If you think you have a NetScaler A+ rating on SSL Labs, re-run your test: you might not have it any more.
New AEAD ciphers were added to NetScaler as of build 12.0.56.20.
To keep an A+ rating you need to modify your cipher suite to include these ciphers.
Here is a code snippet for you; change the cipher group name to match your own, or create a new one.
add ssl cipher VPX_APLUS_CIPHER_23.03.16
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1.2-DHE-RSA-CHACHA20-POLY1305 -cipherPriority 1
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 2
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 4
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 5
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 6
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 7
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 8
bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName SSL3-DES-CBC3-SHA -cipherPriority 9
If you don’t understand this, look at this blog article from George Spiers on generating a Qualys SSL Labs A+ rating on your NetScaler, and just replace the ciphers with the ones above.
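As an added example (not part of the original post), this Python script generates the NetScaler CLI for a cipher group from an ordered list and flags the entries in that list that an SSL Labs-style audit would count against you (no forward secrecy, CBC rather than AEAD, SHA-1 MAC, 3DES), and checks that the AEAD suites sit at the top of the priority order. The weakness rules are a name-based heuristic I wrote against NetScaler's cipher naming; the sample list is the post's own group and the group name is the post's.

```python
import re

# Constructed sample: the post's cipher group above, in its priority order.
POST_GROUP = [
    "TLS1.2-DHE-RSA-CHACHA20-POLY1305", "TLS1.2-ECDHE-RSA-CHACHA20-POLY1305",
    "TLS1-ECDHE-RSA-AES256-SHA", "TLS1-ECDHE-RSA-AES128-SHA",
    "TLS1-DHE-RSA-AES-256-CBC-SHA", "TLS1-DHE-RSA-AES-128-CBC-SHA",
    "TLS1-AES-128-CBC-SHA", "TLS1-AES-256-CBC-SHA", "SSL3-DES-CBC3-SHA"]

def is_aead(cipher):
    # GCM and ChaCha20-Poly1305 are the AEAD suites in NetScaler's naming.
    return "-GCM-" in cipher or "CHACHA20-POLY1305" in cipher

def classify(cipher):
    # Name-based heuristic (my assumption, not an SSL Labs or NetScaler API).
    # Returns the reasons a suite costs points; [] means nothing was flagged.
    reasons = []
    if cipher.startswith("SSL3-") or "DES-CBC3" in cipher:
        reasons.append("legacy 3DES/SSL3 suite")
    if not re.search(r"-(ECDHE|DHE)-", cipher):
        reasons.append("no forward secrecy (static RSA key exchange)")
    if not is_aead(cipher):
        reasons.append("non-AEAD (CBC) mode")
    if cipher.endswith("-SHA"):
        reasons.append("SHA-1 MAC")
    return reasons

def weak_entries(ciphers):
    # Only flagged ciphers are returned, each mapped to its reasons.
    return {c: classify(c) for c in ciphers if classify(c)}

def aead_first(ciphers):
    # True when every AEAD suite outranks every non-AEAD suite.
    flags = [is_aead(c) for c in ciphers]
    return flags == sorted(flags, reverse=True)

def build_cipher_group(name, ciphers):
    # NetScaler CLI: one add, then one bind per cipher; priority 1 is most preferred.
    if not re.fullmatch(r"[A-Za-z0-9_.\-]+", name):
        raise ValueError("cipher group name contains unexpected characters")
    lines = ["add ssl cipher %s" % name]
    for prio, c in enumerate(ciphers, start=1):
        lines.append("bind ssl cipher %s -cipherName %s -cipherPriority %d" % (name, c, prio))
    return lines

if __name__ == "__main__":
    print("\n".join(build_cipher_group("VPX_APLUS_CIPHER_23.03.16", POST_GROUP)))
    for c, why in weak_entries(POST_GROUP).items():
        print("WARN %s: %s" % (c, "; ".join(why)))
```

Run it against the GCM-only list from the comments below and nothing but the CBC SHA256/SHA384 suites gets flagged, which is the difference between an A+ and a clean cipher-strength score.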
Good work!
Just a note – I have had a couple of issues with the AEAD ciphers causing ICA sessions to fail to start, so I ended up moving them further down in the priority list – have you seen issues when using them as above?
Not yet, Stan, but if I do I shall follow your advice. They’re quite new, so they probably require a later Receiver and an up-to-date OS.
Comment from – mbrennan@laingorourke.com.au:
Get rid of your old cipher suites and insecure protocols, enforce modern ciphers and get users / companies to keep up with the times.
SSLv2/3 – Disabled
TLS1.0 – Disabled
TLS1.1 – Disabled
TLS1.2 – Enabled
SHA1 – Disabled
SHA256 – Enabled
SHA384 – Enabled
TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES-256-SHA384
TLS1.2-ECDHE-RSA-AES-128-SHA256
TLS1.2-DHE-RSA-CHACHA20-POLY1305
TLS1.2-DHE-RSA-AES256-GCM-SHA384
TLS1.2-DHE-RSA-AES128-GCM-SHA256
TLS1.2-DHE-RSA-AES-256-SHA256
TLS1.2-DHE-RSA-AES-128-SHA256
NOTE 1: CHACHA20 ciphers are 256-bit encryption and SHA256.
NOTE 2: If you want 100% on Cipher Strength, then remove AES128 and only use AES256.
Is it just me, or are the ChaCha ciphers not supported on MPX yet?
I’ve not got an MPX to test against, Stan; you shall have to let me know.
It is the case by the looks of it:
https://docs.citrix.com/en-us/netscaler/12/ssl/cipher_protocl_support_matrix.html
The way I read it, all MPX are Not Supported.
Tested on an MPX 5650 and no-go. You see the ciphers but can’t bind them, even on ADC v12.1.
You could still get an A with an MPX without the ChaCha ciphers – the list below will get the job done!
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES-256-SHA384
TLS1.2-ECDHE-RSA-AES-128-SHA256
TLS1.2-DHE-RSA-AES256-GCM-SHA384
TLS1.2-DHE-RSA-AES128-GCM-SHA256
TLS1.2-DHE-RSA-AES-256-SHA256
TLS1.2-DHE-RSA-AES-128-SHA256