Keeping your NetScaler A+ Rating on SSL Labs

If you think you have a NetScaler A+ rating on SSL labs, re-try your test and you might not anymore.

New AEAD ciphers have been added to NetScaler as of build 12.0.56.20.

To maintain an A+ rating you need to modify your cipher group to include these ciphers.

Here is a snippet for you; change the cipher group name to match your own, or create a new one.

add ssl cipher VPX_APLUS_CIPHER_23.03.16
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1.2-DHE-RSA-CHACHA20-POLY1305 -cipherPriority 1
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 2
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 4
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 5
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 6
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 7
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 8
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName SSL3-DES-CBC3-SHA -cipherPriority 9

If you don’t understand this, look at this blog article from George Spiers on getting a Qualys SSL Labs A+ rating on your NetScaler and just replace the ciphers with the above.

http://www.jgspiers.com/get-an-a-score-netscaler-11/
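As an added example (not code from the post, Citrix or the linked article), here is a small lint that parses `bind ssl cipher` lines like the snippet above and reports, per cipher, the properties SSL Labs grades on, plus whether an AEAD suite has ended up ranked below a CBC one. The cipher-name heuristics are assumptions based on NetScaler's naming convention, and the embedded config is a constructed subset of the post's snippet.

```python
import re

# Constructed sample: a subset of the bind lines from the post's snippet.
NS_CONFIG = """
add ssl cipher VPX_APLUS_CIPHER_23.03.16
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1.2-DHE-RSA-CHACHA20-POLY1305 -cipherPriority 1
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 2
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 7
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName SSL3-DES-CBC3-SHA -cipherPriority 9
"""

BIND_RE = re.compile(r"^bind ssl cipher (\S+) -cipherName (\S+) -cipherPriority (\d+)$")

def parse_bindings(config):
    """Return (cipherName, priority) pairs, most-preferred first (lowest priority number)."""
    pairs = []
    for line in config.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            pairs.append((m.group(2), int(m.group(3))))
    return sorted(pairs, key=lambda p: p[1])

def issues_for(cipher):
    """Properties of a NetScaler cipher name that SSL Labs grades on (empty list = clean).
    Heuristics assume NetScaler's naming convention; they are not an official classification."""
    issues = []
    # AEAD suites are the GCM and CHACHA20-POLY1305 ones; the rest of the post's list is CBC.
    if "GCM" not in cipher and "CHACHA20-POLY1305" not in cipher:
        issues.append("CBC mode, not AEAD")
    # ECDHE/DHE key exchange gives forward secrecy; plain RSA key exchange does not.
    if "ECDHE" not in cipher and "-DHE-" not in cipher:
        issues.append("no forward secrecy")
    # Names ending in a bare "-SHA" use an HMAC-SHA1 MAC; "-SHA256"/"-SHA384" do not.
    if cipher.endswith("-SHA"):
        issues.append("HMAC-SHA1 MAC")
    if "DES-CBC3" in cipher:
        issues.append("3DES")
    return issues

def lint(config):
    """Map each bound cipher to its issues, and flag AEAD suites ranked below a CBC suite."""
    report = {}
    cbc_seen = False
    for cipher, prio in parse_bindings(config):
        issues = issues_for(cipher)
        if "CBC mode, not AEAD" in issues:
            cbc_seen = True
        elif cbc_seen:
            issues.append("AEAD suite ranked below a CBC suite")
        report[cipher] = issues
    return report
```

Run `lint(NS_CONFIG)` against your own `show ns runningConfig | grep "bind ssl cipher"` output before binding the group to a vserver; an empty list for every cipher is what the stricter lists in the comments below aim for.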

7 thoughts on “Keeping your NetScaler A+ Rating on SSL Labs”

  1. Good work!

    Just a note – I have had a couple of issues with the AEAD ciphers causing ICA sessions to fail to start, so I ended up moving them further down the priority list. Have you seen issues when using them as above?

  2. Comment from – [email protected]:

    Get rid of your old cipher suites and insecure protocols, enforce modern ciphers and get users / companies to keep up with the times.

    SSLv2/3 – Disabled
    TLS1.0 – Disabled
    TLS1.1 – Disabled
    TLS1.2 – Enabled
    SHA1 – Disabled
    SHA256 – Enabled
    SHA384 – Enabled

    TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
    TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    TLS1.2-ECDHE-RSA-AES-256-SHA384
    TLS1.2-ECDHE-RSA-AES-128-SHA256
    TLS1.2-DHE-RSA-CHACHA20-POLY1305
    TLS1.2-DHE-RSA-AES256-GCM-SHA384
    TLS1.2-DHE-RSA-AES128-GCM-SHA256
    TLS1.2-DHE-RSA-AES-256-SHA256
    TLS1.2-DHE-RSA-AES-128-SHA256

    NOTE 1: CHACHA20 ciphers are 256-bit encryption and SHA256.
    NOTE 2: If you want 100% on Cipher Strength, then remove AES128 and only use AES256.

        1. You could still get an A with an MPX without the ChaCha ciphers – the list below will get the job done!

          TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
          TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
          TLS1.2-ECDHE-RSA-AES-256-SHA384
          TLS1.2-ECDHE-RSA-AES-128-SHA256
          TLS1.2-DHE-RSA-AES256-GCM-SHA384
          TLS1.2-DHE-RSA-AES128-GCM-SHA256
          TLS1.2-DHE-RSA-AES-256-SHA256
          TLS1.2-DHE-RSA-AES-128-SHA256
