Those who have used my previous blog post:
Securing Citrix NetScaler VPX to score A+ rating on SSL Labs
https://blog.terenceluk.com/2016/06/securing-citrix-netscaler-vpx-to-score.html
… to score an A+ on Qualys SSL Labs (https://www.ssllabs.com/ssltest/) may have noticed that they are now scoring an A- due to some minor changes to the criteria.
There is no support for secure renegotiation. Grade reduced to A-. MORE INFO »
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-. MORE INFO »
The required changes to the configuration are minimal so this blog post serves to demonstrate the tweaks required to bring the score back to an A+.
The version of the NetScaler VPX I’ll be using for this demonstration is:
NS11.1: Build 49.16.nc
Step #1 – Confirm that the SSL certificate used is SHA2/SHA256 signature
Ensure that the SSL certificate used to secure the site uses the SHA2/SHA256 signature for both the root and intermediate.
Step #2 – Confirm that SSVLv3 is disabled and TLSv12 is enabled
With the appropriate certificate assigned begin by ensuring that SSLv3 is disabled and TLSv12 is enabled for the SSL Parameters of the virtual server:
Step #3 – Update Custom Ciphers
The ciphers listed in my previous post is outdated so proceed to remove the existing configuration or appending the new ciphers in, or creating a new one with the following ciphers:
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES-256-SHA384
TLS1.2-ECDHE-RSA-AES-128-SHA256
TLS1-ECDHE-RSA-AES256-SHA
TLS1-ECDHE-RSA-AES128-SHA
TLS1.2-DHE-RSA-AES256-GCM-SHA384
TLS1.2-DHE-RSA-AES128-GCM-SHA256
TLS1-DHE-RSA-AES-256-CBC-SHA
TLS1-DHE-RSA-AES-128-CBC-SHA
TLS1-AES-256-CBC-SHA
TLS1-AES-128-CBC-SHA
SSL3-DES-CBC3-SHA
The following command can be used to create a new custom cipher with the required ciphers:
add ssl cipher Custom-VPX-Cipher
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName SSL3-DES-CBC3-SHA
With the custom cipher created, ensure that the virtual server is configured to use it:
Step #4 – Configure Deny SSL Renegotiation to FRONTEND_CLIENT
Navigate to Traffic Management > SSL > Change advanced SSL settings:
Change the Deny SSL Renegotiation setting from ALL to FRONTEND_CLIENT:
Alternatively, the following command can be executed to change the configuration:
set ssl parameter -denySSLReneg FRONTEND_CLIENT
————————————————————————————————————————-
You should now score an A+ with the adjustments listed above configured:
Remember to save the configuration!
One Response
Hi Terence,
I am curious as to why you list the ECDHE Ciphers since VPX does not support them? At least according to the latest list by Citrix…
https://docs.citrix.com/en-us/netscaler/12/ssl/cipher_protocl_support_matrix.html