Hi team, Can you help us to disable RC4 Cipher on SSL. Big-IP Version 11.5 Thanks! Goldz

Hi, For example, You can configure the following cipher in your ssl profile : DEFAULT:!RC4

I have RC4 disabled but am still getting a grade of B running against qualys SSL server test: This server accepts RC4 cipher, but only with older clients. Grade capped to B. SSL profile setting = DEFAULT:!SSLv3:!TLSv1:!RC4:@STRENGTH Any feedback?

How to disable RC4 Cipher on SSL

8 Replies

Yann_Desmarest
Cirrus
May 31, 2016
Hi,

For example, You can configure the following cipher in your ssl profile :
DEFAULT:!RC4

jaikumar_f5

Noctilucent

May 31, 2016

Hope it helps.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm) create profile client-ssl No-RC4-clientssl defaults-from clientssl ciphers DEFAULT:!RC4
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm) list profile client-ssl No-RC4-clientssl 
ltm profile client-ssl No-RC4-clientssl {
    app-service none
    cert default.crt
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    chain none
    ciphers DEFAULT:!RC4
    defaults-from clientssl
    inherit-certkeychain true
    key default.key
    passphrase none
}

prt1969_120570
Nimbostratus
Dec 06, 2016
I have RC4 disabled but am still getting a grade of B running against qualys SSL server test: This server accepts RC4 cipher, but only with older clients. Grade capped to B.

SSL profile setting = DEFAULT:!SSLv3:!TLSv1:!RC4:@STRENGTH

Any feedback?

Azim_IIPL

Cirrus

Nov 12, 2024

Hi jaikumar_f5

Is there any impact if we are going to disable RC4 cipher, please your input is valuable

jaikumar_f5

Noctilucent

Nov 12, 2024

RC4 was recommended to be disabled many years back. Guess in 2015 due to many vulnerabilities and AES alone is encouraged. RC4 is a considered insecure for modern app and many organizations by default have RC4 disabled.

So in short, unless you have a very old legacy application which relies on RC4, one doesn't have to worry.

Azim_IIPL

Cirrus

Nov 12, 2024

Hi jaikumar_f5 can you please

One more query how can verify we are not disabled RC4 in the ciphers list..

following is the output of our appliances

list /sys httpd ssl-ciphersuite sys httpd { ssl-sslciphersuite "ALL" }

ltm cipher group IS-recommend-Cipher { allow { ECDHE-RSA-CHACHA20-POLY1305-SHA256 { } ECDHE-RSA-AES256-GCM-SHA384 { } ECDHE-RSA-AES128-GCM-SHA256 { } ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 { } ECDHE-ECDSA-AES256-GCM-SHA384 { } ECDHE-ECDSA-AES128-GCM-SHA256 { } DHE-RSA-AES256-GCM-SHA384 { } DHE-RSA-AES128-GCM-SHA256 { }

