cindyfiller
asked on
Have disabled RC4 ciphers but report still shows I have weak RC4 ciphers
I've changed the registry settings to disable RC4 ciphers according to various web sites including the following: https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
However, whenever I run this test at Qualys: https://www.ssllabs.com/ssltest/ I'm still getting notified that I have weak RC4 ciphers. Specifically these are listed:
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_RSA_WITH_RC4_128_MD5 (0x4)
How do I disable these specifically in the registry?
Try using the IISCrypto tool, which reads the actual Windows SChannel settings:
https://www.nartac.com/Products/IISCrypto
Also to completely disable in registry do make sure the below from MS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
Note: You must install this security update (2868725) before you make the registry change above to completely disable RC4: https://support.microsoft.com/en-us/kb/2868725
ASKER
Yes I had restarted the server. I also tried to apply the patch listed above and it says it is not applicable to my computer. I assume that means I have it on there, but I can't find that specific update.
I have attached the 2 registry entries showing what I had done:
protocols.reg
ciphers.reg
Suggest you try the IISCrypto tool.
Even the MS reference has TLS registry entries, not only SSLv2 and SSLv3 - check out https://support.microsoft.com/en-us/kb/245030
The client and server subkeys designate each protocol. You can disable a protocol for either the client or the server. However, disabling Ciphers, Hashes, or CipherSuites affects both client and server sides. You would have to create the necessary subkeys under the Protocols key to achieve this. For example:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
But specifically for the SCHANNEL\Ciphers\RC4 128/128 subkey, it is to disable the below, two of which surfaced in your case:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
The tool can be tried out
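Both answers above point at the same two SChannel registry areas: the Ciphers\RC4 keys (one Enabled value each, affecting client and server alike) and the per-protocol Client/Server subkeys. The PowerShell below is an added example, not code from the thread or from IISCrypto: it creates the three RC4 cipher keys with Enabled=0 and reads both areas back so the result can be checked before rebooting and re-running the SSL Labs test. The function names are my own; the key paths are the ones quoted in the answers.

```powershell
# Added example, not code from the thread. Creates the three SChannel RC4
# cipher keys with Enabled=0, then reads back the Ciphers and Protocols state.
# "RC4 128/128" contains a slash, which the PowerShell registry provider
# (New-Item, Set-ItemProperty) reads as a path separator, so the .NET
# RegistryKey API is used. Run elevated; SChannel re-reads the keys on reboot.
$SChannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Rc4Keys  = 'RC4 128/128', 'RC4 40/128', 'RC4 56/128'
$Hklm     = [Microsoft.Win32.Registry]::LocalMachine

function Disable-SChannelRC4 {
    # CreateSubKey opens the key when it already exists and creates it otherwise
    $ciphers = $Hklm.CreateSubKey("$SChannel\Ciphers")
    foreach ($name in $Rc4Keys) {
        $key = $ciphers.CreateSubKey($name)
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
    $ciphers.Close()
}

function Get-SChannelState {
    $rows = @()
    # Cipher keys affect both client and server sides (one Enabled value each)
    $ciphers = $Hklm.OpenSubKey("$SChannel\Ciphers")
    if ($ciphers) {
        foreach ($name in $ciphers.GetSubKeyNames()) {
            $key  = $ciphers.OpenSubKey($name)
            $rows += [pscustomobject]@{ Key = "Ciphers\$name"; Enabled = $key.GetValue('Enabled', '(not set)'); DisabledByDefault = 'n/a' }
        }
    }
    # Protocol keys are split into Client and Server subkeys
    $protocols = $Hklm.OpenSubKey("$SChannel\Protocols")
    if ($protocols) {
        foreach ($proto in $protocols.GetSubKeyNames()) {
            foreach ($side in 'Client', 'Server') {
                $key = $protocols.OpenSubKey("$proto\$side")
                if (-not $key) { continue }
                $rows += [pscustomobject]@{
                    Key               = "Protocols\$proto\$side"
                    Enabled           = $key.GetValue('Enabled', '(not set)')
                    DisabledByDefault = $key.GetValue('DisabledByDefault', '(not set)')
                }
            }
        }
    }
    $rows
}

Disable-SChannelRC4
Get-SChannelState | Format-Table -AutoSize
```

A row showing Enabled = 0 for each of the three RC4 keys is what the registry needs to look like; the SSL Labs result only changes after the reboot.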
ASKER
Thanks to both of you! I really blew the cipher registry entries. I was manually typing them. I had found specifics on creating dwords for the protocols and assumed the ciphers were the same... of course they weren't. I have corrected those entries (imported the correct ones) and have added the other protocols.
Thanks for sharing.
Export your HKEY_LOCAL_MACHINE\SYSTEM\