Hi team, Can you help us to disable RC4 Cipher on SSL. Big-IP Version 11.5 Thanks! Goldz

Hi, For example, You can configure the following cipher in your ssl profile : DEFAULT:!RC4

I have RC4 disabled but am still getting a grade of B running against qualys SSL server test: This server accepts RC4 cipher, but only with older clients. Grade capped to B. SSL profile setting = DEFAULT:!SSLv3:!TLSv1:!RC4:@STRENGTH Any feedback?

How to disable RC4 Cipher on SSL

Azim_IIPL
Cirrus
Nov 12, 2024
jaikumar_f5thank you for your prompt response

Azim_IIPL

Cirrus

Nov 12, 2024

Hi jaikumar_f5

Is there any impact if we are going to disable RC4 cipher, please your input is valuable

jaikumar_f5

MVP

Nov 12, 2024

RC4 was recommended to be disabled many years back. Guess in 2015 due to many vulnerabilities and AES alone is encouraged. RC4 is a considered insecure for modern app and many organizations by default have RC4 disabled.

So in short, unless you have a very old legacy application which relies on RC4, one doesn't have to worry.

Azim_IIPL

Cirrus

Nov 12, 2024

Hi jaikumar_f5 can you please

One more query how can verify we are not disabled RC4 in the ciphers list..

following is the output of our appliances

list /sys httpd ssl-ciphersuite sys httpd { ssl-sslciphersuite "ALL" }

ltm cipher group IS-recommend-Cipher { allow { ECDHE-RSA-CHACHA20-POLY1305-SHA256 { } ECDHE-RSA-AES256-GCM-SHA384 { } ECDHE-RSA-AES128-GCM-SHA256 { } ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 { } ECDHE-ECDSA-AES256-GCM-SHA384 { } ECDHE-ECDSA-AES128-GCM-SHA256 { } DHE-RSA-AES256-GCM-SHA384 { } DHE-RSA-AES128-GCM-SHA256 { }

