How to disable RC4 cipher on Azure Web Roles

Question

I have a web application that is hosted on Microsoft Azure Web-Role. How can I disable RC4 cipher?

Answer 1

The problem I encountered using a Powershell script was that the keys that require modifying contain a forward slash and Powershell treats this as a path separator and the script fails.

The solution was to create a console application and set that to run at start up:

class Program
{
    static void Main(string[] args)
    {
        string[] subKeys = new string[]
        {
            "RC4 40/128",
            "RC4 56/128",
            "RC4 64/128",
            "RC4 128/128",
        };

        RegistryKey parentKey = Registry.LocalMachine.OpenSubKey(
            @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers", true);

        foreach (string keyName in subKeys)
        {
            var newKey = parentKey.CreateSubKey(keyName);
            newKey.SetValue("Enabled", 0);
            newKey.Close();
        }
        parentKey.Close();
    }
}

Copy the output file (DisableRc4.exe in my case) to the root of the webrole and set to Copy Always

Create a file DisableRc4.cmd containing

.\DisableRc4.exe
EXIT /B 0

Update ServiceDefinition.csdef for your web role as follows

<Startup>
    <Task commandLine="DisableRc4.cmd" executionContext="elevated" taskType="simple" />
</Startup>

I verified RC4 support was removed using https://www.ssllabs.com/ssltest/index.html

Before startup modified

After

Answer 2

SSL 3.0 is disabled in PaaS Guest OS images after the January release. See http://azure.microsoft.com/en-us/documentation/articles/cloud-services-guestos-update-matrix/ for more info.

Why do you think SSL 3.0 is still enabled?