
Optional Support for Legacy Insecure Ciphers for SFTP

Files.com supports modern, secure SFTP encryption algorithms by default, requiring all inbound SFTP connections to use only secure ciphers. Enabling insecure SFTP ciphers allows clients to negotiate legacy algorithms with known weaknesses.

This setting applies to all inbound SFTP connections; you cannot limit this setting to specific users or ciphers.

This feature exists only for legacy compatibility. Do not enable it for general use. Enable it only when a required client cannot negotiate modern ciphers.

Avoiding Use of This Setting

We strongly recommend not using this setting. Use of known insecure and weak ciphers is dangerous because users can mistakenly assume the connection is strongly encrypted.

Use of these settings will make your site ineligible for our HIPAA BAA program.

The best way to avoid the need for these settings is to ask all your clients, vendors, or counterparties to upgrade to the latest version of any app they are using.

Another option is to have those users switch to FTPS (FTP with TLS encryption) instead of SFTP. In many legacy systems the TLS implementation is kept more current than the SSH implementation, so a client that cannot negotiate modern SSH algorithms can often still negotiate modern TLS cipher suites.

When You Would Use This Setting

Enable legacy cipher support when a third-party SFTP client fails to connect because it only supports deprecated SSH encryption algorithms. This is common with older embedded systems, legacy enterprise software, and outdated integration tools.

Before enabling this setting, update the client software whenever possible. Upgrading the client is the preferred and safer solution.

Security Implications

Enabling legacy cipher support allows SFTP sessions to negotiate encryption algorithms that are considered cryptographically weak or deprecated. Although encryption remains in place, the strength of that encryption may not meet modern security standards.

When this setting is enabled:

If your organization operates in a regulated environment, you must evaluate the compliance implications before enabling this setting.

Determining Which Ciphers Are Being Used

Before enabling legacy cipher support, determine which encryption algorithms your clients are currently negotiating. Files.com provides reporting that shows which ciphers are being used by SFTP connections to your site.

This report allows you to identify clients that are already using modern secure algorithms and isolate those that rely on legacy ciphers. In many cases, only a small number of outdated systems require legacy support.

Reviewing this report before enabling legacy cipher support helps you make an informed decision and limit unnecessary risk.

How Cipher Negotiation Works

SFTP uses the SSH protocol. Files.com follows RFC 4253, section 7.1 when negotiating SFTP algorithms. During the initial handshake, the client and server each send their supported algorithms in order of preference and agree on key exchange, host key, encryption, and MAC algorithms before user authentication occurs. At that stage, the server does not know which user is connecting.

Because encryption is negotiated before authentication:

Even when legacy support is enabled, a client that prefers modern algorithms gets them. Under RFC 4253, section 7.1 the chosen algorithm is the first one in the client's preference list that the server also supports, so the client's ordering decides the outcome, not the server's. Weaker algorithms are used only when the client offers no stronger alternative or lists a weaker algorithm ahead of the stronger ones it supports; a client that is misconfigured to prefer a legacy algorithm will receive it even though it could have done better.

Algorithms Enabled by This Setting

When legacy cipher support is enabled, the following algorithms become available for negotiation.

The list includes both modern secure algorithms and legacy algorithms that are considered weak or deprecated. Entries marked (legacy) below are the ones that current hardening baselines reject: SHA-1 key exchange (including the 1024-bit group1), RSA signatures over SHA-1 (ssh-rsa), RC4 (arcfour), every CBC mode, 3DES and Blowfish, and MAC algorithms based on MD5 or SHA-1 or truncated to 96 bits.

Key Exchange
  ecdh-sha2-nistp521
  ecdh-sha2-nistp384
  ecdh-sha2-nistp256
  diffie-hellman-group-exchange-sha256
  diffie-hellman-group-exchange-sha1 (legacy)
  diffie-hellman-group18-sha512
  diffie-hellman-group17-sha512
  diffie-hellman-group16-sha512
  diffie-hellman-group15-sha512
  diffie-hellman-group14-sha256
  diffie-hellman-group14-sha1 (legacy)
  diffie-hellman-group1-sha1 (legacy)
  curve25519-sha256
  curve25519-sha256@libssh.org
  curve448-sha512

Server Host Key Algorithms
  ssh-rsa (legacy)
  rsa-sha2-256
  rsa-sha2-512

Encryption
  aes128-ctr (a.k.a. AES-128 SDCTR [AES-NI accelerated])
  aes192-ctr (a.k.a. AES-192 SDCTR [AES-NI accelerated])
  aes256-ctr (a.k.a. AES-256 SDCTR [AES-NI accelerated])
  arcfour256 (legacy)
  arcfour128 (legacy)
  aes128-cbc (legacy)
  3des-cbc (legacy)
  blowfish-cbc (legacy)
  aes192-cbc (legacy)
  aes256-cbc (legacy)
  chacha20-poly1305@openssh.com
  aes128-gcm@openssh.com
  aes256-gcm@openssh.com

MAC
  hmac-md5 (legacy)
  hmac-sha1 (legacy)
  hmac-sha2-256
  hmac-sha2-512
  hmac-sha1-96 (legacy)
  hmac-md5-96 (legacy)
  hmac-sha2-512-etm@openssh.com
  hmac-sha2-256-etm@openssh.com
  hmac-sha1-etm@openssh.com (legacy)

Some of the algorithms in this list are widely considered insecure by modern cryptographic standards. Enabling this setting allows clients to request those algorithms during negotiation, and a client that lists one of them ahead of the modern alternatives will be given it.
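The following Python is an added worked example, not Files.com code. It models the RFC 4253, section 7.1 rule described under How Cipher Negotiation Works, using the legacy-enabled list above as the server's proposals, and shows which of three kinds of client end up on a weak algorithm: one that only speaks modern algorithms, one that only speaks legacy ones (the case this setting exists for), and one that supports both but lists the legacy ones first. The three client proposal sets and the OpenSSH debug lines are constructed for illustration, and the strict (legacy-disabled) server list is an assumption: the page does not print the default list, so the example models it as the list above with the legacy entries removed. The last part parses the "debug1: kex:" lines that OpenSSH's sftp -vv prints, which is a client-side way to see what a particular client actually negotiates when the Files.com report is not at hand.

```python
import re

# Server proposals with legacy cipher support enabled, copied from the list
# above. Server order does not decide the outcome: RFC 4253 section 7.1 takes
# the first algorithm in the CLIENT's list that the server also supports.
SERVER_LEGACY = {
    "kex": ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512",
            "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512",
            "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1", "curve25519-sha256",
            "curve25519-sha256@libssh.org", "curve448-sha512"],
    "hostkey": ["ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128",
               "aes128-cbc", "3des-cbc", "blowfish-cbc", "aes192-cbc", "aes256-cbc",
               "chacha20-poly1305@openssh.com", "aes128-gcm@openssh.com",
               "aes256-gcm@openssh.com"],
    "mac": ["hmac-md5", "hmac-sha1", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1-96",
            "hmac-md5-96", "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256-etm@openssh.com", "hmac-sha1-etm@openssh.com"],
}

# Entries a modern policy rejects: SHA-1 key exchange (and 1024-bit group1),
# SHA-1 RSA signatures, RC4, all CBC modes, 3DES/Blowfish, MD5/SHA-1/96-bit MACs.
WEAK = {
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1", "ssh-rsa", "arcfour256", "arcfour128",
    "aes128-cbc", "3des-cbc", "blowfish-cbc", "aes192-cbc", "aes256-cbc",
    "hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96",
    "hmac-sha1-etm@openssh.com",
}

# ASSUMPTION: the page does not print the default (legacy-disabled) list, so
# this example models it as the legacy list with the WEAK entries removed.
SERVER_STRICT = {cat: [a for a in algs if a not in WEAK]
                 for cat, algs in SERVER_LEGACY.items()}

def negotiate(client_list, server_list):
    """RFC 4253 7.1: first client preference the server also lists, else None."""
    for name in client_list:
        if name in server_list:
            return name
    return None

def negotiate_session(client, server):
    """Negotiate every category; None in any category means the handshake fails."""
    return {cat: negotiate(client.get(cat, []), server[cat]) for cat in server}

def weak_categories(chosen):
    """Categories that failed to negotiate or landed on a WEAK algorithm."""
    return sorted(cat for cat, alg in chosen.items() if alg is None or alg in WEAK)

# Constructed client proposals for illustration (not captured from real software).
MODERN_CLIENT = {  # prefers modern algorithms and offers no legacy ones
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
}
LEGACY_CLIENT = {  # only deprecated algorithms: the case the setting exists for
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa"],
    "cipher": ["aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}
MISORDERED_CLIENT = {  # can do modern algorithms but lists legacy ones first
    "kex": ["diffie-hellman-group14-sha1", "curve25519-sha256"],
    "hostkey": ["ssh-rsa", "rsa-sha2-256"],
    "cipher": ["aes256-cbc", "aes256-ctr"],
    "mac": ["hmac-sha1", "hmac-sha2-256"],
}

# Client-side check: OpenSSH's `sftp -vv` prints the negotiated algorithms in
# these debug lines. The sample below is constructed, not a real capture.
SAMPLE_DEBUG = """\
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
"""
_PATTERNS = {
    "kex": re.compile(r"kex: algorithm: (\S+)"),
    "hostkey": re.compile(r"kex: host key algorithm: (\S+)"),
    "cipher": re.compile(r"kex: server->client cipher: (\S+) MAC: (\S+)"),
}

def parse_openssh_debug(text):
    """Extract kex, host key, cipher and MAC from OpenSSH -vv output."""
    found = {}
    for cat, pat in _PATTERNS.items():
        m = pat.search(text)
        if m:
            found[cat] = m.group(1)
            if cat == "cipher":
                found["mac"] = m.group(2)  # "<implicit>" for AEAD ciphers
    return found

if __name__ == "__main__":
    clients = [("modern", MODERN_CLIENT), ("legacy-only", LEGACY_CLIENT),
               ("misordered", MISORDERED_CLIENT)]
    for label, client in clients:
        for mode, server in [("strict", SERVER_STRICT), ("legacy", SERVER_LEGACY)]:
            chosen = negotiate_session(client, server)
            print(f"{label:11} vs {mode:6}: {chosen} weak={weak_categories(chosen)}")
    seen = parse_openssh_debug(SAMPLE_DEBUG)
    print("from debug output:", seen, "weak =", weak_categories(seen))
```

Two outcomes are worth noting. The legacy-only client fails every category against the strict list (each category negotiates to None), which is exactly the "cannot connect" symptom that leads people to enable the setting. The misordered client negotiates modern algorithms against the strict list but weak ones against the legacy list: enabling the setting made that client's session weaker even though it never needed the setting, which is why fixing the client's preference order (or leaving the setting off) is the better remedy for clients that can already do better.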

No Per-User or Per-Cipher Controls

Cipher policies cannot be restricted to individual users or specific folders. Because encryption negotiation occurs before authentication, the same policy applies to all SFTP connections to the site.

If you require strict cryptographic controls with no support for legacy algorithms, leave this setting disabled.

Allow Weak Diffie-Hellman Parameters for SFTP

Files.com provides a separate setting named Allow Weak Diffie-Hellman Parameters for SFTP. It expands compatibility by permitting weaker Diffie-Hellman key exchange parameters that some legacy clients require. With the diffie-hellman-group-exchange-* key exchange methods the client proposes the group size it wants, so "weaker parameters" means accepting smaller Diffie-Hellman groups (for example 1024-bit) than would otherwise be allowed; this lowers the strength of the key exchange even when the hash is SHA-256.

This option also applies sitewide and cannot be limited to specific users. It exists for compatibility with outdated systems and should only be enabled when necessary.

If you require broad client compatibility for migration purposes but want stronger encryption controls, consider using FTPS (FTP over TLS) instead, where cipher policies can be more tightly managed.

Enable legacy cipher support only when a business-critical integration cannot be upgraded. Document the reason for enabling it, and disable it as soon as the legacy client is replaced.

The preferred long-term configuration is to leave legacy cipher support disabled and require modern secure SFTP algorithms for all connections.