show /ltm cipher rule
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Ltm::Cipher::Rule
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name                        Result
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
f5-aes                      ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDH-RSA-AES128-GCM-SHA256/TLS1.2:ECDH-RSA-AES256-GCM-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDH-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDH-ECDSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-DSS-AES128-GCM-SHA256/TLS1.2:DHE-DSS-AES256-GCM-SHA384/TLS1.2:ADH-AES128-GCM-SHA256/TLS1.2:ADH-AES256-GCM-SHA384/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES128-SHA256/TLS1.2:ECDH-RSA-AES128-SHA/TLS1.0:ECDH-RSA-AES128-SHA/TLS1.1:ECDH-RSA-AES128-SHA/TLS1.2:ECDH-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES256-SHA/TLS1.0:ECDH-RSA-AES256-SHA/TLS1.1:ECDH-RSA-AES256-SHA/TLS1.2:AES128-SHA/SSLv3:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-SHA/SSLv3:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDH-ECDSA-AES128-SHA/TLS1.0:ECDH-ECDSA-AES128-SHA/TLS1.1:ECDH-ECDSA-AES128-SHA/TLS1.2:ECDH-ECDSA-AES128-SHA256/TLS1.2:ECDH-ECDSA-AES256-SHA/TLS1.0:ECDH-ECDSA-AES256-SHA/TLS1.1:ECDH-ECDSA-AES256-SHA/TLS1.2:ECDH-ECDSA-AES256-SHA384/TLS1.2:DHE-RSA-AES128-SHA/SSLv3:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES256-SHA/SSLv3:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-DSS-AES128-SHA/SSLv3:DHE-DSS-AES128-SHA/TLS1.0:DHE-DSS-AES128-SHA/TLS1.1:DHE-DSS-AES128-SHA/TLS1.2:DHE-DSS-AES128-SHA/DTLS1.0:DHE-DSS-AES128-SHA256/TLS1.2:DHE-DSS-AES256-SHA/SSLv3:DHE-DSS-AES256-SHA/TLS1.0:DHE-DSS-AES256-SHA/TLS1.1:DHE-DSS-AES256-SHA/TLS1.2:DHE-DSS-AES256-SHA/DTLS1.0:DHE-DSS-AES256-SHA256/TLS1.2:ADH-AES128-SHA/SSLv3:ADH-AES128-SHA/TLS1.0:ADH-AES256-SHA/SSLv3:ADH-AES256-SHA/TLS1.0
f5-default                  ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-CAMELLIA128-SHA/TLS1.0:DHE-RSA-CAMELLIA128-SHA/TLS1.1:DHE-RSA-CAMELLIA128-SHA/TLS1.2:DHE-RSA-CAMELLIA256-SHA/TLS1.0:DHE-RSA-CAMELLIA256-SHA/TLS1.1:DHE-RSA-CAMELLIA256-SHA/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
f5-ecc                      ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2:ECDHE-RSA-DES-CBC3-SHA/TLS1.0:ECDHE-RSA-DES-CBC3-SHA/TLS1.1:ECDHE-RSA-DES-CBC3-SHA/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2:ECDHE-ECDSA-DES-CBC3-SHA/TLS1.0:ECDHE-ECDSA-DES-CBC3-SHA/TLS1.1:ECDHE-ECDSA-DES-CBC3-SHA/TLS1.2
f5-hw_keys                  ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA/TLS1.2:ECDH-RSA-AES256-GCM-SHA384/TLS1.2:ECDH-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES256-SHA/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:AES256-SHA/TLS1.2:ECDHE-RSA-DES-CBC3-SHA/TLS1.2:DHE-RSA-DES-CBC3-SHA/TLS1.2:ECDH-RSA-DES-CBC3-SHA/TLS1.2:DES-CBC3-SHA/TLS1.2:ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-SHA/TLS1.2:ECDH-RSA-AES128-GCM-SHA256/TLS1.2:ECDH-RSA-AES128-SHA256/TLS1.2:ECDH-RSA-AES128-SHA/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:AES128-SHA/TLS1.2:RC4-SHA/TLS1.2:RC4-MD5/TLS1.2:DHE-RSA-DES-CBC-SHA/TLS1.2:DHE-RSA-CAMELLIA256-SHA/TLS1.2:CAMELLIA256-SHA/TLS1.2:DHE-RSA-CAMELLIA128-SHA/TLS1.2
f5-secure                   ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/DTLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/DTLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3:TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
f5-quic                     TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
DHE-RSA-AES128-GCM-SHA256   DHE-RSA-AES128-GCM-SHA256/TLS1.2
DHE-RSA-AES256-GCM-SHA384   DHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256 ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2

prt1969_120570
Nimbostratus
Dec 06, 2016
I have RC4 disabled but am still getting a grade of B running against qualys SSL server test: This server accepts RC4 cipher, but only with older clients. Grade capped to B.

SSL profile setting = DEFAULT:!SSLv3:!TLSv1:!RC4:@STRENGTH

Any feedback?

jaikumar_f5

MVP

May 31, 2016

Hope it helps.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm) create profile client-ssl No-RC4-clientssl defaults-from clientssl ciphers DEFAULT:!RC4
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm) list profile client-ssl No-RC4-clientssl 
ltm profile client-ssl No-RC4-clientssl {
    app-service none
    cert default.crt
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    chain none
    ciphers DEFAULT:!RC4
    defaults-from clientssl
    inherit-certkeychain true
    key default.key
    passphrase none
}

Yann_Desmarest
Cirrus
May 31, 2016
Hi,

For example, You can configure the following cipher in your ssl profile :
DEFAULT:!RC4

Forum Discussion

How to disable RC4 Cipher on SSL

Recent Discussions

NAT for specific IPs

Upgrading BIGIP 2000S to R2600

TS Declarations for DNS

how to view list os client support via cli

automatic learning logs/report ?

Related Content

Disabling Weak Ciphers

Disable below cipher

Disabling Specific Weak Cipher Suites

Disabling Ciphers

Cipher Suites Supported (12.1.5.3)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS