9

I have a web application that is hosted on Microsoft Azure Web-Role. How can I disable RC4 cipher?

Mahmoud Samy

4 Answers

9

The problem I encountered using a PowerShell script was that the keys that require modifying contain a forward slash, and PowerShell treats this as a path separator and the script fails.

The solution was to create a console application and set that to run at start up:

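```csharp
using Microsoft.Win32;

class Program
{
    static void Main(string[] args)
    {
        // SCHANNEL cipher subkeys, one per RC4 key length
        string[] subKeys = new string[]
        {
            "RC4 40/128",
            "RC4 56/128",
            "RC4 64/128",
            "RC4 128/128",
        };

        // Open the Ciphers key with write access (needs an elevated process)
        RegistryKey parentKey = Registry.LocalMachine.OpenSubKey(
            @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", true);

        foreach (string keyName in subKeys)
        {
            // Create (or open) the subkey and set Enabled = 0 to disable the cipher
            var newKey = parentKey.CreateSubKey(keyName);
            newKey.SetValue("Enabled", 0);
            newKey.Close();
        }
        parentKey.Close();
    }
}
```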

Copy the output file (DisableRc4.exe in my case) to the root of the web role and set to Copy Always.

Create a file DisableRc4.cmd containing:

```
.\DisableRc4.exe
EXIT /B 0
```

Update ServiceDefinition.csdef for your web role as follows:

```xml
<Startup>
    <Task commandLine="DisableRc4.cmd" executionContext="elevated" taskType="simple" />
</Startup>
```

I verified RC4 support was removed using https://www.ssllabs.com/ssltest/index.html


sharptooth
Alex S
  • Your code and explanation are quite good, but in my case there is an error reading the Registry: "Requested registry access is not allowed". It didn't happen to you? – nrod Oct 06 '15 at 10:27
  • No, never had that issue. Do you have `executionContext="elevated"` in the startup? – Alex S Oct 06 '15 at 10:31
  • 1
    My code is as: ` ` (didn't try the background yet, it was simple) – nrod Oct 06 '15 at 10:49
  • I got a successful deploy in TEST but no SSL. In PROD it did not work. No errors but no practical effects as well. The empty .cmd was not the reason. I have to keep digging... – nrod Oct 06 '15 at 19:53
  • 1
    As smarks noted on startup files: "Be sure to create it [cmd file] with notepad or another ASCII text editor… batch files created in Visual Studio seem to have a byte order mark at the top that makes them fail when executed." – Bern Dec 08 '15 at 15:09
1

SSL 3.0 is disabled in PaaS Guest OS images after the January release. See http://azure.microsoft.com/en-us/documentation/articles/cloud-services-guestos-update-matrix/ for more info.

Why do you think SSL 3.0 is still enabled?

kwill
  • Sorry, it was my fault. I want to disable RC4 cipher not SSL 3.0 – Mahmoud Samy Apr 21 '15 at 18:35
  • 1
    @m.samy Then you should update your question, or close this one and ask a new one. – BenV Apr 21 '15 at 18:55
  • You can use the script at http://azure.microsoft.com/blog/2014/10/19/how-to-disable-ssl-3-0-in-azure-websites-roles-and-virtual-machines/ to enable or disable whichever cipher suites you choose. – kwill Apr 21 '15 at 22:30
  • But I still do not see rc4 cipher suite disabled by default on my web role instances. – Ognyan Dimitrov May 07 '15 at 08:53
1

Last week there was a blog post update which will disable RC4 cipher by default on cloud services. https://azure.microsoft.com/en-us/blog/azure-services-ssl-tls-cipher-suite-update-and-removal-of-rc4/

This update should be rolling out this month, and if the operating system version is configured as automatic it will be automatically installed on the cloud service (see image below).

Next guest OS: WA-GUEST-OS-4.31_201604-01
Release date: May 2 2016

Operation system version configuration

wagner
0

I see a few of us discussing PowerShell and the issue of using a forward slash "/" in the script, but the code below solves the problem. It works.

```powershell
([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128')
```

Mogsdad
Maheshk
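
The registry change discussed in the answers above, written as a PowerShell script that sets `Enabled` to 0 on all four RC4 keys and then reads each value back, which helps when a deployment reports no errors but shows no effect. This is an added example, not code from any of the answers; the function name `Disable-Rc4Cipher` is hypothetical, and the script assumes an elevated session (for example a startup task with `executionContext="elevated"`).

```powershell
# Added example, not from the original answers. Assumes an elevated session.
$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$Rc4KeyNames = 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'

# Disable-Rc4Cipher is a hypothetical helper name chosen for this example.
function Disable-Rc4Cipher {
    # CreateSubKey opens the key for writing and creates it if it is missing.
    # The .NET registry API treats '/' as a literal character in a key name,
    # so the path-separator problem of the registry provider does not arise.
    $parent = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($CiphersPath)
    try {
        foreach ($name in $Rc4KeyNames) {
            $key = $parent.CreateSubKey($name)
            try {
                $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            } finally {
                $key.Close()
            }
        }
        # Read each value back through a separate read-only handle so the
        # report reflects what is stored rather than what was requested.
        foreach ($name in $Rc4KeyNames) {
            $check = $parent.OpenSubKey($name, $false)
            $value = if ($check) { $check.GetValue('Enabled', $null) } else { $null }
            if ($check) { $check.Close() }
            [pscustomobject]@{
                Cipher   = $name
                Enabled  = $value
                Disabled = ($value -is [int] -and $value -eq 0)
            }
        }
    } finally {
        $parent.Close()
    }
}

$results = @(Disable-Rc4Cipher)
$results | Format-Table -AutoSize
# A non-zero exit code tells the caller that at least one key was not set.
if ($results | Where-Object { -not $_.Disabled }) { exit 1 }
```

An external scan such as the SSL Labs test mentioned in the first answer remains the check that the endpoint no longer negotiates RC4.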