Make your NetScaler SSL VIPs more secure (Updated) 59

A+ score NetScaler VPX

Updated: 2-23-2016

A couple of months ago I released this blogpost:https://www.antonvanpelt.com/make-netscaler-ssl-vips-secure

This blogpost is still valid however, last week Citrix released NetScaler 10.5 57.7. This firmware release contains various improvements on SSL security. Lets see what has been improved….

 

Default Security

First lets try to run a SSL server test on a default SSL based virtual server.

Default SSL VIP score

Not a bad score for a virtual server without any SSL optimisations. NetScaler gets this score due to the TLS_FALLBACK_SCSV support: https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Let see how we can get a A+ score with NetScaler 10.5 57.5 on a NetScaler VPX!

 

TLS 1.1 and TLS 1.2 support

Before 10.5 57.7 you where only able to create TLS 1.0 virtual servers. TLS 1.1 and TLS 1.2 where not supported on the VPX platform. Citrix now finally made it possible to offload TLS 1.1 and TLS 1.2 traffic on the VPX platform. When you create a virtual server TLS 1.1 and TLS 1.2 are now default enabled. Make sure to disable SSLv3 to prevent POODLE attacks.

SSLv3 is still enabled by default

 

Custom Cipher Group

To get a A+ rating we first need to create a custom Cipher Group which we can assign to the SSL virtual server later.

Custom Cipher group NetScaler

The following list of Ciphers will support all modern browsers and Citrix Receivers.
1) Cipher Name: TLS1-DHE-DSS-AES-256-CBC-SHA
2) Cipher Name: TLS1-DHE-DSS-AES-128-CBC-SHA
3) Cipher Name: TLS1-DHE-RSA-AES-256-CBC-SHA
4) Cipher Name: TLS1-DHE-RSA-AES-128-CBC-SHA
5) Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA
6) Cipher Name: TLS1-ECDHE-RSA-AES128-SHA
7) Cipher Name: TLS1-ECDHE-RSA-AES256-SHA
8) Cipher Name: TLS1.2-AES128-GCM-SHA256
9) Cipher Name: TLS1.2-AES256-GCM-SHA384
10) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256
11) Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384
12) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
13) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
14) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256
15) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384
16) Cipher Name: TLS1.2-AES-256-SHA256
17) Cipher Name: TLS1.2-AES-128-SHA256
18) Cipher Name: TLS1.2-DHE-RSA-AES-128-SHA256
19) Cipher Name: TLS1.2-DHE-RSA-AES-256-SHA256

 

Custom Cipher Group for NetScaler VPX

To get a A+ on NetScaler VPX we need to make use of a small set of SSL Ciphers. Therefore we need to create another SSL Cipher Group.

The following list of Ciphers will get you a A+ score on NetScaler VPX:

1) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256 (unsupported as of build 11.0-64.34!)
2) Cipher Name: TLS1-ECDHE-RSA-AES256-SHA
3) Cipher Name: TLS1-ECDHE-RSA-AES128-SHA
4) Cipher Name: TLS1-DHE-RSA-AES-256-CBC-SHA
5) Cipher Name: TLS1-DHE-RSA-AES-128-CBC-SHA
6) Cipher Name: TLS1-AES-256-CBC-SHA
7) Cipher Name: TLS1-AES-128-CBC-SHA
8) Cipher Name: SSL3-DES-CBC3-SHA

Cipher Group VPX

 

Forward Secrecy

Perfect Forward Secrecy protect a session from being decrypted when server key became compromised. To enabled PFS we need to create a Deffie-Hellman (DH) key.

Create Diffie-Hellman key NetScaler

 

Strict Transport Security

STS or HSTS prevents a website for being accessed on another protocol than HTTPS. More info: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security to enable STS on NetScaler we need to create a Rewrite action and policy:

STS Rewrite Action NetScaler

 

To make use of this action we also need to create a Rewrite policy:

STS Rewrite Policy NetScaler

Since we created all these SSL optimisations we need to use them on our SSL based Virtual Server:

  1. Disable SSLv3disable sslv3 NetScaler VIP
  2. Bind Custom Cipher Group Aplus or Aplus-VPX when using a NetScaler VPXCustom Cipher group on VIP NetScaler
  3. Enable Perfect Forward Secrecy (PFS)Enable Forward Secrecy on NetScaler VIP
  4. Enable Strict Transport Security (STS)Enable Strict Transport Security on NetScaler VIP

 

Conclusion

As you can see NetScaler 10.5 57.7 is able to get a A+ score. Without any optimization NetScaler scores a C score. With some extra optimisations on supported Ciphers, SSL3, Perfect  Forward Secrecy and Strict Transport Security we are able to get this maximum score even on a NetScaler VPX!

