I also need to disable weak SSH algorithms and enable TLS 1.2 supported protocols for SSH.
Admin, Prefs, SFTP port, SSH tab, Ciphers allows you to control that.
Admin, Prefs, Encryption, SSL allows you to restrict the TLS versions. Do not remove "SSLv2Hello" as it's not a real protocol, but generally required.
You need Java 8 too for TLS 1.2 to work.
Just dragging this one up again, can you post a list of all the available ciphers and MAC algorithms that are supported in Crush? (7.3 is the version we are on.)
I would like to restrict some of the weaker ones, but there are not many left using the out-of-the-box config we have when I take away CBC and 96-bit, etc., so I assume some stronger ciphers are now available out of the box?
There is no point in doing any restriction in your version. You're vulnerable to other more important SFTP issues. Security isn't a pick and choose...either you stay current and are safe from all known issues, or you stay behind and are vulnerable to potentially many issues. Changing a cipher makes things a little more secure...but you have other gaping holes that can only be fixed by updating and staying current.
Thanks for the update, Ben.
We are not publishing the WebUI at all, so not concerned with the holes that may be in that, but if a version upgrade is required before we can get any further info on acceptable SSH ciphers to use, I will upgrade to the latest version and come back to this.
The holes aren't in the WebUI. The holes are in the SSH protocol. So upgrading is required.