The strongest SSL/TLS configuration
How to achieve, and even exceed, FIPS 140-2/-3 compliance on all Syncplify Server! TLS protocol handlers
This article complements the one we wrote some time ago about achieving the strongest security posture for the SSH (SFTP, SCP, …) protocol family.
Syncplify Server! uses SSL/TLS based protocol handlers in three subsystems:
Its own management web UIs (Admin UI and SuperAdmin UI)
The FTPS/FTPES protocol handler
The HTTPS protocol handler (aka WebClient!)
Customers often ask how to achieve, or even exceed, the security requirements set forth by regulations like FIPS 140 (/2 and /3). The answer is all about configuration.
You want to achieve an sslscan result like the one in the picture below on all three of the endpoints listed above:
In order to do so, you will have to configure the TLS settings in three different places. Here below we will show you where and how.
For the SuperAdmin and Admin UIs
The TLS configuration used by Syncplify Server! to run its own SuperAdmin and Admin UIs can be found in the SuperAdmin UI, under Globalconfig → Binding. To achieve the level of security shown here above, you want to configure it like this:
Please consider that for these changes to take effect, the ss6-webrest system service must be restarted.
For the FTPS/FTPES protocol handler
The TLS settings used by and for the FTP(E/S) protocol handler are found in the Admin UI, under Security → FTP(E/S) → Advanced. Configure the following settings to achieve the above-mentioned security posture:
Please consider that for these changes to take effect, all of your ss6-wrk system services must be restarted.
For the HTTPS protocol handler (WebClient! UI)
The TLS settings used by and for the HTTPS/WebClient! protocol handler are found in the Admin UI, under Security → HTTPS/WebClient! → Advanced. Configure the following settings to achieve the above-mentioned security posture:
Please consider that for these changes to take effect, all of your ss6-wrk system services must be restarted.
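The three handlers above are configured through the UI, so here is an added Go example (not Syncplify's own code) that expresses the same posture as a tls.Config and then checks it the way sslscan does: one handshake per protocol version against a local stand-in server. StrongTLSConfig, StartTestServer and Probe are names chosen for this example; Probe can also be pointed at a TLS-on-connect endpoint of your own, such as the Admin UI or WebClient! port, to confirm that TLS 1.0 and 1.1 are refused.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// StrongTLSConfig captures the posture the article aims for: TLS 1.2 as the floor and only
// ECDHE + AES-GCM suites, so no CBC, RSA key transport, RC4 or 3DES is ever offered.
func StrongTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// StartTestServer runs a loopback HTTPS server with cfg (httptest adds a self-signed test cert); it stands in for the three Syncplify endpoints.
func StartTestServer(cfg *tls.Config) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = cfg
	srv.StartTLS()
	return srv
}

// Probe plays one sslscan row: it offers the server exactly one protocol version and
// reports whether the handshake was accepted and which cipher suite was negotiated.
func Probe(addr string, version uint16) (accepted bool, suite uint16) {
	// InsecureSkipVerify is tolerable only because the stand-in certificate is self-signed.
	conn, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: version, MaxVersion: version, InsecureSkipVerify: true})
	if err != nil {
		return false, 0 // e.g. "protocol version not supported" for TLS 1.0/1.1
	}
	defer conn.Close()
	return true, conn.ConnectionState().CipherSuite
}

func main() {
	srv := StartTestServer(StrongTLSConfig())
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		ok, suite := Probe(addr, v)
		fmt.Printf("version 0x%04x accepted=%-5v suite=%s\n", v, ok, tls.CipherSuiteName(suite))
	}
}
```

A correctly hardened endpoint shows accepted=false for 0x0301 and 0x0302 (TLS 1.0 and 1.1) and an ECDHE AES-GCM suite for TLS 1.2.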
Conclusions and caveats
It is strongly recommended that you run your Syncplify Server! with an SSL/TLS configuration that meets or exceeds the requirements set forth in the FIPS 140 regulation; this ensures a higher degree of safety for your secure file transfer server and services.
The only caveat (if we can call it a caveat) is that a few older client applications may not support cipher suites strong enough to connect to your secure server. In that case, please bear in mind that lowering your server’s security is a last resort and is never a good idea. In this edge case, the best course of action is always to upgrade the client software to a more recent, more secure version.