When i wrote this blogpost Steven Wright also created a updated post on Citrix Blogs http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel

 

2016 Update

Last year a lot is changed in the ADC space. Citrix released NetScaler 11 which introduced more new features. At the moment NetScaler 11.0-64.34 is the latest firmware build. This build offers a long waited feature improvement, you can now bind Ciphers to a SSL Profile. So as mentiond before the SSL Profile forms a great baseline for all your vServers.

SHA-1 vs. SHA-2
SHA-2 offers a more secure signature on the SSL certificate then SHA-1. Since January 2016 it’s not possible to order a SHA-1 based certificate anymore. After the 1st of January 2017 the industry will stop trusting SHA-1 based certificates. The following website shows information on SHA256 compatibility: https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility

Several well know companies like Microsoft and Mozilla will stop supporting SHA-1 based certificate this year already:  https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/

Most of the SSL Certificate providers will support a reissue procedure were you can switch from SHA-1 to SHA-256 without any costs. All my websites are signed via DigiCert, I can recommend this company for your SSL Certificate Management. See how DigiCert will support the reissue for SHA-1 based certificates: https://www.digicert.com/transitioning-to-sha-2.htm#s1

SSL Profile

A SSL Profile can now contain all the SSL related parameters that can be configured per SSL virtual server basis (CS, LB, NSG, AAA vserver). As soon as you bind a SSL Profile to a virtual server this will override the individual SSL Parameters, and also the SSL Ciphers.

You can create two types of SSL Profiles:

  • Frontend Profile: To be used with a virtual server and manipulate the client connection.
  • Backend Profile: To be used with a service or service group to manipulate the backend connection.

Lets start by creating a Frontend SSL Profile:

Create SSL Profile

Note that i’ve enabled SNI in this profile to make use of multiple server certificates per virtual servers. If you only have a single wildcard or SAN certficate per virtual server you don’t need to have the SNI feature enabled.

I’ve also changed the Deny SSL renegotation feature setting in this SSL Profile. I will dive into this later.

After we’ve created the SSL Profile we now can bind the SSL Ciphers to the SSL Profile. Note that you can’t bind a custom Cipher Group. You will need to bind the indiviual Ciphers to the SSL Profile, or use CLI if you want to bind your custom Cipher Group to the SSL Profile.

At the moment 02/22/2016 the following Cipher list is compatible with NetScaler and gives a A+ rating at SSL Labs.

VPX:

  • TLS1-ECDHE-RSA-AES256-SHA
    • Hex=0xc014
  • TLS1-ECDHE-RSA-AES128-SHA
    • Hex=0xc013
  • TLS1-DHE-RSA-AES-256-CBC-SHA
    • Hex=0x0039
  • TLS1-DHE-RSA-AES-128-CBC-SHA
    • Hex=0x0033
  • TLS1-AES-128-CBC-SHA
    • Hex=0x002f
  • TLS1-AES-256-CBC-SHA
    • Hex=0x0035
  • SSL3-DES-CBC3-SHA (Only if you still want to support Windows XP and IE 8)
    • Hex=0x000a

MPX:

  • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    • HexCode=0xc030
  • TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    • HexCode=0xc02f
  • TLS1.2-ECDHE-RSA-AES-256-SHA384
    • HexCode=0xc028
  • TLS1.2-ECDHE-RSA-AES-128-SHA256
    • HexCode=0xc027
  • TLS1-ECDHE-RSA-AES256-SHA
    • HexCode=0xc014
  • TLS1-ECDHE-RSA-AES128-SHA
    • HexCode=0xc013
  • TLS1.2-DHE-RSA-AES256-GCM-SHA384
    • HexCode=0x009f
  • TLS1.2-DHE-RSA-AES128-GCM-SHA256
    • HexCode=0x009e
  • TLS1-DHE-RSA-AES-256-CBC-SHA
    • HexCode=0x0039
  • TLS1-DHE-RSA-AES-128-CBC-SHA
    • HexCode=0x0033
  • TLS1-AES-256-CBC-SHA
    • HexCode=0x0035
  • TLS1-AES-128-CBC-SHA
    • HexCode=0x002f
  • SSL3-DES-CBC3-SHA (Only if you still want to support Windows XP and IE 8)
    • HexCode=0x000a

Bind Ciphers to SSL Profile

After we’ve created the SSL Profile including the Ciphers we first have to enable the default SSL Profile feature which automatically will bind the built-in SSL Profile to your virtual servers and backend services!!

Enable Default SSL Profile

Note that the default SSL Profile is now bind to your virtual server!

Default SSL Profile

Now we can bind the newly created SSL Profile with custom Ciphers to the Virtual Server:

Bind Custom SSL Profile

Updated SSL Labs rating

Also to get a A+ rating on SSL Labs a few settings has changed. If you have the right Ciphers in place you do not have to configure Perfect Forward Secrecy manually via the Deffie-Hellman (DH) key anymore. Without the Deffie-Hellman (DH) key specified you will also get a A+ rating. Needless to say that if you do configure Perfect Forward Secrecy you will of course be more inline with the most secure SSL rules.

This shows the result without the Defffie-helpman (DH) key specified, This virtual server has also bound the 7 Ciphers i mentiond earlier via the SSL Profile:

A+ result on SSLLabs

SSL Labs also explains that binding the Ciphers in the right order will make sense to get a A+ rating: https://blog.qualys.com/ssllabs/2013/06/25/ssl-labs-deploying-forward-secrecy

As you can see 3 of my Ciphers support forward secrecy:

A+ Ciphers that support FS

Steps needed to get a A+ rating

  • Make sure to reissue your SHA-1 based certificates ASAP
  • Disable SSLv3 and enable TLSv1.2
  • Enable Strict Transport Security
  • Bind Ciphers that support Forward Secrecy

59 thoughts on “Make your NetScaler SSL VIPs more secure (Updated)

  1. Reply Colby Vrbka May 29,2015 9:59 pm

    I am still stuck on A-. I am still getting “The server does not support Forward Secrecy with the reference browsers” I followed everything above and still can’t get a A+

  2. Reply Arno Jun 4,2015 8:52 am

    Excellent blog post! I was able to get an A+ rating!

    However, when using this I try to connect to a published desktop (XenApp 6.5) I get the error: “Cannot connect to the Citrix XenApp server. SSL Error 47: An unclassified SSL network error occured. (error code: error:14077410:lib(20):func(119):reason(1040))

    Selecting all default HIGH ciphers fixed this issue.

  3. Reply Arno Jun 4,2015 9:44 am

    EDIT: Using the following Ciphers worked for my VPX configuration:

    add ssl cipher A-Plus
    bind ssl cipher A-Plus -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
    bind ssl cipher A-Plus -cipherName TLS1-ECDHE-RSA-AES256-SHA
    bind ssl cipher A-Plus -cipherName TLS1-ECDHE-RSA-AES128-SHA
    bind ssl cipher A-Plus -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
    bind ssl cipher A-Plus -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
    bind ssl cipher A-Plus -cipherName TLS1-AES-256-CBC-SHA
    bind ssl cipher A-Plus -cipherName TLS1-AES-128-CBC-SHA
    bind ssl cipher A-Plus -cipherName SSL3-DES-CBC3-SHA
    bind ssl vserver NameofyourvServer -cipherName A-Plus

    See https://blog.cjharms.info/2014/11/perfect-forward-secrecy-and-netscaler.html

  4. Reply Björn Jun 9,2015 10:10 am

    Same issue am Colby here. Iam running 10.5 57.7, created a 2048bit DH-Key and bound it to my virtual vServer. Still getting A- because auf Forward Secrecy. What am I missing? 🙂

  5. Reply Bernard Jun 23,2015 6:57 pm

    My website score was A-. I enabled DH Param as you suggested and the score dropped to F!!! Any idea why such a drop?

  6. Reply Anton van Pelt Jun 29,2015 11:48 pm

    Article updated with a custom Cipher Group for VPX!

    Cheers,
    Anton

  7. Reply search Jul 10,2015 8:42 am

    It’s going to be ending of mine day, but before ending I am reading this wonderful piece of
    writing to increase my know-how.

  8. Reply Jeff Brown Jul 23,2015 9:59 pm

    Don’t forget to bind the ECC curves, too!

    > bind ssl vserver ssl_vip -eccCurveName P_256
    > bind ssl vserver ssl_vip -eccCurveName P_384
    > bind ssl vserver ssl_vip -eccCurveName P_224
    > bind ssl vserver ssl_vip -eccCurveName P_521

    They *should* be bound by default. However, they are required for PFS w/ ECDHE ciphers.

  9. Reply Henry Heres Aug 8,2015 4:50 pm

    Tried it on the 11.0.55.23 build and A+ it is 🙂

  10. Reply Brad Sherwin Aug 27,2015 2:36 pm

    Excellent post! Very easy to follow and made total sense.

    However, I am stuck on a A- due to server not supporting Forward Secrecy with the reference browsers. I have added the custom cipher group for VPX with no luck.

    I am running NS10.5 58.11, key is RSA 2048 bits & SHA256withRSA.

    Any ideas would be greatly appreciated.

    Thanks,

    Brad.

  11. Reply Brad Sherwin Aug 27,2015 2:46 pm

    I have figured out the problem.

    It was the order of the Ciphers.

    A+ now! :D:D:D:D

    • Reply Anton van Pelt Aug 27,2015 2:47 pm

      Thanks for update!

      Cheers,
      Anton

    • Reply Usaid Sep 10,2015 4:45 pm

      Hi Brad,

      Please let me know, what order are you using, I configured chipper in below order and the rating is A-.
      TLS1.2-ECDHE-RSA-AES-128-SHA256
      TLS1-ECDHE-RSA-AES256-SHA
      TLS1-ECDHE-RSA-AES128-SHA
      TLS1-DHE-RSA-AES-256-CBC-SHA
      TLS1-DHE-RSA-AES-128-CBC-SHA
      TLS1-AES-256-CBC-SHA
      TLS1-AES-128-CBC-SHA
      SSL3-DES-CBC3-SHA

      • Reply Brad Dec 1,2015 10:05 am

        Hi USaid,

        TLS1.2-ECDHE-RSA-AES-128-SHA256
        TLS1-ECDHE-RSA-AES256-SHA
        TLS1-ECDHE-RSA-AES128-SHA
        TLS1-AES-256-CBC-SHA
        TLS1-AES-128-CBC-SHA
        TLS1-DHE-RSA-AES-256-CBC-SHA
        TLS1-DHE-RSA-AES-128-CBC-SHA

        however I have been A+ since this article but now I am A due to a Strict Transport error.

  12. Reply Stefan Stefansson Sep 8,2015 10:53 am

    I’ve followed the instructions on this page for my VPX 11.0 62.10.nc test setup and unfortunately I’m only getting an A. When I add the VPX cipher group, I get the message: “No usable ciphers configured on the SSL vserver/service” and when I add the ciphers individually I get: “AES-GCM/SHA2 ciphers not supported on VPX and FIPS”.

    Any ideas of what I might do to improve this?

    Thanks
    Stefan

  13. Reply Alex Sep 21,2015 2:48 pm

    Good morning everyone.
    Thanks a lot for this useful post Anton.

    We’ve got a Nestcaler 8400 (ver. 10.5 53.9), we follow all the procedure.

    Unfortunately we’ve got a “F” ’cause our site seems to be always vulnerable to the Poodle (TLS) (poodle SSLv3 has been patched disabling the SSLv3 protocol).

    Any ideas? It seems to be very strange….

  14. Reply Emmanuel Sep 28,2015 8:40 pm

    Hi everyone,
    Thank you for your post, It was very usefull. But in my case I used AAA vserver so I’m not able to bind Rewrite policy for enable the STS.
    I tried many thing but do you have a solution? or idea? It is possible?

    • Reply Anton van Pelt Sep 29,2015 12:57 pm

      Hi,

      The AAA vserver is only used for authentication and authorization, it don’t expose webserver content etc. As soon as you are authenticated against this AAA vserver you will get redirected to the Load Balancing vserver itself, were you can apply the security optimizations!

      Does that make sense?

      Cheers!
      Anton

  15. Reply Joe Oct 5,2015 5:54 pm

    If you have two load balancers that are stand-alone do I need to export the DH key for the 2nd server or can I generate a different key?

  16. Reply Alex Oct 7,2015 10:27 am

    Hi everyone,
    we’ve got a Netscaler 8400 (ver 11.062) and we follow the procedure that let us get an “A”.

    in order to get an “A+” we have to implement the STS feature.

    We followed the procedure, the rewrite policy is matched but we scored an “A” since the STS feature is not seen by the SSLLAB site.

    the strange thing is that with the old firmware (ver. 10.5 53.9) we scored a “F” but the STS feature was recognized.

    Any ideas?

    thanks a lot

    • Reply Henry Heres Oct 9,2015 11:43 am

      Do you by any chance have a unified gateway implementation? If that’s the case you will need to add it on two places, the cs vserver and the gateway vserver.

  17. Reply Magnus Oct 14,2015 7:43 am

    Will this work on WinXP with IE8 ?
    or do you know “best setup” for XP + IE8 ?

  18. Reply David Haugli Oct 19,2015 11:09 am

    Is it only me or is TLS1.2 EDCHE Cipher not supported on VPX ? even if I had this with CLI commands it wont be used by the VPX.

  19. Reply David Haugli Oct 19,2015 12:20 pm

    Hi,

    Just to clarify for everyone. I have noticed on my own VPX (thats not hosted on a SDX).

    Only TLS1.0 EDCHE Ciphers is supported still on a normal VPX.

    ref: http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/customize-ssl-config/config-ecdhe-ciphers.html

  20. Reply Aaron Hutchinson Oct 27,2015 10:08 pm

    David,
    The only way to get a VPX to support TLS 1.2 is to run it on an SDX and assign it an SSL card. If you are just running a normal VPX on VMWare or XenServer, they do not support anything above TLS 1.0. IF you look at the SSL Parameters tab of an SSL Vserver, TLSv11 and TLSv12 are greyed out.

    -Aaron

  21. Reply Dennis Reimer Nov 27,2015 1:37 pm

    We are using Netscaler Version 11 Build 63.16 VPX on ESX

    After a lot of testing we found out that there must be a bug (in this Version) using cipher groups. Regardless if we used the gui or the shell we cannot successfully assign the cipher groups to the virtual servers.

    We had to assign the ciphers manually to every vServer in the following order (if the order is wrong, you might receive an A-). You can accomplish this via Webgui or shell:

    bind ssl vserver vServerName -cipherName TLS1-ECDHE-RSA-AES256-SHA
    bind ssl vserver vServerName -cipherName TLS1-ECDHE-RSA-AES128-SHA
    bind ssl vserver vServerName -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
    bind ssl vserver vServerName -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
    bind ssl vserver vServerName -cipherName TLS1-AES-256-CBC-SHA
    bind ssl vserver vServerName -cipherName TLS1-AES-128-CBC-SHA
    bind ssl vserver vServerName -cipherName SSL3-DES-CBC3-SHA

    Additionally we found out that it´s impossible to bind the

    TLS1.2-ECDHE-RSA-AES-128-SHA256

    Cipher on the VPX (the gui tells us, TLS1.2 Ciphers are not supported on VPX). From my point of view that is also a bug in this version, because in general we can enable tls1.2 support on the vServer, but cannot use the tls1.2 cipher?!

    We are still using a SHA1 Certificate so we received a straight A with this article and the modifications i mentioned. If we would use a SHA2 Certificate we would receive an A+.

    Hope this helps

    • Reply Anton van Pelt Nov 27,2015 1:51 pm

      Thanks for this feedback Dennis!

      Cheers,
      Anton

    • Reply Anton van Pelt Jan 12,2016 4:48 pm

      Just tested with NetScaler 11 63.16 and had the same experience.

      It will work when you run this via CLI:

      add ssl cipher A-Plus
      bind ssl cipher A-Plus -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
      bind ssl cipher A-Plus -cipherName TLS1-ECDHE-RSA-AES256-SHA
      bind ssl cipher A-Plus -cipherName TLS1-ECDHE-RSA-AES128-SHA
      bind ssl cipher A-Plus -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
      bind ssl cipher A-Plus -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
      bind ssl cipher A-Plus -cipherName TLS1-AES-256-CBC-SHA
      bind ssl cipher A-Plus -cipherName TLS1-AES-128-CBC-SHA
      bind ssl cipher A-Plus -cipherName SSL3-DES-CBC3-SHA
      bind ssl cipher name_of_your_vip ORD A-Plus

      Cheers,
      Anton

  22. Reply Alex Romp Nov 28,2015 12:28 am

    I found that having the escaped quotes in the max-age on the URL rewrite rule caused SSL Labs to return “Invalid HSTS Header” and it didn’t get an A+ at that time. It showed PFS was working but I only received an “A” rating.

    So instead of:
    “\”max-age=157680000\””

    I changed it to:
    “max-age=157680000”

    Prior to doing that I used Fiddler (I didn’t have curl handy) to capture a request from my VPX which showed the quotes, and also a request to ssllabs.com itself, which did not have the quotes.

