)
Hello,
These algorithms are still not available on V12.1.1 EdtFtpNetPro.
Could you please tell us if this update is planned for a future version and provide us a expected date of availability?
Regards
by (162k points)
We're currently relooking at these. The main issue for us is that these are vendor-specific algorithms and are not defined in an RFC anywhere.
by (290 points)
Hello,

Just to follow up on this feature request. We have customers who wants to connect to AWS FTP but is unable to as edt does not support OpenSSH macs.

AWS Supported algorithms: https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html

Normally, one can ask if the third party can use a 'lower' security requirement, but it reflects negatively to the product and in turn to library (edt) that we are slow to support these changes. This is an issue, if the vendor only wants to use the latest algorithms.
by (162k points)
We've been slow to implement these algorithms because they are non-standard - there's never been an RFC written to define them and they are vendor-specific.

However, because AWS has chosen to use only these MACs, we've decided to implement them. They were added to edtFTPnet/PRO in the last release, and they will be added to edtFTPj/PRO asap - within a couple of weeks.

Categories

...