
NetScaler SSL A+ Secured VIPs

Below are the steps I followed to score an A+ with Qualys while working on a new XenMobile 🙂 and NetScaler Unified Gateway deployment.

There are some caveats, however, since Citrix now delivers TLS 1.2 with TLS_FALLBACK protection across all NetScaler products. Good, right? Well, if you are running a version below 10.5.57.7.nc you will need to update your NetScaler appliances.

10.5.57.7.nc is available to all NetScaler and NetScaler Gateway customers. With this release and above, you can achieve an A+ regardless of the hardware platform, including VPX running on your own hypervisor, MPX or SDX.

Environment:

  • Citrix NetScaler 11.0 Build 63.16.nc
  • XenMobile 10.3
  • StoreFront 3.0

Let's get started:

Bind specific ciphers to your SSL vServer, then disable RC4 by creating your own cipher group.

Please note that TLS1-AES-256-CBC-SHA is needed to support older SOCKS clients such as Receivers prior to 4.2.100 running on Windows, and several others. This includes the XenMobile WorxMail client in STA mode.

In the future this might change as Citrix moves forward with TLS1.2 support across their products.

set ssl vserver portal_netscaler -tls1 ENABLED
set ssl vserver portal_netscaler -tls11 DISABLED
set ssl vserver portal_netscaler -tls12 ENABLED
set ssl vserver portal_netscaler -ssl2 DISABLED
set ssl vserver portal_netscaler -ssl3 DISABLED
unbind ssl vserver portal_netscaler -cipherName ALL
bind ssl vserver portal_netscaler -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl vserver portal_netscaler -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl vserver portal_netscaler -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl vserver portal_netscaler -cipherName TLS1-AES-256-CBC-SHA

Create a new cipher group from the default cipher group and leave out the RC4 suites; otherwise you will be capped at a B. The RC4 cipher suites have known weaknesses: biases in the RC4 key stream can let an attacker recover plaintext from enough captured TLS records. You can read more on how an attack against TLS/RC4 is possible by reviewing this PDF (http://cr.yp.to/talks/2013.03.12/slides.pdf).

add ssl cipher DEFAULT_no_RC4
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName SSL3-EDH-RSA-DES-CBC3-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName SSL3-EDH-DSS-DES-CBC3-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName SSL3-DES-CBC3-SHA

Bind the new SSL Cipher Group to your vServer

bind ssl vserver portal_netscaler -cipherName DEFAULT_no_RC4
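Before running a VIP through Qualys, it is useful to audit the configuration itself for the conditions this post calls out: SSLv2/SSLv3 not disabled, an RC4 suite still bound (the B cap), and no ECDHE/DHE suite bound (no forward secrecy, which the A+ step below depends on). The Python script here is an added example, not part of the post and not a Citrix tool; it parses ns.conf-style `set ssl vserver`, `unbind ssl vserver`, `add ssl cipher`, `bind ssl cipher` and `bind ssl vserver` lines exactly as they appear above and resolves bound cipher groups into individual suites. The sample configuration is constructed: it trims the post's commands and adds a deliberately weak `legacy_vip`; the suite name `SSL3-RC4-128-SHA` in that sample is a placeholder, so check suite names against your own firmware's `show ssl cipher` output.

```python
"""Audit NetScaler ns.conf SSL vserver/cipher lines for the weaknesses discussed above."""
import re
from collections import defaultdict

# Constructed sample (not a real appliance dump): the post's commands, trimmed,
# plus a deliberately weak vserver so the audit has something to flag.
# SSL3-RC4-128-SHA is a placeholder suite name for illustration only.
SAMPLE_NS_CONF = """\
set ssl vserver portal_netscaler -tls1 ENABLED
set ssl vserver portal_netscaler -tls11 DISABLED
set ssl vserver portal_netscaler -tls12 ENABLED
set ssl vserver portal_netscaler -ssl2 DISABLED
set ssl vserver portal_netscaler -ssl3 DISABLED
unbind ssl vserver portal_netscaler -cipherName ALL
bind ssl vserver portal_netscaler -cipherName TLS1-ECDHE-RSA-AES256-SHA
add ssl cipher DEFAULT_no_RC4
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName SSL3-DES-CBC3-SHA
bind ssl vserver portal_netscaler -cipherName DEFAULT_no_RC4
set ssl vserver legacy_vip -ssl3 ENABLED
bind ssl vserver legacy_vip -cipherName SSL3-RC4-128-SHA
"""

LINE_RE = re.compile(r"^(set|bind|unbind|add) ssl (vserver|cipher) (\S+)(.*)$")
FLAG_RE = re.compile(r"-(\w+) (\S+)")  # "-ssl3 DISABLED", "-cipherName X"


def parse_ns_conf(text):
    """Return (vservers, groups).

    vservers: name -> {"protocols": {flag: value}, "ciphers": [bound names]}
    groups:   cipher group name -> [suite names bound to the group]
    """
    vservers = defaultdict(lambda: {"protocols": {}, "ciphers": []})
    groups = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an SSL vserver/cipher command; ignore
        verb, obj, name, rest = m.groups()
        flags = dict(FLAG_RE.findall(rest))
        if obj == "vserver":
            if verb == "set":
                vservers[name]["protocols"].update(flags)
            elif verb == "bind" and "cipherName" in flags:
                vservers[name]["ciphers"].append(flags["cipherName"])
            elif verb == "unbind" and flags.get("cipherName") == "ALL":
                vservers[name]["ciphers"].clear()  # mirrors "unbind ... -cipherName ALL"
        elif obj == "cipher":
            if verb == "add":
                groups[name]  # register an (initially empty) group
            elif verb == "bind" and "cipherName" in flags:
                groups[name].append(flags["cipherName"])
    return dict(vservers), dict(groups)


def effective_suites(vserver, groups):
    """Expand bound cipher groups; a bound name that is not a group is a single suite."""
    suites = []
    for name in vserver["ciphers"]:
        suites.extend(groups.get(name, [name]))
    return suites


def audit(vservers, groups):
    """Return {vserver name: [finding, ...]} for vservers with at least one finding."""
    findings = defaultdict(list)
    for name, vs in vservers.items():
        for proto in ("ssl2", "ssl3"):
            if vs["protocols"].get(proto) != "DISABLED":
                findings[name].append(f"{proto} is not explicitly DISABLED")
        suites = effective_suites(vs, groups)
        if not suites:
            findings[name].append("no cipher suites bound")
        if any("RC4" in s for s in suites):
            findings[name].append("RC4 suite bound (Qualys caps the grade at B)")
        # ECDHE / DHE / EDH suites are the ones that provide forward secrecy.
        if not any(("ECDHE" in s or "DHE" in s or "EDH" in s) for s in suites):
            findings[name].append("no ECDHE/DHE suite bound, so no forward secrecy")
    return dict(findings)


if __name__ == "__main__":
    vservers, groups = parse_ns_conf(SAMPLE_NS_CONF)
    report = audit(vservers, groups)
    for name in vservers:
        print(f"{name}: " + ("OK" if name not in report else "; ".join(report[name])))
```

Feed it the output of `show ns runningConfig` (or the saved ns.conf) instead of the constructed sample to audit a real appliance; the script reads only the SSL commands and ignores everything else.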

The above will get you an A- score:

[Image: ssl_a_minus, Qualys SSL Labs report showing an A- grade]

You can also enable forward secrecy. With the new firmware it is now possible to enable PFS for all modern clients/browsers and receive an A+.

Follow the instructions below to score an A+:

https://blog.cjharms.info/2014/05/enable-forward-secrecy-and-secure.html

[Image: ssl_a_plus, Qualys SSL Labs report showing an A+ grade]

Hope this helps 🙂

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.


About CyberRuiz
Highly motivated, with over 12 years' experience in Citrix/VMware/Microsoft technologies. Exceptional communication skills and team player. CCIA – Citrix Certified Integration Architect. CCEA – Citrix Certified Enterprise Administrator. VCP – VMware Certified Professional in ESX 2.x, VI3, VI4. MCSE – Microsoft Certified Systems Engineer.

2 Responses to NetScaler SSL A+ Secured VIPs

  1. Javier says:

    Thank you Daniel. Would you recommend going to NS11 instead of 10.5.57?
