It has been a while since I’ve updated my previous posts for securing a Citrix ADC (formerly known as Citrix NetScaler) due to my absence from the work force so this post serves to provide the configuration required to published a virtual server to score an A+ on Qualys SSL Labs for the following test:
https://www.ssllabs.com/ssltest/
This post will demonstrate the process on a Citrix ADC NS13.0 47.24.nc via the command line.
Without any additional configuration, a newly published VPN Virtual Server for Citrix Virtual Apps Desktops published by a Citrix ADC typically scores a B or lower:
**Note that SSL Profiles allow the packaging of several SSL settings to be configured and applied to SSL-based Virtual Servers and Services but will not be demonstrated in this post.
Step #1 – Confirm that Deny SSL Renegotiation is configured as FRONTEND_CLIENT
The newer versions of the Citrix ADCs typically have the Deny SSL Renegotiation already configured appropriately but it is always good practice to confirm.
Navigate to Traffic Management > SSL > Change advanced SSL settings:
Confirm that the Deny SSL Renegotiation setting is set to FRONTEND_CLIENT:
Step #2 – Confirm that all available ECC Curves are bound to the virtual server
SSL Virtual Servers created on newer versions of the Citrix ADC such as the version I listed above will automatically have ECC Curves bound to them. However, if the appliance was upgraded from an older version, then the ECC Curves might not be bound.
Navigate into the properties of the virtual server:
Scroll down to the ECC Curve section and confirm that all the available options are bound to the virtual server:
Step #3 – Turn off SSLv3, TLSv1, TLSv11 and enable TLSv12 and TLSv13
The first step is to turn off SSLv3, TLSv11 and TLSv12, TLSv13 on your Load Virtual Server(s) and NetScaler Gateway Virtual Servers. For the purpose of this post, we will use a Virtual Server under the Citrix Gateway (also known as a VPN Virtual Server) for the configuration.
The following screenshots shows where the settings are in the GUI for the VPN Virtual Server:
SSLv3 used to be enabled in the older appliances but the later ones have TLSv1, TLSv11 and TLSv12 enabled by default:
Either uncheck the support for TLSv1, TLSv11 and enable TLSv12 and TLSv13 in the GUI or execute the following command in the CLI:
set ssl vserver <vpn server name> -ssl3 disabled
set ssl vserver <vpn server name> -tls1 disabled
set ssl vserver <vpn server name> -tls11 disabled
set ssl vserver <vpn server name> -tls12 enabled
set ssl vserver <vpn server name> -tls13 enabled
The configuration should look as such once the appropriate protocols are enabled or disabled:
Repeat the same process for the other Virtual Servers in the environment.
Step #4 – Create new custom Ciphers
The following is the set of SSL Ciphers that would allow us to score an A+ SSL scan on a Citrix ADC appliance but note that these need to be continually updated over time what is secure today may be vulnerable tomorrow:
TLS1.3-AES256-GCM-SHA384 -cipherPriority 1
TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2
TLS1.3-AES128-GCM-SHA256 -cipherPriority 3
TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-SHA256
TLS1.2-ECDHE-ECDSA-AES256-SHA384
TLS1-ECDHE-ECDSA-AES128-SHA
TLS1-ECDHE-ECDSA-AES256-SHA
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES-128-SHA256
TLS1.2-ECDHE-RSA-AES-256-SHA384
TLS1-ECDHE-RSA-AES128-SHA
TLS1-ECDHE-RSA-AES256-SHA
TLS1.2-DHE-RSA-AES128-GCM-SHA256
TLS1.2-DHE-RSA-AES256-GCM-SHA384
TLS1-DHE-RSA-AES-128-CBC-SHA
TLS1-DHE-RSA-AES-256-CBC-SHA
TLS1-AES-128-CBC-SHA
TLS1-AES-256-CBC-SHA
Attempting to use the GUI to create and add the ciphers in can be time consuming and prone to errors. A more efficient way would be to use the CLI and execute the following to create a group named Custom-VPX-Cipher with the ciphers listed above:
add ssl cipher Custom-VPX-Cipher
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-256-CBC-SHA
With the above commands successfully executed, we should now see the following Cipher Group created:
Step #5 – Bind new custom Ciphers to Load Balancing Server(s)
