I am looking at disabling the RC4 and 3DES TLS ciphers in my application and wondering how to implement this.

The application is Angular/ASP.NET Core currently in the latest versions of both technologies. The application is hosted on a Red Hat 7 server.

winst135

1 Answer

Application level

You may try to force your app to only support TLS 1.3.

TLS 1.3 supports only ciphers thought to be secure.

This post explains how to do it for TLS 1.2; you would just have to change the

s.SslProtocols = SslProtocols.Tls12;

to

s.SslProtocols = SslProtocols.Tls13;

More information here

Feel free to test it with SSL Labs


You can stay on TLS 1.2 and manually choose your ciphers by doing this.

Proceed with absolute caution when doing this. You want to do this only if you absolutely know what you're doing.

using System.Net.Security;          // TlsCipherSuite, CipherSuitesPolicy
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

// Explicit allowlist: only the suites listed here are ever offered.
// TLS_AES_256_GCM_SHA384 is a TLS 1.3 suite; if TLS 1.2 clients must still
// connect, add the TLS 1.2 suites you want (ECDHE + AES-GCM) here as well.
var ciphersArray = new TlsCipherSuite[]
{
    TlsCipherSuite.TLS_AES_256_GCM_SHA384, // etc
};

var builder = WebApplication.CreateBuilder(args);
// builder.WebHost is the supported way to reach Kestrel from WebApplicationBuilder.
builder.WebHost.ConfigureKestrel(kestrelServerOptions =>
{
    kestrelServerOptions.ConfigureHttpsDefaults(w =>
    {
        // Runs for every new connection, just before the TLS handshake.
        w.OnAuthenticate = (x, s) =>
        {
            // Honoured on Linux/macOS (OpenSSL); throws PlatformNotSupportedException on Windows.
            var ciphers = new CipherSuitesPolicy(ciphersArray);
            s.CipherSuitesPolicy = ciphers;
        };
    });
});

var app = builder.Build();
app.Run();

OS Level

It's not your OS version, but this RHEL 8 doc could be interesting to you. As you can see, the DEFAULT option doesn't allow RC4 and 3DES.

Oxygel
  • I have implemented the code above, but when I run the tests it still shows those ciphers being offered. The VM is hosted in Azure; are there other things I will need to do on the Azure configuration side? – winst135 May 20 '22 at 10:52
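As an added example (not part of the original answer and not the asker's code): a complete Kestrel configuration that pins the protocol versions to TLS 1.2 and TLS 1.3 and uses an explicit cipher-suite allowlist that contains no RC4, 3DES, CBC or static-RSA suites. Unlike the snippet in the answer, it lists TLS 1.2 suites as well as TLS 1.3 ones, so TLS 1.2-only clients can still connect. It assumes .NET 6+ minimal hosting on Linux (CipherSuitesPolicy is honoured by the OpenSSL backend but not on Windows); the `/` endpoint and the `Program` class name are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Security.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

public static class Program
{
    // Allowlist, in preference order. Nothing here uses RC4, 3DES, CBC or
    // static RSA key exchange; every suite is forward secret and AEAD.
    private static readonly TlsCipherSuite[] AllowedSuites =
    {
        // TLS 1.3
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,
        // TLS 1.2, ECDHE key exchange only
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    };

    public static void Main(string[] args)
    {
        if (OperatingSystem.IsWindows())
        {
            // SChannel ignores per-process suite lists; fail loudly instead of
            // silently keeping the OS defaults (the ctor below would throw anyway).
            throw new PlatformNotSupportedException(
                "CipherSuitesPolicy is only honoured on Linux/macOS; on Windows configure SChannel via policy instead.");
        }

        // Build the policy once; it is immutable and safe to share across connections.
        var policy = new CipherSuitesPolicy(AllowedSuites);

        var builder = WebApplication.CreateBuilder(args);

        builder.WebHost.ConfigureKestrel(kestrel =>
        {
            kestrel.ConfigureHttpsDefaults(https =>
            {
                // RC4 and 3DES only exist in TLS 1.2 and below, so refusing
                // SSL 3.0 / TLS 1.0 / TLS 1.1 removes most of the exposure by itself.
                https.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;

                // Runs per connection just before the handshake; the options
                // object already carries the certificate Kestrel selected.
                https.OnAuthenticate = (connectionContext, sslOptions) =>
                {
                    sslOptions.CipherSuitesPolicy = policy;
                };
            });
        });

        var app = builder.Build();
        app.MapGet("/", () => "TLS listener up");   // placeholder endpoint
        app.Run();
    }
}
```

To verify from another machine, connect with a client that only proposes a weak suite, for example `openssl s_client -connect host:443 -tls1_2 -cipher 3DES`; with the policy above the handshake must fail (handshake failure alert, "no shared cipher" on the server). Many distribution builds of OpenSSL 1.1.1 have RC4 compiled out, so test 3DES if an RC4 cipher string is rejected client-side. If a scanner still reports RC4 or 3DES after this change, what it reached is not this Kestrel listener: a reverse proxy (nginx, Apache httpd) on the VM or an Azure front end such as Application Gateway or Front Door that terminates TLS in front of the VM has its own cipher configuration, and a policy set inside Kestrel cannot affect it.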