I have a web application that is hosted on Microsoft Azure Web-Role. How can I disable RC4 cipher?
Last week there was a blog post update which will disable RC4 cypher by default on cloud services. https://azure.microsoft.com/en-us/blog/azure-services-ssl-tls-cipher-suite-update-and-removal-of-rc4/
This update should be rolling out this month and if the operating system version is configured as automatic it will be automatically installed on the cloud service(see image below)
Next guest OS: WA-GUEST-OS-4.31_201604-01
Release date: May 2 2016
Operation system version configuration
I see few of us discussing about Powershell and issue using forward "/" in script, but the below solves the problem. It works.
([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128')
SSL 3.0 is disabled in PaaS Guest OS images after the January release. See http://azure.microsoft.com/en-us/documentation/articles/cloud-services-guestos-update-matrix/ for more info.
Why do you think SSL 3.0 is still enabled?
The problem I encountered using a Powershell script was that the keys that require modifying contain a forward slash and Powershell treats this as a path separator and the script fails.
The solution was to create a console application and set that to run at start up:
class Program
{
static void Main(string[] args)
{
string[] subKeys = new string[]
{
"RC4 40/128",
"RC4 56/128",
"RC4 64/128",
"RC4 128/128",
};
RegistryKey parentKey = Registry.LocalMachine.OpenSubKey(
@"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", true);
foreach (string keyName in subKeys)
{
var newKey = parentKey.CreateSubKey(keyName);
newKey.SetValue("Enabled", 0);
newKey.Close();
}
parentKey.Close();
}
}
Copy the output file (DisableRc4.exe in my case) to the root of the webrole and set to Copy Always
Create a file DisableRc4.cmd containing
.\DisableRc4.exe
EXIT /B 0
Update ServiceDefinition.csdef for your web role as follows
<Startup>
<Task commandLine="DisableRc4.cmd" executionContext="elevated" taskType="simple" />
</Startup>
I verified RC4 support was removed using https://www.ssllabs.com/ssltest/index.html
Before startup modified
After