    After making that change to the URL rewrite rule I received an A+ grade.

    Great guide! Thanks for sharing!

    • Reply Joel Stocker Jan 5,2016 5:53 pm

      Thanks for this Alex, this solved my issue as well (going from A+ to A). Anton, maybe you can correct this in the original article?

      • Reply Anton van Pelt Jan 12,2016 4:39 pm

        Thanks for the heads-up guys. This should be a update to the SSL scanners, was working when i wrote this article. However i added a new screenshot with the updated expression.

        Cheers,
        Anton

  23. Reply Jason Belton Dec 16,2015 10:30 am

    Thanks for the great guide! Also thank you Alex Romp, this caught me out on the latest firmware.

  24. Reply jason Dec 19,2015 7:11 pm

    Ever look at this site and improve netscalers grade? Mine is a F out of the box.

    https://securityheaders.io

  25. Reply Hidetoshi Nemoto Dec 22,2015 12:32 am

    We noted that, while we will get an overall rating of A or above by using your mentioned recommended cipher, the ICA session runs extremely slow.

    On Citrix Director, we can see the ICA RTT has very high latency, on average around 300-500ms and sometimes even over 1000ms.

  26. Reply Jose Dec 28,2015 4:34 pm

    Wait, you show how to create a custom group for VPX, then your screenshot shows binding the individual ciphers, instead of the group.
    Trying to follow your instructions and binding the custom group gives me “No usable ciphers configured on the SSL vserver/service”. I guess it’s a dreaded support case with Citrix…

  27. Reply JB Feb 11,2016 6:44 am

    Hey Anton,
    you keep stating that TLS1.2-ECDHE-RSA-AES-128-SHA256 binds in NS11 on VPX but surely you’re using an SDX for that?
    Using CLI or not, any SHA2 Ciphers will throw an error 🙁

  28. Reply Sujit Feb 18,2016 1:08 am

    I have citrix netscaller 7500 which used to coneect 2nos of web servers1&2 then connect to 2 nos of citrix farm 1&2 then connect all servers(rhel 5.0,solaris,unix,win server2008/12)
    will you please give me details configuration with diagram, which help me a lot in future.

  29. Reply David Feb 22,2016 4:29 am

    A recent build of NetScaler 11 rejects binding SHA-2 ciphers on VPX:

    ERROR: AES-GCM/SHA2 ciphers not supported on VPX and FIPS

    This removes the first cipher in your list.
    Before binding a custom cipher group to a vserver, unbind ALL ciphers from the vserver first. This ensures that ciphers will be bound in the optimal order.

    unbind ssl vserver http://www.mydomain.com:https -cipherName ALL
    bind ssl vserver http://www.mydomain.com:https -cipherName A-Plus

  30. Reply David Feb 22,2016 4:30 am

    That last comment was supposed to use code tags, not block quotes – sorry.

  31. Reply James Mar 7,2016 5:03 pm

    Wondering if anyone has any insights into ciphers used to back end webservers (your internal network, not visible by Qualys SSL labs)?

    To my surprise I find that Netscaler firmware v10.5 does not support an encrypted channel to any backend server using a SHA2 ssl certificate.

  32. Reply Herbert Mar 21,2016 12:54 pm

    A+ works. Thank you. But now i getting the following warning:

    DH public server param (Ys) reuse Yes

    Any solution?

    • Reply IT Apr 6,2016 3:24 am

      I also get “DH public server param (Ys) reuse Yes” despite A+ rating.
      Any solution for this (or at least an explanation)?

  33. Reply Julie Mar 31,2016 8:58 pm

    Hi I get A due the fact that my server provide more than one HSTS header. By browsing my website with the F12 option, i saw two HSTS : Strict-Transport-Security:max-age=300 and Strict-Transport-Security:”max-age=157680000″. I don’t find the one of 300, where can i find it on my NetScaler?

  34. Reply Patrick Apr 12,2016 3:40 pm

    When I bind the ECC curves my site become inaccessible from Safari, iPhones and Chrome and IE11. Any ideas what I can do to fix ?

  35. Reply Kelly Jones Jun 9,2016 11:45 am

    getting an A- using the following Ciphers and all the other steps in this guide

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS 256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS 128

  36. Reply Adrie van der Heiden Jun 16,2016 10:20 pm

    Anton perfect howto document.

Leave a Reply

  

  

  

Visit Us On TwitterVisit Us On Linkedin