GlobalSCAPE Knowledge Base

Enable or Disable Diffie-Hellman-group1-sha1 KEX for SFTP

Karla Marsh
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.2.1 - v7.3.6

NOTE: This registry setting is disabled as of EFT v7.3.7. This setting has been migrated to the EFT administration interface for EFT v7.3.7 and later. Diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha1 are disabled by default. Refer to "Configuring SFTP for a Site" in the EFT help documentation for details of specifying SFTP advanced security options:

For EFT v7.3.7: http://help.globalscape.com/help/eft7-3/#t=mergedProjects%2Feft%2FConfiguring_SFTP_for_a_Site.htm 

DISCUSSION

In EFT v7.2.1 - v7.3.6, the Diffie-Hellman-group1-sha1 KEX for SFTP is disabled by default to protect against the LOGJAM attack. Enabling the Diffie-Hellman-group1-sha1 KEX (with the LOGJAM vulnerability) will cause EFT to fail PCI DSS v3.1 compliance scans. The DWORD value below is set to 0 (disabled) by default.

You can override the protection and enable the Diffie-Hellman-group1-sha1 KEX for SFTP to allow client compatibility (at the expense of being vulnerable to the LOGJAM attack and being non-compliant with PCI DSS v3.1 and later) by creating or editing the registry setting below and setting the DWORD value to 1 (enabled).

Create the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.2

  • Type: DWORD
  • Value name: SFTPEnableGroup1Kex
  • Default Value: 0
  • 0 = Disabled
  • 1 = Enabled
  • Cached: yes
  • Backup/Restore: yes
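To audit a server for this override, the following PowerShell reads the value and reports whether the group1 KEX has been switched on, optionally resetting it to 0. This is an added example, not GlobalSCAPE code: the key path and value name come from this article, while the function name `Test-EftGroup1Kex` and its parameters are hypothetical, and it is only meaningful on EFT v7.2.1 - v7.3.6, where the registry setting is honored.

```powershell
# Added example (not vendor code). Audits the SFTPEnableGroup1Kex override and,
# with -Remediate, writes it back as DWORD 0. Run from an elevated session.
function Test-EftGroup1Kex {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Key path and value name as given in the article
        [string]$KeyPath   = 'HKLM:\SOFTWARE\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.2',
        [string]$ValueName = 'SFTPEnableGroup1Kex',
        [switch]$Remediate
    )

    $raw   = $null
    $state = 'Disabled (value absent, default 0 applies)'

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        $state = 'Key not found'
    }
    else {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $raw  = $item.$ValueName
            # A value stored with the wrong type (e.g. REG_SZ "1") is reported, not trusted
            $kind = (Get-Item -LiteralPath $KeyPath).GetValueKind($ValueName)
            if     ($kind -ne 'DWord') { $state = "Unexpected type: $kind" }
            elseif ($raw -eq 1)        { $state = 'ENABLED (group1 KEX override is on)' }
            elseif ($raw -eq 0)        { $state = 'Disabled' }
            else                       { $state = 'Unexpected value' }
        }
    }

    # Only touch a value that exists and is not already a clean DWORD 0
    if ($Remediate -and $null -ne $raw -and $state -ne 'Disabled') {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 0')) {
            # -Force overwrites the existing value, including one of the wrong type
            New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
                -PropertyType DWord -Value 0 -Force | Out-Null
            $state = 'Disabled (remediated)'
        }
    }

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Value = $raw; State = $state }
}

Test-EftGroup1Kex            # report only
# Test-EftGroup1Kex -Remediate -WhatIf   # preview the change before applying it
```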

MORE INFORMATION

The following external articles might also be helpful:

Details
Last Modified: 2 Years Ago
Last Modified By: kmarsh
Type: HOWTO