Issue
I am looking at disabling RC4 and 3DES TLS ciphers in my application and wondering how to implement this?
The application is Angular/ASP.NET Core currently in the latest versions of both technologies. The application is hosted on a Red Hat 7 server.
Solution
Application level
You may try to force your app to only support TLS 1.3.
TLS 1.3 supports only ciphers thought to be secure.
This post explains how to do it for TLS 1.2; you would just have to change the
s.SslProtocols = SslProtocols.Tls12;
to
s.SslProtocols = SslProtocols.Tls13;
More information here
Feel free to test it with SSL Labs
You can stay on TLS 1.2 and manually choose your ciphers by doing this.
Proceed with absolute caution when doing this. You want to do this only if you absolutely know what you're doing.
using System.Net.Security;

// Allow list: only the suites named here can be negotiated, so RC4 and 3DES are excluded.
var ciphersArray = new TlsCipherSuite[]
{
    TlsCipherSuite.TLS_AES_256_GCM_SHA384, // etc
};

var builder = WebApplication.CreateBuilder(args);
// builder.Host.ConfigureWebHost(...) throws NotSupportedException with WebApplicationBuilder;
// Kestrel is configured through builder.WebHost instead.
builder.WebHost.ConfigureKestrel(kestrelServerOptions =>
{
    kestrelServerOptions.ConfigureHttpsDefaults(w =>
    {
        // Runs for every TLS handshake; CipherSuitesPolicy is supported on Linux/macOS, not on Windows.
        w.OnAuthenticate = (x, s) =>
        {
            var ciphers = new CipherSuitesPolicy(ciphersArray);
            s.CipherSuitesPolicy = ciphers;
        };
    });
});
OS Level
It's not your OS version, but this RHEL 8 doc could be interesting to you. As you can see, the DEFAULT option doesn't allow RC4 and 3DES.
Answered By - Oxygel Answer Checked By - Candace Johnson (WPSolving Volunteer)
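An added example, not from the answer above, that combines the two application-level options into one Program.cs: Kestrel accepts only TLS 1.2 and 1.3, and on Linux (the asker's RHEL host) a cipher-suite allow list of AEAD suites is applied so RC4, 3DES and CBC suites can never be negotiated. The route and the allow list are assumptions for illustration; CipherSuitesPolicy throws PlatformNotSupportedException on Windows, so it is applied only elsewhere.

```csharp
// Added example (not the original answer's code): hardened Kestrel TLS settings.
using System.Net.Security;
using System.Security.Authentication;

var builder = WebApplication.CreateBuilder(args);

// Allow list of AEAD suites only; anything not listed (RC4, 3DES, CBC, NULL) is refused.
TlsCipherSuite[] allowed =
{
    // TLS 1.3 suites
    TlsCipherSuite.TLS_AES_256_GCM_SHA384,
    TlsCipherSuite.TLS_AES_128_GCM_SHA256,
    TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,
    // TLS 1.2 suites with ECDHE for forward secrecy
    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
    TlsCipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
};

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ConfigureHttpsDefaults(https =>
    {
        // Reject TLS 1.0/1.1 outright; legacy suites are most often offered there.
        https.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;

        // Called for each handshake with the SslServerAuthenticationOptions Kestrel will use.
        https.OnAuthenticate = (connectionContext, sslOptions) =>
        {
            // CipherSuitesPolicy is honoured by the OpenSSL backend (Linux/macOS) only;
            // on Windows the SChannel system policy decides and this would throw.
            if (!OperatingSystem.IsWindows())
            {
                sslOptions.CipherSuitesPolicy = new CipherSuitesPolicy(allowed);
            }
        };
    });
});

var app = builder.Build();
app.MapGet("/", () => "TLS restricted to 1.2/1.3 with an AEAD-only cipher allow list");
app.Run();
```

On Linux the OpenSSL build and the system crypto policy still bound what is available, so a suite in the allow list that the OS policy forbids will simply not be offered.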