THE INFORMATION IN THIS ARTICLE APPLIES TO:
NOTE: This registry setting is disabled as of EFT v7.3.7. In EFT v7.3.7 and later the setting has been migrated to the EFT administration interface, where the diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha1 key exchange (KEX) methods are disabled by default. Refer to "Configuring SFTP for a Site" in the EFT help documentation for your version of EFT for details on specifying the SFTP advanced security options.
DISCUSSION
In EFT versions 7.2.1 through 7.3.6, the diffie-hellman-group1-sha1 KEX for SFTP is disabled by default to protect against the Logjam attack. Enabling the diffie-hellman-group1-sha1 KEX (which carries the Logjam vulnerability) will cause EFT to fail PCI DSS v3.1 compliance scans. The DWORD value below is set to 0 (disabled) by default.
You can override this protection and enable the diffie-hellman-group1-sha1 KEX for SFTP for the sake of client compatibility (at the expense of being vulnerable to the Logjam attack and being non-compliant with PCI DSS v3.1 and later) by creating or editing the registry setting below and setting its DWORD value to 1 (enabled).
Create the following registry entry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.2
Value name: SFTPEnableGroup1Kex
Value type: DWORD
- Default value: 0
- 0 = Disabled
- 1 = Enabled
- Cached: yes
- Backup/Restore: yes
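The following PowerShell snippet is an added audit helper, not GlobalSCAPE's own code: it reads the value described above, treats a missing key or value as the built-in default (0 = disabled), and offers a remediation function that writes 0 back. It assumes the 64-bit key path given in this article (the WOW6432Node component), applies to EFT 7.2.1 through 7.3.6, and must be run in an elevated session to write to HKLM.

```powershell
# Key and value names as documented in this article.
$EftKey   = 'HKLM:\SOFTWARE\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.2'
$EftValue = 'SFTPEnableGroup1Kex'

function Get-EftGroup1KexState {
    # Returns whether the value exists, its raw data, and whether the
    # Logjam-vulnerable diffie-hellman-group1-sha1 KEX is effectively enabled.
    $data = $null
    if (Test-Path -LiteralPath $EftKey) {
        $item = Get-ItemProperty -LiteralPath $EftKey -Name $EftValue -ErrorAction SilentlyContinue
        if ($null -ne $item) { $data = [int]$item.$EftValue }
    }
    [pscustomobject]@{
        Key     = $EftKey
        Value   = $EftValue
        Present = ($null -ne $data)
        Data    = $data
        # A missing value means EFT's default (0 = disabled) is in effect;
        # only an explicit 1 enables the weak KEX.
        Enabled = ($data -eq 1)
    }
}

function Disable-EftGroup1Kex {
    # Remediation: create the key if needed and explicitly set the value to 0.
    if (-not (Test-Path -LiteralPath $EftKey)) {
        New-Item -Path $EftKey -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $EftKey -Name $EftValue -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = Get-EftGroup1KexState
if ($state.Enabled) {
    Write-Warning "diffie-hellman-group1-sha1 KEX is ENABLED: Logjam-vulnerable and fails PCI DSS v3.1 scans."
    # Uncomment to remediate: Disable-EftGroup1Kex
} else {
    Write-Host ("diffie-hellman-group1-sha1 KEX is disabled (value present: {0}, data: {1})." -f $state.Present, $state.Data)
}
```

The article lists the value as cached, so check the EFT documentation for your version on whether the server must be restarted before a change takes effect.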
MORE INFORMATION
The following external articles might also be helpful: