A couple of months ago I released this blogpost: https://www.antonvanpelt.com/make-netscaler-ssl-vips-secure
That blogpost is still valid. However, last week Citrix released NetScaler 10.5 57.7, and this firmware release contains various improvements on SSL security. Let's see what has been improved.
First let's run an SSL Labs server test against a default SSL-based virtual server, without any tuning.
Not a bad score for a virtual server without any SSL optimisations. NetScaler gets this score due to the TLS_FALLBACK_SCSV support: https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
Let's see how we can get an A+ score with NetScaler 10.5 57.7 on a NetScaler VPX!
TLS 1.1 and TLS 1.2 support
Before 10.5 57.7 you were only able to create TLS 1.0 virtual servers: TLS 1.1 and TLS 1.2 were not supported on the VPX platform. Citrix has now finally made it possible to offload TLS 1.1 and TLS 1.2 traffic on the VPX platform, and when you create a virtual server TLS 1.1 and TLS 1.2 are now enabled by default. SSLv3 is still on by default, so make sure to disable it on every virtual server to prevent POODLE attacks; a server that does not offer SSLv3 at all cannot be downgraded to it, even by a client that does not send TLS_FALLBACK_SCSV.
Custom Cipher Group
To get an A+ rating we first need to create a custom Cipher Group, which we assign to the SSL virtual server later.
The following list of ciphers supports all modern browsers and Citrix Receivers. Note that the DHE-DSS suites are only negotiable when the virtual server presents a DSA-signed certificate; with the usual RSA certificate they are never selected, and it is the DHE-RSA and ECDHE-RSA suites that provide forward secrecy.
1) Cipher Name: TLS1-DHE-DSS-AES-256-CBC-SHA
2) Cipher Name: TLS1-DHE-DSS-AES-128-CBC-SHA
3) Cipher Name: TLS1-DHE-RSA-AES-256-CBC-SHA
4) Cipher Name: TLS1-DHE-RSA-AES-128-CBC-SHA
5) Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA
6) Cipher Name: TLS1-ECDHE-RSA-AES128-SHA
7) Cipher Name: TLS1-ECDHE-RSA-AES256-SHA
8) Cipher Name: TLS1.2-AES128-GCM-SHA256
9) Cipher Name: TLS1.2-AES256-GCM-SHA384
10) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256
11) Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384
12) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
13) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
14) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256
15) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384
16) Cipher Name: TLS1.2-AES-256-SHA256
17) Cipher Name: TLS1.2-AES-128-SHA256
18) Cipher Name: TLS1.2-DHE-RSA-AES-128-SHA256
19) Cipher Name: TLS1.2-DHE-RSA-AES-256-SHA256
Custom Cipher Group for NetScaler VPX
To get an A+ on a NetScaler VPX we need to use a smaller set of SSL ciphers, so we create a second Cipher Group for the VPX.
The following list of ciphers gets you an A+ score on a NetScaler VPX:
1) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256 (unsupported as of build 11.0-64.34!)
2) Cipher Name: TLS1-ECDHE-RSA-AES256-SHA
3) Cipher Name: TLS1-ECDHE-RSA-AES128-SHA
4) Cipher Name: TLS1-DHE-RSA-AES-256-CBC-SHA
5) Cipher Name: TLS1-DHE-RSA-AES-128-CBC-SHA
6) Cipher Name: TLS1-AES-256-CBC-SHA
7) Cipher Name: TLS1-AES-128-CBC-SHA
8) Cipher Name: SSL3-DES-CBC3-SHA
Perfect Forward Secrecy (PFS) protects recorded sessions from being decrypted later if the server's private key is compromised: the session keys come from an ephemeral Diffie-Hellman exchange, not from the certificate's key. To enable PFS for the DHE suites we need to create a Diffie-Hellman (DH) key (parameter file) and bind it to the virtual server. Use 2048-bit parameters; 1024-bit DH is considered weak.
Strict Transport Security
STS or HSTS (HTTP Strict Transport Security) tells a browser that has seen the header to contact the site only over HTTPS for the given max-age, so later plain-HTTP requests are upgraded before they leave the client. More info: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security. To enable HSTS on NetScaler we need to create a Rewrite action that inserts the Strict-Transport-Security header into responses, plus a Rewrite policy that applies it:
To make use of this action we also need to create a Rewrite policy and bind it to the virtual server as a response policy (the header only has meaning on responses served over HTTPS):
Now that we have created all these SSL optimisations, we need to apply them to our SSL-based virtual server:
- Disable SSLv3
- Bind the custom Cipher Group Aplus (or Aplus-VPX when using a NetScaler VPX)
- Enable Perfect Forward Secrecy (PFS)
- Enable Strict Transport Security (STS)
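The same four steps as NetScaler CLI commands, as an added example that is not part of the original post. The virtual server name vs_web, the DH file name dhkey2048.pem and the rewrite object names are assumptions; the cipher group Aplus-VPX and its members are the VPX list from this post, and the syntax is the 10.5 nscli syntax. The `#` lines are annotations for the reader and should be dropped if you paste the commands into a batch file.

```nscli
# Added example: hardening an existing SSL LB virtual server (assumed name: vs_web)
# from the NetScaler CLI (10.5 syntax), typed into the nscli shell after logging in as nsroot.

# 1) Cipher group: the VPX list from this post, forward-secrecy suites first.
add ssl cipher Aplus-VPX
bind ssl cipher Aplus-VPX -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher Aplus-VPX -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher Aplus-VPX -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher Aplus-VPX -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher Aplus-VPX -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher Aplus-VPX -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher Aplus-VPX -cipherName TLS1-AES-128-CBC-SHA
# 3DES only if you still have to serve Windows XP / IE 8 clients.
bind ssl cipher Aplus-VPX -cipherName SSL3-DES-CBC3-SHA

# 2) DH parameters for the DHE suites: 2048-bit, generator 2 (generation takes a while on a VPX).
create ssl dhparam /nsconfig/ssl/dhkey2048.pem 2048 -gen 2

# 3) Protocols and forward secrecy on the virtual server.
#    -dhCount is the number of handshakes after which the DH key pair is regenerated;
#    0 would reuse one pair forever, which defeats the "ephemeral" part of DHE.
set ssl vserver vs_web -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED
set ssl vserver vs_web -dh ENABLED -dhFile /nsconfig/ssl/dhkey2048.pem -dhCount 1000

# Replace the DEFAULT cipher binding with the custom group.
unbind ssl vserver vs_web -cipherName DEFAULT
bind ssl vserver vs_web -cipherName Aplus-VPX

# 4) HSTS: insert the header into every response of this virtual server (one year, all subdomains).
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000; includeSubDomains\""
add rewrite policy rw_pol_hsts true rw_act_hsts
bind lb vserver vs_web -policyName rw_pol_hsts -priority 100 -gotoPriorityExpression END -type RESPONSE

# Check the result before running the SSL Labs test, then persist it.
show ssl vserver vs_web
show ssl cipher Aplus-VPX
save ns config
```

Check `show ssl vserver vs_web` for `SSLv3: DISABLED`, `DH: ENABLED` and the Aplus-VPX binding before you test; if the DHE suites still show up without forward secrecy at SSL Labs, the DH file was not bound. Start with `includeSubDomains` only if every subdomain really is reachable over HTTPS, because browsers cache the header for the full max-age.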
As you can see, NetScaler 10.5 57.7 is able to get an A+ score. Without any optimisation NetScaler scores a C. With some extra work on the supported ciphers, SSLv3, Perfect Forward Secrecy and Strict Transport Security we are able to get the maximum score, even on a NetScaler VPX!
While I was writing this blogpost, Steven Wright also published an updated post on Citrix Blogs: http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel
A lot has changed in the ADC space over the last year. Citrix released NetScaler 11, which introduced more new features. At the moment NetScaler 11.0-64.34 is the latest firmware build, and this build offers a long-awaited improvement: you can now bind ciphers to an SSL Profile. So, as mentioned before, the SSL Profile forms a great baseline for all your vServers.
SHA-1 vs. SHA-2
SHA-2 (SHA-256 in practice) gives the certificate a more secure signature than SHA-1, which is no longer considered collision resistant. Since January 2016 it's not possible to order a SHA-1 based certificate anymore. After the 1st of January 2017 the industry will stop trusting SHA-1 based certificates. The following website shows information on SHA-256 compatibility: https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility
Several well-known companies like Microsoft and Mozilla will stop supporting SHA-1 based certificates this year already: https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/
Most SSL certificate providers support a reissue procedure where you can switch from SHA-1 to SHA-256 at no cost. All my websites are signed via DigiCert, and I can recommend this company for your SSL certificate management. See how DigiCert supports the reissue of SHA-1 based certificates: https://www.digicert.com/transitioning-to-sha-2.htm#s1
An SSL Profile can now contain all the SSL-related parameters that were previously configured per SSL virtual server (CS, LB, NSG, AAA vserver). As soon as you bind an SSL Profile to a virtual server, the profile overrides the individual SSL parameters of that virtual server, and also its SSL cipher bindings.
You can create two types of SSL Profiles:
- Frontend Profile: To be used with a virtual server and manipulate the client connection.
- Backend Profile: To be used with a service or service group to manipulate the backend connection.
Let's start by creating a Frontend SSL Profile:
Note that I've enabled SNI in this profile to be able to use multiple server certificates per virtual server. If you only have a single wildcard or SAN certificate per virtual server you don't need to have the SNI feature enabled.
I've also changed the Deny SSL renegotiation setting in this SSL Profile. I will dive into this later.
After we've created the SSL Profile we can bind the SSL ciphers to it. Note that the GUI can't bind a custom Cipher Group to an SSL Profile: there you have to bind the individual ciphers, or use the CLI if you want to bind your custom Cipher Group to the SSL Profile.
As of 22 February 2016 the following cipher list is compatible with NetScaler and gives an A+ rating at SSL Labs.
- SSL3-DES-CBC3-SHA (Only if you still want to support Windows XP and IE 8)
After we've created the SSL Profile including the ciphers, we first have to enable the default SSL Profile feature. This is a global switch: as soon as it is enabled, NetScaler automatically binds the built-in SSL Profiles (ns_default_ssl_profile_frontend and ns_default_ssl_profile_backend) to all your virtual servers and backend services, and from that moment the per-vserver SSL parameters are no longer used. Check what the built-in profiles allow before you flip the switch on a production box, and be prepared to bind your custom profile right afterwards.
Note that the default SSL Profile is now bound to your virtual server!
Now we can bind the newly created SSL Profile, with its custom ciphers, to the virtual server:
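The 11.0 SSL Profile part of the procedure as nscli commands, as an added example that is not part of the original post. The profile name ssl_prof_frontend, the virtual server name vs_web and the DH file path are assumptions (the DH file is created with `create ssl dhparam` as in the 10.5 section). The ciphers are the VPX list from this post, bound in priority order; unlike the GUI, the CLI can also bind a whole cipher group, shown as a commented alternative. The `#` lines are annotations for the reader.

```nscli
# Added example: a front-end SSL Profile on NetScaler 11.0 from the CLI.
# Assumed names: ssl_prof_frontend, vs_web, /nsconfig/ssl/dhkey2048.pem.

# Protocols, SNI, renegotiation and forward-secrecy settings now live in the profile, not on the vserver.
# NONSECURE denies renegotiation from clients that do not support RFC 5746 secure renegotiation.
add ssl profile ssl_prof_frontend -sslProfileType FrontEnd -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED -SNIEnable ENABLED -denySSLReneg NONSECURE -dh ENABLED -dhFile /nsconfig/ssl/dhkey2048.pem -dhCount 1000

# Ciphers are bound in priority order: ECDHE first, then DHE, so every client that can do
# forward secrecy negotiates it; the plain RSA suites are the fallback for older clients.
bind ssl profile ssl_prof_frontend -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 1
bind ssl profile ssl_prof_frontend -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 2
bind ssl profile ssl_prof_frontend -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 3
bind ssl profile ssl_prof_frontend -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 4
bind ssl profile ssl_prof_frontend -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 5
bind ssl profile ssl_prof_frontend -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 6
# Only if Windows XP / IE 8 clients still have to connect:
bind ssl profile ssl_prof_frontend -cipherName SSL3-DES-CBC3-SHA -cipherPriority 7
# Alternative the GUI does not offer: bind an existing custom cipher group in one go.
# bind ssl profile ssl_prof_frontend -cipherName Aplus-VPX -cipherPriority 1

# Global switch: from here on every vserver and service without its own profile uses the built-in
# ns_default_ssl_profile_frontend / ns_default_ssl_profile_backend, and per-vserver SSL parameters are ignored.
set ssl parameter -defaultProfile ENABLED

# Replace the built-in profile on the virtual server with ours, verify, and persist.
set ssl vserver vs_web -sslProfile ssl_prof_frontend
show ssl profile ssl_prof_frontend
show ssl vserver vs_web
save ns config
```

HSTS stays a rewrite policy on the virtual server, exactly as in the 10.5 section; the profile only covers the TLS layer. `show ssl vserver vs_web` should now list the profile name instead of individual protocol and cipher settings, and `show ssl profile ssl_prof_frontend` shows the ciphers in the priority order the server will offer.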
Updated SSL Labs rating
A few things have also changed in what SSL Labs requires for an A+ rating. If you have the right ciphers in place you no longer have to configure Perfect Forward Secrecy manually via the Diffie-Hellman (DH) key: the ECDHE suites provide forward secrecy on their own (the DH key is only used by the DHE suites), so without a DH key specified you will still get an A+ rating. Needless to say, if you do configure the DH key as well, the DHE suites also become forward secret and you are more in line with the strictest SSL guidance.
This shows the result without the Diffie-Hellman (DH) key specified. This virtual server also has the 7 ciphers I mentioned earlier bound via the SSL Profile:
SSL Labs also explains that binding the ciphers in the right order matters for forward secrecy: the server should prefer the ECDHE/DHE suites, so that every client that supports them negotiates one of them instead of a plain RSA key exchange: https://blog.qualys.com/ssllabs/2013/06/25/ssl-labs-deploying-forward-secrecy
As you can see 3 of my Ciphers support forward secrecy:
Steps needed to get an A+ rating