With the new cipher group created, proceed with binding them to the Load Balancing Virtual Server(s) and Citrix Gateway Virtual Server(s):
bind ssl vserver www.contoso.com_internal -cipherName Custom-VPX-Cipher
bind ssl vs <vpn server name> -eccCurveName ALL
With the new cipher group binded to the virtual servers, we can use the following commands to review the bindings:
show ssl vserver <vpn server name>
With the new custom CIPHER list bounded, unbind the DEFAULT list that gets bounded to all the virtual servers with the command:
unbind ssl vserver <vpn server name> -cipherName DEFAULT
Browsing to the SSL Ciphers heading for the virtual server should now display the custom Cipher list configured:
Step #6 – Create a Deffie-Hellman (DH) key for Forward Secrecy
The following screenshots shows where to create the Deffie-Hellman (DH) key in the GUI of the NetScaler:
Traffic Management > SSL > Create Diffie-Hellman (DH) key
The CLI command to execute to create the Deffie-Hellman (DH) key is as follows:
create ssl dhparam /nsconfig/ssl/dhkey2048.key 2048 -gen 2
**Note that the process could take a few minutes before completing so wait until the green cursor display changes to a >.
Reviewing the /nsconfig/ssl directory on the NetScaler should now show the dhkey2048.key key that was created:
Step #7 – Assign Deffie-Hellman (DH) key for Forward Secrecy to Virtual Server
With the Deffie-Hellman (DH) key successfully created, proceed with assigning it to the virtual servers.
The following screenshots shows where the settings are in the GUI:
Execute the following command to assign the DH Key via the CLI:
set ssl vserver <vpn server name> -dh ENABLED -dhFile “/nsconfig/ssl/dhkey2048.key” -dhcount 1000
Step #8 – Configure Policy for Strict Transport Security – 2 Options
Option #1 – Enable on Virtual Server
As of version 12.0.35.6, a -HSTS ENABLED flag that became available for the Strict Transport Security as shown here:
You can either apply the configuration directly onto the virtual server as such:
Executing the following CLI command would configure the HSTS setting as shown above:
set ssl vserver <vpn server name> -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES
Option #2 – Create a Rewrite Action and Policy for Strict Transport Security
Another option is to create a rewrite action, policy and then bind it to the virtual server as shown in the following:
Execute the following to create a Rewrite Action for Strict-Transport-Security:
add rewrite action act_sts_header insert_http_header Strict-Transport-Security q/”max-age=157680000″/
With the command above successfully executed, you should now see the following action created:
Execute the following to create a policy and assign the Rewrite Action for to the policy:
add rewrite policy pol_sts_header TRUE act_sts_header
With the Strict Transport Security policy created, proceed with binding them to the virtual servers with the following commands:
bind vpn vserver <vpn server name> -policy pol_sts_header -priority 100 -gotoPriorityExpression END -type RESPONSE
With the command above successfully executed, we should now see the Response Rewrite policy bounded to the virtual servers:
Having completed all the steps outlined above should now allow the NetScaler site to score an A+:
There are additional steps that will allow you to obtain a perfect score as the above rating indicates the Key Exchange and Cipher Strength falls just short. The Key Exchange can be updated to use a certificate that is of 4098bit rather than the 2048bit DH Key we used and the Cipher support can be adjusted to remove 128-bit support but the latter change may sacrifice compatibility. Security is a perpetual challenge so the best approach is to constantly update the security hardening configuration on the Citrix ADC to address newly uncovered issues or outdated configuration.
Also note that having less ciphers supported equates to less browser support so it is important to scroll down to the results and review the Handshake Simulation heading that list handshake failures so you are aware of what browsers will no longer be able to access the web application published:
