SSL A+ rating on the Citrix ADC / Update: 2019-12-09
In this article I explain how you can get an SSL A+ rating on the Citrix ADC from SSLLabs. Nowadays it should be standard that websites and web services are only offered over encrypted connections, and only with encryption methods that are currently considered secure. I think SSL (Secure Sockets Layer) is very easy to use, but there are a few pitfalls to consider.
One of these pitfalls is that SSL settings have to be updated over and over again. The security standards for SSL keep changing, and the configuration on the Citrix ADC has to be adapted again and again to keep up.
Check how well your web services comply with the current standard
If you would like to check more closely how well your web services and websites comply with the current standard for SSL encryption, you can use the following services:
Qualys SSL Labs – https://www.ssllabs.com/ – I think this is the best known site for SSL checks, here you can also test different clients or attacks
DigiCert SSL Certificate Checker – https://www.digicert.com/help/ – Checks certificate chains for validity
The way to A+
The goal should always be to get an SSL A+ rating on the Citrix ADC. This will look like this:

Goal should be that you achieve an A+ rating when checking SSL at Qualys SSL Labs, so you can be sure that you meet the latest encryption standards.
A detailed guide to the ratings can be found below:
https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
How do I get an SSL A+ rating on the Citrix ADC?
Next we want to make sure that we get an SSL A+ rating on the Citrix ADC and that our services are accordingly secure.
If you set up a service with the default settings, you will usually not get a very good rating.
In my first tests (the web service was published without any special encryption settings) I got a C rating. That’s pretty bad.
Here you can see the screenshot of the first test:

Create the DH Key
To get an SSL A+ rating on the Citrix ADC, we start by creating a new “SSL Profile” on the Citrix ADC. In preparation we create a DH key (for the Diffie-Hellman (DH) key exchange) in advance. To do this, go to the menu item “SSL” on your Netscaler under “Configuration” > “Traffic Management”. Here you find the option “Create Diffie-Hellman (DH) key”. There you can create a new DH key. Please note that it may take up to 30 minutes until the key is created if you use 2048 bit.


The new SSL Profile
Now that we have created our DH Key, we create a new “SSL Profile”. This will make it a lot easier if you set the SSL settings on the Citrix ADC (formerly Citrix Netscaler ADC) on more than one virtual server. Now go to “Configuration” > “System” > “Profiles” on the tab “SSL Profiles”. There you can for example copy the profile “ns_default_ssl_profile_secure_frontend”. Then you don’t have to set all settings manually again. Alternatively you will find below the CLI commands with which you can create the SSL profile.

In the SSL profile you now use the following settings:
Basic Settings:
Name: the name you want for your SSL profile
SSL Profile Type: FrontEnd
PUSH Encryption Trigger: Always
Encryption trigger packet count: 45
Push Flag: Auto (PUSH flag is not set)
PUSH encryption trigger timeout (ms): 1
PUSH encryption trigger timeout (10 ms ticks): 100
Encoding type: Unicode
Deny SSL Renegotiation: NONSECURE
SSL quantum size (KBytes): 8192
Clear Text Port: 0
Enable DH Param: CHECKED
DH Refresh Count: 1000
DH FilePath: the path of your DH key
Enable Ephemeral RSA: CHECKED
Refresh Count: 0
Enable Session Reuse: CHECKED
Session Timeout: 120
Enable Cipher Redirect: UNCHECKED
Client Authentication: UNCHECKED
Common Name: LEAVE EMPTY
OCSP Stapling: UNCHECKED
SSL Redirect: UNCHECKED
SNI Enable: UNCHECKED
Send Close-Notify: CHECKED
Non-FIPS Ciphers: UNCHECKED
Strict CA checks: UNCHECKED
Drop requests for SNI enabled sessions if host header is absent: UNCHECKED
Enable Client Authentication using bound CA Chain: UNCHECKED
SSL Log Profile: LEAVE EMPTY
Session Ticket: UNCHECKED
Session Ticket Life Time (secs): 300
Session Key: LEAVE EMPTY
Session Key Auto Refresh: CHECKED
Session Key Lifetime (secs): 3000
Previous Session Key Lifetime (secs): 3000
HSTS: CHECKED
Max Age: 15552000
Include Subdomains: CHECKED
Preload: CHECKED
Every Decrypted Record: UNCHECKED
Every Encrypted Record: UNCHECKED
Protocol:
SSLv3: UNCHECKED
TLSv1: UNCHECKED
TLSv11: UNCHECKED
TLSv12: CHECKED
TLSv13: UNCHECKED
SSL Interception:
SSL Sessions Interception: UNCHECKED
Verify Server Certificate For Reuse On SSL Interception: CHECKED
SSL Interception Client Renegotiation: CHECKED
SSL Interception OCSP Check: CHECKED
Maximum SSL Session Per Server On SSL Interception: 10
TLS13 Session Ticket Per Authcontext: 1
A new Cipher Group needs to be created
Once you have created the SSL profile, you can immediately create a new Cipher Group. We also need this for our SSL settings.
Good to know: A cipher group contains several cipher suites. Each cipher suite specifies the protocol, the key exchange (Kx) algorithm, the authentication (Au) algorithm, the encryption (Enc) algorithm and the message authentication code (MAC) algorithm.
We now create the Cipher Group via the CLI, as this is much faster. You can enter the following part directly on your Citrix ADC on the (Netscaler) CLI.
add ssl cipher APlus_Ciphers
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-CHACHA20-POLY1305-SHA256
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES128-GCM-SHA256
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES256-GCM-SHA384
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher APlus_Ciphers -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
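As an added example (not part of the original article or of any Citrix tooling), a small Python checker that parses the bind ssl cipher commands above and classifies each suite by the two properties a reviewer checks before expecting an A+: forward-secret key exchange and AEAD encryption. The command text is embedded as constructed input; the classification works purely on the ADC cipher name tokens, so it also shows which entries of this group are CBC suites.

```python
import re

# Constructed input: the cipher-group bindings from this article, one CLI command per line.
CIPHER_GROUP_CLI = """
add ssl cipher APlus_Ciphers
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-CHACHA20-POLY1305-SHA256
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES128-GCM-SHA256
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES256-GCM-SHA384
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher APlus_Ciphers -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
"""

BIND_RE = re.compile(r"^bind ssl cipher (\S+) -cipherName (\S+)$")


def parse_bindings(cli_text):
    """Collect cipher names per group from 'bind ssl cipher' lines; other lines are ignored."""
    groups = {}
    for line in cli_text.splitlines():
        match = BIND_RE.match(line.strip())
        if match:
            groups.setdefault(match.group(1), []).append(match.group(2))
    return groups


def assess_cipher(name):
    """Classify one ADC cipher name (TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 style)."""
    parts = name.split("-")
    # TLS 1.3 suites always use an ephemeral key exchange; for TLS 1.0-1.2 the
    # second token names it, and only ECDHE/DHE give forward secrecy.
    forward_secrecy = parts[0] == "TLS1.3" or parts[1] in ("ECDHE", "DHE")
    # GCM and POLY1305 are AEAD modes; anything else here is a CBC suite with a
    # separate HMAC, which scanners such as SSL Labs report as weak.
    aead = "GCM" in parts or "POLY1305" in parts
    return {"cipher": name, "forward_secrecy": forward_secrecy, "aead": aead,
            "ok": forward_secrecy and aead}


def weak_ciphers(cli_text, group="APlus_Ciphers"):
    """Return the names in a cipher group that fail either check, in binding order."""
    assessments = map(assess_cipher, parse_bindings(cli_text).get(group, []))
    return [a["cipher"] for a in assessments if not a["ok"]]


if __name__ == "__main__":
    for weak in weak_ciphers(CIPHER_GROUP_CLI):
        print("review:", weak, assess_cipher(weak))
```

Run against the group above it reports the two CBC entries (the -SHA384 and -SHA suites); whether you keep them for client compatibility is a deliberate choice, not an oversight.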
Once we have created our SSL profile and our Cipher Group, we switch to the content switching virtual server or the Citrix Gateway virtual server.
On the right side under “Advanced Settings” you will find the item “SSL Profile”. Select it; the item then appears in the configuration area, where you can choose your SSL profile and confirm with “OK”.


We add our newly created Cipher Group and remove the “Default” Cipher Group from the virtual server. When you’re done, it should look like this:

Check whether the goal has been achieved!
Now that we have made all the settings on our virtual server, we want to check whether our settings were successful and we get an A+ rating on the Citrix ADC. Our SSL Rating can be checked on the link above via Qualys SSL Labs.

This is how your virtual server or the individual websites should be displayed if you have applied the settings successfully.
I hope as always that you liked the article and that it will help you. If you have any questions or suggestions, please write me a comment. Also read my other articles about Citrix ADC here.
Otherwise I am happy about a Like on Facebook, Xing or if you follow me on Twitter. The social media buttons are on top and on the bottom of my page. You can also share my article if you like.
Awesome article! I applied this to my external ADCs and achieved the A+ rating.
One thing I noticed though is with this new Aplus Cipher group bound to the Gateway vServer, clients connecting were unable to use DTLS (UDP), and were failing back to TCP.
When I removed the Aplus ciphers, and bound the Default Ciphers again (and removed and reattached the certificate), DTLS worked again.
Is this expected behaviour?
If so, are there additional Ciphers we can add to our APlus Cipher group that support DTLS?
Hi Daniel,
thanks for your comment. I think this article will help you. If not, you can also reply to this comment or drop me a mail over the contact button or dm me on Twitter or LinkedIn.
https://docs.citrix.com/en-us/netscaler/12/ssl/support-for-dtls-protocol.html