How do I disable RC4 SSL support?

(Mike Ottum) #1

I’d like to remove RC4 from the SSL ciphersuite. I tried editing templates/web.ssl.template.yml, because that seems like the likely place, but that file is part of the git repository, so it didn’t seem like something I should edit. Is this something I should override in app.yml, or is there some other place?

(Sam Saffron) #2

tricky, why do you want to disable it? should I not disable this for everyone?

You can add a hook after that replaces it out

(Mike Ottum) #3

SSL Server Test (Powered by Qualys SSL Labs) flags RC4 support as a warning because they consider it insecure. I’m not sure whether it should be disabled for everyone or not, but I would like to disable it for my site.

I might also wish to disable everything below TLS 1.2, but I’m not yet sure that I want to do that.


You could just ./launcher ssh app and change the nginx config manually, but of course an update could overwrite this.

Or use a hook like @sam said.

(Mike Ottum) #5

Ah ok – yeah I was mostly concerned with doing it in a way that wouldn’t get overwritten by an update. How does the hook work? Where would I add that?

(Jeff Atwood) #6

We just had a potential customer ask about this and cite this report: SSL Server Test (Powered by Qualys SSL Labs)

So I think we should remove RC4 as a policy, on all our sites and the default Docker image @sam.

(Mike Ottum) #7

Great, that works for me. Thanks!

(Sam Saffron) #8

I just removed rc4 from the template

(Kane York) #9

@ottumm for future reference:

You can do it by editing app.yml: Advanced Troubleshooting with Docker

It follows the same syntax as the template files.
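As an added illustration (not from this thread or the Discourse repository) of what such an app.yml override can look like, using the same `replace` directive the templates use against the generated nginx config. The hook name `after_ssl` and the `/etc/nginx/conf.d/discourse.conf` path are assumptions; the hook must match a `hook:` line in whichever template writes the SSL block, so check your own template before relying on it.

```yaml
# Appended to app.yml, alongside the existing "templates:" section.
# Assumption: the SSL template exposes a hook named "ssl", so this runs after it.
hooks:
  after_ssl:
    # Rewrite the cipher list nginx was given; "!RC4" removes every RC4 suite
    # in OpenSSL cipher-string syntax, whatever else the template listed.
    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /ssl_ciphers .*;/
        to: "ssl_ciphers HIGH:!aNULL:!MD5:!RC4;"
    # Optional, per the earlier question: refuse anything older than TLS 1.2.
    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /ssl_protocols .*;/
        to: "ssl_protocols TLSv1.2;"
```

After `./launcher rebuild app`, confirm the change from outside with `openssl s_client -connect yourforum.example:443 -cipher RC4 </dev/null`, which should now fail to negotiate a session, and re-run the SSL Labs test to see the warning gone.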

(Tsu) #10

There’s a pull request you might find handy:

(Jeff Atwood) #12