Disable RC4 Ciphers

Well, I recently had an experience which left me a little more knowledgeable and with a little egg on my face too.

I had gotten a call from our InfoSec team that one of our servers was accepting connections using RC4 ciphers. As RC4 is considered weak these ciphers need to be disabled.

After beating my head against it for a while I decided it was time to contact the OS Makers, Microsoft in this case, to see what I was doing wrong.

I had a conversation with Microsoft Support and although their preferred tool is IISCrypto, we could not install it on the server as it required .net4.

In the end I sent the relevant registry section to the Microsoft Tech who setup a system on his end to test and indeed the RC4 Ciphers were disabled.

Hmmm, I couldn't go back and tell Information Security that it must be good because it worked on another system, what am I to do?

Well, I sent an email back to the Microsoft Tech explaining that Information Security would not accept this as an answer and asked if there was a remote tool they use that might validate that RC4 ciphers were no longer enabled.

After sending the email, and before I got a response, I got to thinking.

This wasn't a normal web server, this was a citrix gateway. Could it be that IIS is not the culprit but some citrix software? And here is where the egg came in....

I logged onto the server and ran a "netstat -ano | findstr 443 | findstr /I listening" which yielded the following;

citrix_gw_netstatFrom the above you can see that process 4860, far right in the image was listening on port 443.

I then used the task manager to determine the process name;

citrix_gw_taskmanagerAnd there EggOnMyFace I stood...

So, now I was back to looking for the solution, but at least I was on the right road. I tried several things I found, some didn't work at all and some worked but incorrectly.

In the end, the information that was most helpful was to understand the cipher policy in Citrix Secure Gateway. There are three policies you can set.

  • GOV
    You can configure the Secure Gateway/Secure Gateway Proxy to use the following government strength cipher suite: AES256-SHA,DES-CBC3-SHA
  • COM
    You can configure the Secure Gateway/Secure Gateway Proxy to use the following commercial strength cipher suites: RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA
  • ALL
    You can configure the Secure Gateway/Secure Gateway Proxy to use both the commercial and government strength cipher suites. This option is useful when deploying the Secure Gateway/Secure Gateway Proxy in an environment where some client devices support only COM while others support only GOV.

 

Since I knew I didn't want the RC4 ciphers, I ran the Secure Gateway Configuration Wizard, selected "Advanced" configuration type and on the third screen, the one after selecting the certificate, and selected the GOV cipher suite.

citrix_gw_config

After completing the configuration, and restarting the service, low and behold the RC4 ciphers were no longer enabled.

Leave a Reply