Comments
-
@"ivodlouhy" Thanks, we appreciate your help with this and look forward to the update over the next few days. I'd just like to be really clear about how important it is that the password migration is seamless when the user logs in either by web client or automated means such as SFTP/FTP/FTPS. Please see my original post…
-
Thank you for this detailed information dougpapenthien. Does disabling the AES ciphers have potential compatibility issues? I don't know much about all this but I have seen a lot of browsers choose AES ciphers. bshopp do you know roughly when we can expect a fix? You mentioned an RC, is this something I can install?
-
No worries - this will be really useful for people, thanks for posting the full command you used.
-
I have disabled any CBC ciphers and SSLv2 which makes my SSL settings look like this.. However, the security check still fails and says the service is vulnerable to POODLE. bshopp can you please explain to us what needs to be done here?
-
Yes, exactly that! I've never seen anything like it. All independent, all at the same time. This made me think it was something Serv-U and time/date specific?
-
Thanks bshopp, looking forward to the fix - we will test for you as soon as you send it over.
-
I'm not sure if the link is unique per email address as I don't use this functionality, but you could raise it as a feature request or ask support if there is a way to do it.
-
@"ivodlouhy" Ok, however in many many cases it is policy not to allow many users to change the password of accounts to avoid them taking control of an account that may be used for a process, automated or otherwise. This is why the limit/setting settings in Serv-U to give admins that control to stop users breaking things. We…
-
I also tried to disable the two ciphers you mentioned previously (“RC4-SHA” and “RC4-MD5”) and the Qualys check said it was still vulnerable?
-
bshopp I have now seen the official SolarWinds recommendations for this. Please see my comments in bold, please let us know your responses. Thanks. • Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate the issue. Currently no option to disable 3.0. Please can you explain exactly what…
-
That's an interesting solution. Does that mean you have to create those accounts (with some random complex password), add them to a group and then block all IPs? The issue I can think of with this though is that they can still then try other user accounts/usernames on the same server without being blocked. So it only really…
-
This should cover it for you.. http://www.serv-u.com/kb/2160/Information-About-Passing-Command-Line-Parameters-to-External-Applications
-
@"ivodlouhy" Great, did these get added in v15.2 from the roadmap?
-
@"ivodlouhy" Any news on this? More users asking for support for modern ciphers as services like Azure SFTP do not support Diffie-Hellman Group 1 SHA1 by default, so they cannot connect to Serv-U.
-
Any update on this ivodlouhy? It basically means no one has been able to do multiple file uploads in the Web Client since April if they don't have admin rights to change their Java settings. Thanks.
-
I see! It's rather surprising and more an accident we found this. However, it is not a fix for our end users - any ideas?
-
Thanks for your reply. They are on separate VMs on separate hosts and no other issue like this has occurred with other software. Actually, all of the VM was running fine apart from Serv-U's leak. Our monitoring showed no gradual incline, they ALL just went bang at that time. It's a real mystery!
-
I agree with @josh.d, it sounds like your traffic may be going on a long trip and you're just seeing more of an effect in Serv-U. On an internet network I would expect to see more than 20MB/s for HTTP on the same subnet.
-
Hi trininox you preempted my next question! bshopp please can you let us know when can we expect a hotfix to upgrade the OpenSSL in Serv-U to avoid the issue above?
-
Following on from josh.d's suggestion, there is an event called 'User Added' which you can define within the Domain's Event tab... "User Added - Triggered by the creation of a user account by a remote administrator, in an ODBC database, or in the local Management Console." http://www.serv-u.com/kb/2056/ServU-Event-Details…
-
Thanks for the update ivodlouhy, disabling PASV isn't possible for most users who have automated processes or end users without support. Looking forward to the patch.
-
We have narrowed this down for you and it appears to be a bug where any file LESS than 101KB will not upload. A 100KB file will not upload (no such file error), a 101KB file will upload successfully. Please confirm you get the same results in your lab. bshopp This has been raised with support but needs escalating for an…
-
Please can we have an update on this bshopp it is a really urgent issue affecting all users.
-
Can you confirm if you have been able to replicate the issue as above?
-
Thanks @"ivodlouhy" - if anyone is reading this, this is resolved in 15.2.1 which is announced here: https://thwack.solarwinds.com/t5/Serv-U-FTP-Server-MFT-Server/Serv-U-FTP-Server-and-Serv-U-MFT-Server-version-15-2-1-are-now/m-p/596282
-
Versions 14.0.2 and 14.0.1 are available in the SolarWinds Customer Portal under Downloads > Download a Product
-
Ah ok, where are you seeing that information?
-
Ok @"ivodlouhy" we really hoped it would be in 15.2 but we will wait for the update. One reason it is important is that the SFTP connector on Microsoft Azure requires it and many people use that now and for this reason it is not compatible with Serv-U by default at present.
-
@"ivodlouhy" Thanks for the update, it is very very important that this is a seamless transition to the new password encryption method, as described in my post here.. https://thwack.solarwinds.com/t5/Serv-U-FTP-Server-MFT-Server/Serv-U-15-2-Forced-Password-change-for-ALL-accounts-entirely/m-p/595394/ For it to work for your…
-
@"ivodlouhy" Thank you for the info and look forward to the update. This also impacts users who access via the web client but do not have "Allow user to change password" limit/setting set. By default in Serv-U this was not on in previous versions so this applies to nearly all users. The other consideration with the above is…