show /ltm cipher rule
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Ltm::Cipher::Rule
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name                        Result
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
f5-aes                      ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDH-RSA-AES128-GCM-SHA256/TLS1.2:ECDH-RSA-AES256-GCM-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDH-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDH-ECDSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-DSS-AES128-GCM-SHA256/TLS1.2:DHE-DSS-AES256-GCM-SHA384/TLS1.2:ADH-AES128-GCM-SHA256/TLS1.2:ADH-AES256-GCM-SHA384/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES128-SHA256/TLS1.2:ECDH-RSA-AES128-SHA/TLS1.0:ECDH-RSA-AES128-SHA/TLS1.1:ECDH-RSA-AES128-SHA/TLS1.2:ECDH-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES256-SHA/TLS1.0:ECDH-RSA-AES256-SHA/TLS1.1:ECDH-RSA-AES256-SHA/TLS1.2:AES128-SHA/SSLv3:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-SHA/SSLv3:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDH-ECDSA-AES128-SHA/TLS1.0:ECDH-ECDSA-AES128-SHA/TLS1.1:ECDH-ECDSA-AES128-SHA/TLS1.2:ECDH-ECDSA-AES128-SHA256/TLS1.2:ECDH-ECDSA-AES256-SHA/TLS1.0:ECDH-ECDSA-AES256-SHA/TLS1.1:ECDH-ECDSA-AES256-SHA/TLS1.2:ECDH-ECDSA-AES256-SHA384/TLS1.2:DHE-RSA-AES128-SHA/SSLv3:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES256-SHA/SSLv3:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-DSS-AES128-SHA/SSLv3:DHE-DSS-AES128-SHA/TLS1.0:DHE-DSS-AES128-SHA/TLS1.1:DHE-DSS-AES128-SHA/TLS1.2:DHE-DSS-AES128-SHA/DTLS1.0:DHE-DSS-AES128-SHA256/TLS1.2:DHE-DSS-AES256-SHA/SSLv3:DHE-DSS-AES256-SHA/TLS1.0:DHE-DSS-AES256-SHA/TLS1.1:DHE-DSS-AES256-SHA/TLS1.2:DHE-DSS-AES256-SHA/DTLS1.0:DHE-DSS-AES256-SHA256/TLS1.2:ADH-AES128-SHA/SSLv3:ADH-AES128-SHA/TLS1.0:ADH-AES256-SHA/SSLv3:ADH-AES256-SHA/TLS1.0
f5-default                  ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-CAMELLIA128-SHA/TLS1.0:DHE-RSA-CAMELLIA128-SHA/TLS1.1:DHE-RSA-CAMELLIA128-SHA/TLS1.2:DHE-RSA-CAMELLIA256-SHA/TLS1.0:DHE-RSA-CAMELLIA256-SHA/TLS1.1:DHE-RSA-CAMELLIA256-SHA/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
f5-ecc                      ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2:ECDHE-RSA-DES-CBC3-SHA/TLS1.0:ECDHE-RSA-DES-CBC3-SHA/TLS1.1:ECDHE-RSA-DES-CBC3-SHA/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2:ECDHE-ECDSA-DES-CBC3-SHA/TLS1.0:ECDHE-ECDSA-DES-CBC3-SHA/TLS1.1:ECDHE-ECDSA-DES-CBC3-SHA/TLS1.2
f5-hw_keys                  ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA/TLS1.2:ECDH-RSA-AES256-GCM-SHA384/TLS1.2:ECDH-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES256-SHA/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:AES256-SHA/TLS1.2:ECDHE-RSA-DES-CBC3-SHA/TLS1.2:DHE-RSA-DES-CBC3-SHA/TLS1.2:ECDH-RSA-DES-CBC3-SHA/TLS1.2:DES-CBC3-SHA/TLS1.2:ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-SHA/TLS1.2:ECDH-RSA-AES128-GCM-SHA256/TLS1.2:ECDH-RSA-AES128-SHA256/TLS1.2:ECDH-RSA-AES128-SHA/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:AES128-SHA/TLS1.2:RC4-SHA/TLS1.2:RC4-MD5/TLS1.2:DHE-RSA-DES-CBC-SHA/TLS1.2:DHE-RSA-CAMELLIA256-SHA/TLS1.2:CAMELLIA256-SHA/TLS1.2:DHE-RSA-CAMELLIA128-SHA/TLS1.2
f5-secure                   ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3:TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
f5-quic                     TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
DHE-RSA-AES128-GCM-SHA256   DHE-RSA-AES128-GCM-SHA256/TLS1.2
DHE-RSA-AES256-GCM-SHA384   DHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256 ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2

Azim_IIPL
Cirrus
Nov 12, 2024
jaikumar_f5thank you for your prompt response

Forum Discussion

How to disable RC4 Cipher on SSL

8 Replies

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

dns express reboot gtm

Load balancing NTP Servers

APM Access Policy|SSLVPN | SAML auth questionnaires

Unable to install firmware OS and drop at 10%

Two Arm Deployment mode using PBR

Related Content

Disabling Weak Ciphers

Disable below cipher

Disabling Specific Weak Cipher Suites

Disabling Ciphers

Cipher Suite Practices and Pitfalls

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS