Can I disable RC4 in favor of a stronger Cipher

3020
3
02-02-2016 08:59 PM
JustinCox
New Contributor

I'm deploying ArcGIS for Server 10.3.1 in a secure Enterprise environment.  A recent scan showed we had the RC4 cipher enabled, and being used on Port 6443.  We use the Web Adaptor, and the firewall blocks all in/out 6443 traffic, but my life would become substantially easier from a documentation and risk acceptance standpoint if I could configure the server to use TLS with 3DES or another stronger cipher.  Is it possible to configure this somewhere in the ArcGIS settings?

I tried flat-out disabling RC4 before, and it broke the server.  I began to get SCHANNEL errors saying I didn't have a cipher available to establish the connection.

0 Kudos
3 Replies
ThomasColson
MVP Frequent Contributor

This can be accomplished with registry settings, but I prefer a tool "IISCrypto" which give you a nice GUI to not only turn protocols on or off, but specify the order of the ciphers as well. Is your certificate using SHA-2?

RandallWilliams
Esri Regular Contributor

At 10.4 in the security configuration page in the admin API you can specify the HTTPS protocols and ciphers you'd like to support.

JoelBennett
Occasional Contributor III

We too have this same issue with 10.3.1.  We will be bypassing 10.4 for 10.5 later this year, and I do not see how changing registry settings or playing with third party software for IIS will fix this problem since it's coming from ArcGIS Server's web server Tomcat.  Instead, the fix I found was to modify the configuration for the Tomcat server.  Refer also to HOW TO -- Disable weak ciphers in Tomcat 7 & 8 - Powered by Kayako Help Desk Software  for more information on the parameters mentioned below.

Here are my instructions for Windows:

1) Make a backup copy of <ArcGIS_Server_Install_Directory>\framework\runtime\tomcat\conf\server.xml

2) Run Notepad as Administrator

3) Open <ArcGIS_Server_Install_Directory>\framework\runtime\tomcat\conf\server.xml

4) Near the bottom of the file, look for the line that starts with <Connector...

5) At the end of the line, between the last quotation mark and the slash, add a space, and then add the following text  (you can see it's very long and will cause the lines to wrap, but that's ok):

  ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"

6) Save the file and restart ArcGIS Server

0 Kudos