Forum Discussion

Goldz_180077's avatar
Goldz_180077
Icon for Nimbostratus rankNimbostratus
May 31, 2016

How to disable RC4 Cipher on SSL

Hi team,   Can you help us to disable RC4 Cipher on SSL. Big-IP Version 11.5   Thanks!   Goldz  
application delivery
LTM
jaikumar_f5's avatar
jaikumar_f5
Icon for MVP rankMVP

RC4 was recommended to be disabled many years back. Guess in 2015 due to many vulnerabilities and AES alone is encouraged. RC4 is a considered insecure for modern app and many organizations by default have RC4 disabled. 

 

So in short, unless you have a very old legacy application which relies on RC4, one doesn't have to worry. 

Azim_IIPL's avatar
Azim_IIPL
Icon for Cirrus rankCirrus
Nov 12, 2024

 

Hi  jaikumar_f5  can you please 

 

One more query how can verify we are not disabled RC4 in the ciphers list..

 

following is the output of our appliances

 

list /sys httpd ssl-ciphersuite sys httpd { ssl-sslciphersuite "ALL" }

 

ltm cipher group IS-recommend-Cipher { allow { ECDHE-RSA-CHACHA20-POLY1305-SHA256 { } ECDHE-RSA-AES256-GCM-SHA384 { } ECDHE-RSA-AES128-GCM-SHA256 { } ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 { } ECDHE-ECDSA-AES256-GCM-SHA384 { } ECDHE-ECDSA-AES128-GCM-SHA256 { } DHE-RSA-AES256-GCM-SHA384 { } DHE-RSA-AES128-GCM-SHA256 { }

 

show /ltm cipher rule
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Ltm::Cipher::Rule
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name                        Result
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
f5-aes                      ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDH-RSA-AES128-GCM-SHA256/TLS1.2:ECDH-RSA-AES256-GCM-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDH-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDH-ECDSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-DSS-AES128-GCM-SHA256/TLS1.2:DHE-DSS-AES256-GCM-SHA384/TLS1.2:ADH-AES128-GCM-SHA256/TLS1.2:ADH-AES256-GCM-SHA384/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES128-SHA256/TLS1.2:ECDH-RSA-AES128-SHA/TLS1.0:ECDH-RSA-AES128-SHA/TLS1.1:ECDH-RSA-AES128-SHA/TLS1.2:ECDH-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES256-SHA/TLS1.0:ECDH-RSA-AES256-SHA/TLS1.1:ECDH-RSA-AES256-SHA/TLS1.2:AES128-SHA/SSLv3:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-SHA/SSLv3:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDH-ECDSA-AES128-SHA/TLS1.0:ECDH-ECDSA-AES128-SHA/TLS1.1:ECDH-ECDSA-AES128-SHA/TLS1.2:ECDH-ECDSA-AES128-SHA256/TLS1.2:ECDH-ECDSA-AES256-SHA/TLS1.0:ECDH-ECDSA-AES256-SHA/TLS1.1:ECDH-ECDSA-AES256-SHA/TLS1.2:ECDH-ECDSA-AES256-SHA384/TLS1.2:DHE-RSA-AES128-SHA/SSLv3:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES256-SHA/SSLv3:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-DSS-AES128-SHA/SSLv3:DHE-DSS-AES128-SHA/TLS1.0:DHE-DSS-AES128-SHA/TLS1.1:DHE-DSS-AES128-SHA/TLS1.2:DHE-DSS-AES128-SHA/DTLS1.0:DHE-DSS-AES128-SHA256/TLS1.2:DHE-DSS-AES256-SHA/SSLv3:DHE-DSS-AES256-SHA/TLS1.0:DHE-DSS-AES256-SHA/TLS1.1:DHE-DSS-AES256-SHA/TLS1.2:DHE-DSS-AES256-SHA/DTLS1.0:DHE-DSS-AES256-SHA256/TLS1.2:ADH-AES128-SHA/SSLv3:ADH-AES128-SHA/TLS1.0:ADH-AES256-SHA/SSLv3:ADH-AES256-SHA/TLS1.0
f5-default                  ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-CAMELLIA128-SHA/TLS1.0:DHE-RSA-CAMELLIA128-SHA/TLS1.1:DHE-RSA-CAMELLIA128-SHA/TLS1.2:DHE-RSA-CAMELLIA256-SHA/TLS1.0:DHE-RSA-CAMELLIA256-SHA/TLS1.1:DHE-RSA-CAMELLIA256-SHA/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
f5-ecc                      ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2:ECDHE-RSA-DES-CBC3-SHA/TLS1.0:ECDHE-RSA-DES-CBC3-SHA/TLS1.1:ECDHE-RSA-DES-CBC3-SHA/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2:ECDHE-ECDSA-DES-CBC3-SHA/TLS1.0:ECDHE-ECDSA-DES-CBC3-SHA/TLS1.1:ECDHE-ECDSA-DES-CBC3-SHA/TLS1.2
f5-hw_keys                  ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA/TLS1.2:ECDH-RSA-AES256-GCM-SHA384/TLS1.2:ECDH-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES256-SHA/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:AES256-SHA/TLS1.2:ECDHE-RSA-DES-CBC3-SHA/TLS1.2:DHE-RSA-DES-CBC3-SHA/TLS1.2:ECDH-RSA-DES-CBC3-SHA/TLS1.2:DES-CBC3-SHA/TLS1.2:ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-SHA/TLS1.2:ECDH-RSA-AES128-GCM-SHA256/TLS1.2:ECDH-RSA-AES128-SHA256/TLS1.2:ECDH-RSA-AES128-SHA/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:AES128-SHA/TLS1.2:RC4-SHA/TLS1.2:RC4-MD5/TLS1.2:DHE-RSA-DES-CBC-SHA/TLS1.2:DHE-RSA-CAMELLIA256-SHA/TLS1.2:CAMELLIA256-SHA/TLS1.2:DHE-RSA-CAMELLIA128-SHA/TLS1.2
f5-secure                   ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3:TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
f5-quic                     TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
DHE-RSA-AES128-GCM-SHA256   DHE-RSA-AES128-GCM-SHA256/TLS1.2
DHE-RSA-AES256-GCM-SHA384   DHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256 ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2

 

  • jaikumar_f5's avatar
    jaikumar_f5
    Icon for MVP rankMVP
    Nov 12, 2024

    The list sys httpd is the GUI part, which maps the settings of configuration utility. You can restrict the ciphers for GUI as well. Since it says All instead of DEFAULT, I'd presume based on the f5 versions openssl library, all the ciphers maybe included. The easy way to test and know would to run a sslscan against the management ip on port 443.

     

    Now coming to cipher suites or cipher group, beginning in v11.6, RC4 is disabled by default due to it's vulnerabilities. But as mentioned before, if there's a requirement to have RC4 enabled, one can explicitly mention it. Same way, often organizations make sure explicit disable is mentioned in cipher suites to be positive they are not enabled by mistake too. 

     

    Please refer - https://my.f5.com/manage/s/article/K16864

     

    If you using "IS-recommend-Cipher" Cipher group, you then got AES & CHACHA20 encryption algo's, not RC4.