Using ssllabs.com's scan tells me RC4 is in use. I read that RC4 should be disabled by default in Windows 2012 R2. I'm running a node.js server using https.createServer and not specifying ciphers (letting it default).
ssllabs.com says:
This server accepts the RC4 cipher, which is weak
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK
I've disabled RC4 in the registry per these instructions: http://windowsitpro.com/windows/disabling-rc4-cipher
I also tried specifying the ciphers in node createHttpsServer like this:
    // in the options object passed to https.createServer(options, ...)
    ciphers: [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "DHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-SHA256",
        "DHE-RSA-AES128-SHA256",
        "ECDHE-RSA-AES256-SHA384",
        "DHE-RSA-AES256-SHA384",
        "ECDHE-RSA-AES256-SHA256",
        "DHE-RSA-AES256-SHA256",
        "HIGH",
        "!aNULL",
        "!eNULL",
        "!EXPORT",
        "!DES",
        "!RC4",
        "!MD5",
        "!PSK",
        "!SRP",
        "!CAMELLIA"
    ].join(':'),
    honorCipherOrder: true
I still get the same message saying RC4 is in use, and my grade dropped from B to C, so setting the node.js cipher list does have an impact.
Using IIS Crypto to disable the RC4 ciphers after clicking the best practices option resulted in no difference in my ssllabs scan results.
I suspect it has something to do with the node configuration, but even specifying the cipher list as mentioned above still results in the scan saying RC4 is in use.
How do I diagnose this to disable RC4 or find out where it's in use so I can disable it?
Server response header, and other markers that indicate a particular HTTP server is in use (heuristic pattern matching borne of long experience). The problem with writing up an answer is that I don't have an answer, merely a long list of hypotheses, and my memory isn't good enough to be able to recall everything out of the moment.