Disable RC4 in A10

Product Discussions ADC - Application Delivery
1

How can we disable rc4 in A10?
There is no option of RC4 in cipher template.
Can I do something like this?
DEFAULT:!RC4:!SSLv3:!SSLv2:!TLSv1
If yes, where to add this?
Thanks in advance!

2

Within the cipher template, only ciphers which are added will be offered for negotiation. If you exclude the RC4 ciphers from the template, this effectively disables RC4. Attached is the supported ciphers list.

A10-Thunder-SSL_Cipher_List_05122020.pdf (267 KB)

3

Thanks for your response.
If I don’t select any specific cipher template in the client-ssl, does it mean it will present all the ciphers in this list to the user?
Interestingly, I tested a VIP in ssllabs and could see that RC4 is enabled for TLS 1.2 1.1 and 1.0 as well, but when I see the list of ciphers it presents while creating a new cipher template, there is no cipher with RC4 in it…

4

That is curious. Yes, if no ciphers are specified, then the default should be all ciphers which the device supports.
What version of ACOS are you running? Would you like to share your cipher & client-ssl template here?

5

version 4.1.1-P6, build 62 (Nov-10-2017,20:11)

there is no cipher template attached to this client-ssl template.
when I test this VIP in ssllabs, I see this:
TLS_RSA_WITH_RC4_128_SHA (0x5)  INSECURE
==========================
This is but I get when I try to create a new cipher template: But I don’t see so many Ciphers in the GUI. Interestingly, the cipher shown above is not in the below list. I am curious from where is it coming and how to disable RC4 in all the protocols.

A10(config)#slb template cipher test6
A10(config-cipher)#?
 clear                Clear or Reset Functions
 do                  To run exec commands in config mode
 end                 Exit from configure mode
 exit                 Exit from configure mode or sub mode
 no                  Negate a command or set its defaults
 show                 Show Running System Information
 user-tag               Customized tag
 write                Write Configuration
 SSL3_RSA_DES_192_CBC3_SHA      SSL3_RSA_DES_192_CBC3_SHA
 SSL3_RSA_RC4_128_MD5         SSL3_RSA_RC4_128_MD5
 SSL3_RSA_RC4_128_SHA         SSL3_RSA_RC4_128_SHA
 TLS1_RSA_AES_128_SHA         TLS1_RSA_AES_128_SHA
 TLS1_RSA_AES_256_SHA         TLS1_RSA_AES_256_SHA
 TLS1_RSA_AES_128_SHA256       TLS1_RSA_AES_128_SHA256
 TLS1_RSA_AES_256_SHA256       TLS1_RSA_AES_256_SHA256
 TLS1_DHE_RSA_AES_128_GCM_SHA256   TLS1_DHE_RSA_AES_128_GCM_SHA256
 TLS1_DHE_RSA_AES_128_SHA       TLS1_DHE_RSA_AES_128_SHA
 TLS1_DHE_RSA_AES_128_SHA256     TLS1_DHE_RSA_AES_128_SHA256
 TLS1_DHE_RSA_AES_256_GCM_SHA384   TLS1_DHE_RSA_AES_256_GCM_SHA384
 TLS1_DHE_RSA_AES_256_SHA       TLS1_DHE_RSA_AES_256_SHA
 TLS1_DHE_RSA_AES_256_SHA256     TLS1_DHE_RSA_AES_256_SHA256
 TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256 TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256
 TLS1_ECDHE_ECDSA_AES_128_SHA     TLS1_ECDHE_ECDSA_AES_128_SHA
 TLS1_ECDHE_ECDSA_AES_128_SHA256   TLS1_ECDHE_ECDSA_AES_128_SHA256
 TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384 TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384
 TLS1_ECDHE_ECDSA_AES_256_SHA     TLS1_ECDHE_ECDSA_AES_256_SHA
 TLS1_ECDHE_RSA_AES_128_GCM_SHA256  TLS1_ECDHE_RSA_AES_128_GCM_SHA256
 TLS1_ECDHE_RSA_AES_128_SHA      TLS1_ECDHE_RSA_AES_128_SHA
 TLS1_ECDHE_RSA_AES_128_SHA256    TLS1_ECDHE_RSA_AES_128_SHA256
 TLS1_ECDHE_RSA_AES_256_GCM_SHA384  TLS1_ECDHE_RSA_AES_256_GCM_SHA384
 TLS1_ECDHE_RSA_AES_256_SHA      TLS1_ECDHE_RSA_AES_256_SHA
 TLS1_RSA_AES_128_GCM_SHA256     TLS1_RSA_AES_128_GCM_SHA256
 TLS1_RSA_AES_256_GCM_SHA384     TLS1_RSA_AES_256_GCM_SHA384
 TLS1_ECDHE_RSA_AES_256_SHA384    TLS1_ECDHE_RSA_AES_256_SHA384
 TLS1_ECDHE_ECDSA_AES_256_SHA384   TLS1_ECDHE_ECDSA_AES_256_SHA384
A10(config-cipher)#

slb template client-ssl *.xxx
 chain-cert godaddy_bundle-CA-G2 
 cert xxx
 client-certificate Ignore 
 forward-proxy-verify-cert-fail-action drop 
 forward-proxy-cert-revoke-action bypass 
 forward-proxy-cert-unknown-action bypass 
 forward-proxy-hash-persistence-interval 30 
 forward-proxy-ssl-version 33 
 forward-proxy-cert-cache timeout 3600 
 forward-proxy-cert-cache limit 524288 
 forward-proxy-cert-not-ready-action bypass 
 key xxx 
 session-cache-size 0 
 session-cache-timeout 0 
 session-ticket-lifetime 0 
 version 33 32 
!

6

I do see the confusion around that cipher. I also can find no reference of it in the supported cipher list or in the configuration options.
My recommendation would be to configure a cipher template and bind that to the client-ssl template. You already have “version” configured, so adding the cipher template should produce the desired results.