Disable RC4 in A10
kakumaku
How can we disable rc4 in A10?
There is no option of RC4 in cipher template.
Can I do something like this?
DEFAULT:!RC4:!SSLv3:!SSLv2:!TLSv1
If yes, where to add this?
Thanks in advance!
Comments
Within the cipher template, only ciphers which are added will be offered for negotiation. If you exclude the RC4 ciphers from the template, this effectively disables RC4. Attached is the supported ciphers list.
Thanks for your response.
If I don't select any specific cipher template in the client-ssl, does it mean it will present all the ciphers in this list to the user?
Interestingly, I tested a VIP in ssllabs and could see that RC4 is enabled for TLS 1.2, 1.1 and 1.0 as well, but when I look at the list of ciphers it presents while creating a new cipher template, there is no cipher with RC4 in it.
That is curious. Yes, if no ciphers are specified, then the default should be all ciphers which the device supports.
What version of ACOS are you running? Would you like to share your cipher & client-ssl template here?
version 4.1.1-P6, build 62 (Nov-10-2017,20:11)
======================
There is no cipher template attached to this client-ssl template.
When I test this VIP in ssllabs, I see this:
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE
======================
This is what I get when I try to create a new cipher template. But I don't see so many ciphers in the GUI. Interestingly, the cipher shown above is not in the list below. I am curious where it is coming from and how to disable RC4 in all the protocols.
A10(config)#slb template cipher test6
A10(config-cipher)#?
clear Clear or Reset Functions
do To run exec commands in config mode
end Exit from configure mode
exit Exit from configure mode or sub mode
no Negate a command or set its defaults
show Show Running System Information
user-tag Customized tag
write Write Configuration
SSL3_RSA_DES_192_CBC3_SHA SSL3_RSA_DES_192_CBC3_SHA
SSL3_RSA_RC4_128_MD5 SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA SSL3_RSA_RC4_128_SHA
TLS1_RSA_AES_128_SHA TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_SHA256 TLS1_RSA_AES_128_SHA256
TLS1_RSA_AES_256_SHA256 TLS1_RSA_AES_256_SHA256
TLS1_DHE_RSA_AES_128_GCM_SHA256 TLS1_DHE_RSA_AES_128_GCM_SHA256
TLS1_DHE_RSA_AES_128_SHA TLS1_DHE_RSA_AES_128_SHA
TLS1_DHE_RSA_AES_128_SHA256 TLS1_DHE_RSA_AES_128_SHA256
TLS1_DHE_RSA_AES_256_GCM_SHA384 TLS1_DHE_RSA_AES_256_GCM_SHA384
TLS1_DHE_RSA_AES_256_SHA TLS1_DHE_RSA_AES_256_SHA
TLS1_DHE_RSA_AES_256_SHA256 TLS1_DHE_RSA_AES_256_SHA256
TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256 TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256
TLS1_ECDHE_ECDSA_AES_128_SHA TLS1_ECDHE_ECDSA_AES_128_SHA
TLS1_ECDHE_ECDSA_AES_128_SHA256 TLS1_ECDHE_ECDSA_AES_128_SHA256
TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384 TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384
TLS1_ECDHE_ECDSA_AES_256_SHA TLS1_ECDHE_ECDSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_GCM_SHA256 TLS1_ECDHE_RSA_AES_128_GCM_SHA256
TLS1_ECDHE_RSA_AES_128_SHA TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_128_SHA256 TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_256_GCM_SHA384 TLS1_ECDHE_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_256_SHA TLS1_ECDHE_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256 TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384 TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_256_SHA384 TLS1_ECDHE_RSA_AES_256_SHA384
TLS1_ECDHE_ECDSA_AES_256_SHA384 TLS1_ECDHE_ECDSA_AES_256_SHA384
A10(config-cipher)#
======================
slb template client-ssl *.xxx
chain-cert godaddy_bundle-CA-G2
cert xxx
client-certificate Ignore
forward-proxy-verify-cert-fail-action drop
forward-proxy-cert-revoke-action bypass
forward-proxy-cert-unknown-action bypass
forward-proxy-hash-persistence-interval 30
forward-proxy-ssl-version 33
forward-proxy-cert-cache timeout 3600
forward-proxy-cert-cache limit 524288
forward-proxy-cert-not-ready-action bypass
key xxx
session-cache-size 0
session-cache-timeout 0
session-ticket-lifetime 0
version 33 32
!
=======================
I do see the confusion around that cipher. I also can find no reference to it in the supported cipher list or in the configuration options.
My recommendation would be to configure a cipher template and bind that to the client-ssl template. You already have "version" configured, so adding the cipher template should produce the desired results.
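As an added example (not from this thread and not A10 documentation), this is the shape of the configuration the last reply recommends: a cipher template containing only non-RC4 entries from the list the question shows, bound to the existing client-ssl template. Because an ACOS cipher template is an allow-list of named suites, as the first reply explains, there is nowhere to put an OpenSSL-style `!RC4` exclusion string; the exclusion is expressed by leaving the two `SSL3_RSA_RC4_*` entries out. The template name `no-rc4`, the `template cipher` binding line under client-ssl, and the use of `!` lines as comments are assumptions to check against the ACOS 4.1.1 command reference.

```text
! Added example, not from the thread. Template name "no-rc4" and the
! "template cipher" binding line are assumptions for ACOS 4.1.1.
slb template cipher no-rc4
  ! AEAD suites with forward secrecy, preferred
  TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256
  TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384
  TLS1_ECDHE_RSA_AES_128_GCM_SHA256
  TLS1_ECDHE_RSA_AES_256_GCM_SHA384
  TLS1_DHE_RSA_AES_128_GCM_SHA256
  TLS1_DHE_RSA_AES_256_GCM_SHA384
  ! CBC fallbacks for older clients, still with forward secrecy
  TLS1_ECDHE_RSA_AES_128_SHA256
  TLS1_ECDHE_RSA_AES_256_SHA384
  TLS1_ECDHE_RSA_AES_128_SHA
  TLS1_ECDHE_RSA_AES_256_SHA
  ! Deliberately omitted: SSL3_RSA_RC4_128_MD5, SSL3_RSA_RC4_128_SHA
  ! and SSL3_RSA_DES_192_CBC3_SHA (3DES), so none can be negotiated
!
slb template client-ssl *.xxx
  ! cert, key and the other existing lines stay as in the original
  version 33 32
  template cipher no-rc4
!
```

After binding the template, re-run the ssllabs test against the VIP: `TLS_RSA_WITH_RC4_128_SHA` should disappear from every protocol version, and the suites offered should match the template exactly. If RC4 is still reported, confirm that this client-ssl template is the one actually bound to the VIP's port.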