Saturday, September 9, 2017

Update: Securing Citrix NetScaler VPX to score A+ rating on SSL Labs

Those who have used my previous blog post:

Securing Citrix NetScaler VPX to score A+ rating on SSL Labs
http://terenceluk.blogspot.com/2016/06/securing-citrix-netscaler-vpx-to-score.html

… to score an A+ on Qualys SSL Labs (https://www.ssllabs.com/ssltest/) may have noticed that they are now scoring an A- due to some minor changes to the criteria. 

There is no support for secure renegotiation. Grade reduced to A-.

The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.

The required changes to the configuration are minimal so this blog post serves to demonstrate the tweaks required to bring the score back to an A+.

The version of the NetScaler VPX I’ll be using for this demonstration is:

NS11.1: Build 49.16.nc

Step #1 – Confirm that the SSL certificate used is SHA2/SHA256 signature

Ensure that the SSL certificate used to secure the site uses the SHA2/SHA256 signature for both the root and intermediate.

Step #2 – Confirm that SSLv3 is disabled and TLSv12 is enabled

With the appropriate certificate assigned, begin by ensuring that SSLv3 is disabled and TLSv12 is enabled in the SSL Parameters of the virtual server:

Step #3 – Update Custom Ciphers

The ciphers listed in my previous post are outdated, so either remove the existing cipher group configuration and append the new ciphers to it, or create a new cipher group with the following ciphers:

TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES-256-SHA384
TLS1.2-ECDHE-RSA-AES-128-SHA256
TLS1-ECDHE-RSA-AES256-SHA
TLS1-ECDHE-RSA-AES128-SHA
TLS1.2-DHE-RSA-AES256-GCM-SHA384
TLS1.2-DHE-RSA-AES128-GCM-SHA256
TLS1-DHE-RSA-AES-256-CBC-SHA
TLS1-DHE-RSA-AES-128-CBC-SHA
TLS1-AES-256-CBC-SHA
TLS1-AES-128-CBC-SHA
SSL3-DES-CBC3-SHA

The following commands create a new custom cipher group and bind the required ciphers to it:

add ssl cipher Custom-VPX-Cipher
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName SSL3-DES-CBC3-SHA

With the custom cipher created, ensure that the virtual server is configured to use it:

Step #4 – Configure Deny SSL Renegotiation to FRONTEND_CLIENT

Navigate to Traffic Management > SSL > Change advanced SSL settings:

Change the Deny SSL Renegotiation setting from ALL to FRONTEND_CLIENT:

Alternatively, the following command can be executed to change the configuration:

set ssl parameter -denySSLReneg FRONTEND_CLIENT
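Before re-running SSL Labs it is useful to check the running configuration offline for the three things Steps 2 to 4 change: the protocol flags on each SSL virtual server, whether the bound cipher group actually contains ECDHE/DHE (forward-secret) suites, and the global denySSLReneg setting. The script below is an added example written for this post, not Citrix code or code from the original article. It parses a constructed ns.conf-style fragment (the `set ssl vserver ... -ssl3 ... -tls12 ...` and `bind ssl vserver ... -cipherName ...` syntax is assumed to match what `show running` prints; the cipher names are the ones from Step 3) and reports, per virtual server, which of the prescribed settings are missing. Built-in groups such as DEFAULT are not expanded, so a virtual server bound only to a built-in group is reported as having no visible forward-secret suite.

```python
"""Offline audit of a NetScaler running-config fragment against the settings
prescribed in Steps 2-4 of the post.  Added example, not from the original
post or from Citrix; the config below is constructed for illustration."""
import re

# Constructed sample: 'vpx-before' is the state that scored A-, 'vpx-after'
# has the tweaks from Steps 2-4 applied.  The denySSLReneg setting is global.
SAMPLE_CONFIG = """\
set ssl parameter -denySSLReneg FRONTEND_CLIENT
add ssl cipher Custom-VPX-Cipher
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher Custom-VPX-Cipher -cipherName SSL3-DES-CBC3-SHA
set ssl vserver vpx-before -ssl3 ENABLED -tls1 ENABLED -tls11 ENABLED -tls12 DISABLED
set ssl vserver vpx-after -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED
bind ssl vserver vpx-before -cipherName DEFAULT
bind ssl vserver vpx-after -cipherName Custom-VPX-Cipher
"""


def _flags(tokens):
    """Turn ['-ssl3', 'DISABLED', '-tls12', 'ENABLED'] into a dict."""
    return {key.lstrip("-"): value for key, value in zip(tokens[::2], tokens[1::2])}


def parse_config(text):
    """Return (global ssl params, vservers, cipher groups) from ns.conf-style lines."""
    params, vservers, groups = {}, {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue
        verb, name, rest = tuple(tokens[:3]), tokens[3], tokens[4:]
        if verb == ("set", "ssl", "parameter"):
            params.update(_flags(tokens[3:]))
        elif verb == ("add", "ssl", "cipher"):
            groups.setdefault(name, [])
        elif verb == ("bind", "ssl", "cipher"):
            groups.setdefault(name, []).append(_flags(rest)["cipherName"])
        elif verb in (("set", "ssl", "vserver"), ("bind", "ssl", "vserver")):
            vs = vservers.setdefault(name, {"protocols": {}, "ciphers": []})
            if verb[0] == "set":
                vs["protocols"].update(_flags(rest))
            else:
                vs["ciphers"].append(_flags(rest)["cipherName"])
    return params, vservers, groups


def provides_forward_secrecy(cipher_name):
    """NetScaler cipher names embed the key exchange; ECDHE/DHE use ephemeral keys."""
    return re.search(r"-(ECDHE|DHE)-", cipher_name) is not None


def non_forward_secret(cipher_names):
    """Suites in a group that fall back to static RSA key exchange (no forward secrecy)."""
    return [c for c in cipher_names if not provides_forward_secrecy(c)]


def audit(text):
    """Map each SSL vserver name to a list of findings; an empty list means compliant."""
    params, vservers, groups = parse_config(text)
    findings = {}
    for name, vs in vservers.items():
        issues = []
        if vs["protocols"].get("ssl3") != "DISABLED":
            issues.append("SSLv3 not disabled")
        if vs["protocols"].get("tls12") != "ENABLED":
            issues.append("TLSv1.2 not enabled")
        if params.get("denySSLReneg") != "FRONTEND_CLIENT":
            issues.append("denySSLReneg is %s, expected FRONTEND_CLIENT"
                          % params.get("denySSLReneg"))
        # Expand custom groups; built-in names (e.g. DEFAULT) stay opaque.
        bound = [c for group in vs["ciphers"] for c in groups.get(group, [group])]
        if not any(provides_forward_secrecy(c) for c in bound):
            issues.append("no ECDHE/DHE cipher visible in bound cipher group(s)")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for vserver, issues in audit(SAMPLE_CONFIG).items():
        print(vserver, "OK" if not issues else issues)
    custom = parse_config(SAMPLE_CONFIG)[2]["Custom-VPX-Cipher"]
    print("suites without forward secrecy:", non_forward_secret(custom))
```

Run it against the output of `show running` saved to a file instead of SAMPLE_CONFIG to audit a real appliance. The last two suites in the Step 3 list are reported as lacking forward secrecy; they sit at the end of the group so that modern clients negotiate an ECDHE suite first and only legacy clients fall back to them.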

-------------------------------------------------------------------------------------------------------------------------

You should now score an A+ with the adjustments listed above configured:

Remember to save the configuration!

1 comment:

Scott Cochran said...

Hi Terence,

I am curious as to why you list the ECDHE Ciphers since VPX does not support them? At least according to the latest list by Citrix...

https://docs.citrix.com/en-us/netscaler/12/ssl/cipher_protocl_support_matrix.html