How to disable RC4 cipher on Azure Web Roles

情书的邮戳 2021-01-05 00:05

I have a web application that is hosted on a Microsoft Azure Web Role. How can I disable the RC4 cipher?

4 Answers
  • 2021-01-05 00:56

    Last week there was a blog post update which will disable the RC4 cipher by default on cloud services: https://azure.microsoft.com/en-us/blog/azure-services-ssl-tls-cipher-suite-update-and-removal-of-rc4/

    This update should be rolling out this month, and if the operating system version is configured as automatic, it will be automatically installed on the cloud service (see image below).

    Next guest OS: WA-GUEST-OS-4.31_201604-01
    Release date: May 2 2016

    [Image: operating system version configuration]

  • 2021-01-05 00:56

    I see a few of us discussing PowerShell and the issue with using a forward slash "/" in a script, but the code below solves the problem. It works.

    ([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128') 
    
  • 2021-01-05 00:57

    SSL 3.0 is disabled in PaaS Guest OS images after the January release. See http://azure.microsoft.com/en-us/documentation/articles/cloud-services-guestos-update-matrix/ for more info.

    Why do you think SSL 3.0 is still enabled?

  • 2021-01-05 01:01

    The problem I encountered using a PowerShell script was that the keys that require modifying contain a forward slash, and PowerShell treats this as a path separator and the script fails.

    The solution was to create a console application and set that to run at startup:

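    using Microsoft.Win32;

    class Program
    {
        static void Main(string[] args)
        {
            // SCHANNEL cipher key names. The "/" is part of the key name;
            // the .NET registry API only treats "\" as a path separator.
            string[] subKeys = new string[]
            {
                "RC4 40/128",
                "RC4 56/128",
                "RC4 64/128",
                "RC4 128/128",
            };
    
            // Open the parent key for writing (requires an elevated context).
            RegistryKey parentKey = Registry.LocalMachine.OpenSubKey(
                @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", true);
    
            foreach (string keyName in subKeys)
            {
                // Create the key (or open it if it already exists) and
                // set Enabled = 0; an int is stored as a REG_DWORD.
                var newKey = parentKey.CreateSubKey(keyName);
                newKey.SetValue("Enabled", 0);
                newKey.Close();
            }
            parentKey.Close();
        }
    }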
    

    Copy the output file (DisableRc4.exe in my case) to the root of the webrole and set to Copy Always

    Create a file DisableRc4.cmd containing

    .\DisableRc4.exe
    EXIT /B 0
    

    Update ServiceDefinition.csdef for your web role as follows

    <Startup>
        <Task commandLine="DisableRc4.cmd" executionContext="elevated" taskType="simple" />
    </Startup>
    

    I verified RC4 support was removed using https://www.ssllabs.com/ssltest/index.html

    [Image: before startup cmd]

    [Image: after startup cmd]

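Added example, not part of any answer above: a PowerShell counterpart to the console application. It writes the same four keys through the .NET registry API (so the "/" stays part of the key name) and then reads them back to confirm that `Enabled` is 0. The function names `Disable-Rc4Cipher` and `Get-Rc4CipherState` are hypothetical, and the script assumes it runs elevated.

```powershell
$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$Rc4Names    = 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'

function Disable-Rc4Cipher {
    # The .NET registry API treats only "\" as a separator, so the "/" in
    # each cipher name is kept literally instead of being split as a path.
    $parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($CiphersPath, $true)
    if ($null -eq $parent) { throw "Cannot open HKLM\$CiphersPath for writing" }
    try {
        foreach ($name in $Rc4Names) {
            $key = $parent.CreateSubKey($name)   # opens the key if it already exists
            try { $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
            finally { $key.Close() }
        }
    }
    finally { $parent.Close() }
}

function Get-Rc4CipherState {
    # Read-only audit: emits one object per RC4 key with its current state.
    $parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($CiphersPath)
    try {
        foreach ($name in $Rc4Names) {
            $key   = if ($parent) { $parent.OpenSubKey($name) }
            $value = if ($key) { $key.GetValue('Enabled'); $key.Close() }
            $state = if (-not $key)            { 'KeyMissing' }
                     elseif ($null -eq $value) { 'EnabledValueMissing' }
                     elseif ($value -eq 0)     { 'Disabled' }
                     else                      { 'NotDisabled' }
            [pscustomobject]@{ Cipher = $name; Enabled = $value; State = $state }
        }
    }
    finally { if ($parent) { $parent.Close() } }
}

Disable-Rc4Cipher
$report = @(Get-Rc4CipherState)
$report | Format-Table -AutoSize

# Flag any key that did not end up disabled so the gap shows in the task output.
$notDisabled = @($report | Where-Object { $_.State -ne 'Disabled' })
if ($notDisabled.Count -gt 0) {
    Write-Warning ("RC4 keys not disabled: " + ($notDisabled.Cipher -join ', '))
}
```

`Get-Rc4CipherState` can also be run on its own as a non-modifying check, for example after a guest OS update.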