SSL A+ rating on the Citrix ADC / Update: 2019-12-09
In this article I explain how you can get an SSL A+ rating on the Citrix ADC from SSLLabs. Nowadays, it should be standard for websites or web services that they are only offered encrypted. On the other hand, however, only currently secure methods for encryption should be used here. I think SSL (Secure Sockets Layer) is very easy to use, but there are a few pitfalls to consider.
One of these pitfalls is that SSL settings have to be updated over and over again. Also with SSL the security standards change and these must be adapted again and again on the Citrix ADC.
Check how well your web services comply with the current standard
If you would like to check more closely how well your web services and websites comply with the current standard for SSL encryption, you can use the following services:
Qualys SSL Labs – https://www.ssllabs.com/ – I think this is the best known site for SSL checks, here you can also test different clients or attacks
DigiCert SSL Certificate Checker – https://www.digicert.com/help/ – Checks certificate chains for validity
The way to A+
The goal should always be to get an SSL A+ rating on the Citrix ADC. This will look like this:
Goal should be that you achieve an A+ rating when checking SSL at Qualys SSL Labs, so you can be sure that you meet the latest encryption standards.
A detailed guide to the ratings can be found below:
How do I get an SSL A+ rating on the Citrix ADC?
Next we want to make sure that we get an SSL A+ rating on the Citrix ADC and that our services are accordingly secure.
If you set up a service with the default settings, you will usually not get a very good rating.
In my first tests (the web service was published without any special encryption settings) I got a C rating. That’s pretty bad.
Here you can see the screenshot of the first test:
Create the DH Key
To get an SSL A+ rating on the Citrix ADC, we start to create a new “SSL Profile” on the Citrix ADC. In preparation we create a DH-Key (Diffie-Hellman (DH) key exchange) in advance. To do this, go to the menu item “SSL” on your Netscaler under “Configuration” > “Traffic Management”. Here you find the option “Create Diffie-Herman (DH) key”. There you can create a new DH key. Please note that it may take up to 30 minutes until the key is created, if you use 2048 bit.
The new SSL Profile
Now that we have created our DH Key, we create a new “SSL Profile”. This will make it a lot easier if you set the SSL settings on the Citrix ADC (formerly Citrix Netscaler ADC) on more than one virtual server. Now go to “Configuration” > “System” > “Profiles” on the tab “SSL Profiles”. There you can for example copy the profile “ns_default_ssl_profile_secure_frontend”. Then you don’t have to set all settings manually again. Alternatively you will find below the CLI commands with which you can create the SSL profile.
In the SSL profile you now use the following settings:
Basic Settings: Name: Choose Name you want for your SSL Profile SSL Profile Type: FrontEnd PUSH Encryption Trigger: Always Encryption trigger packet count: 45 Push Flag: Auto (PUSH flag is not set) PUSH encryption trigger timeout (ms): 1 PUSH encryption trigger timeout (10 ms ticks): 100 Encoding type: Unicode Deny SSL Renegotiation: NONSECURE SSL quantum size (KBytes): 8192 Clear Text Port: 0 Enable DH Param: CHECKED DH Refresh Cound: 1000 DH FilePath: Your DH Key Path Enable Ephemeral RSA: CHECKED Refresh Count: 0 Enable Session Reuse: CHECKED Session Timeout: 120 Enable Cipher Redirect: UNCHECKED Client Authenticaton: UNCHECKED Common Name: LEAVE EMPTY OCSP Stapling: UNCHECKED SSL Redirect: UNCHECKED SNI Enable: UNCHECKED Send Close-Notify: CHECKED Non-FIPS Ciphers: UNCHECKED Strict CA checks: UNCHECKED Drop requests for SNI enable sessions if host header is absend: UNCHECKED Enable Client Authentication using bound CA Chain: UNCHECKED SSL Log Profile: LEAVE EMPTY Session Ticket: UNCHECKED Session Ticket Life Time (secs) 300 Session Key: LEAVE EMPTY Session Key Auto Refresh: CHECKED Session Key Lifetime (secs): 3000 Previous Session Key Lifetime (secs): 3000 HSTS: CHECKED Max Age: 15552000 Include Subdomains: CHECKED Preload: CHECKED Every Decrypted Record: UNCHECKED Every Encrypted Record: UNCHECKED Protocol SSLv3: UNCHECKED TLSv1: UNCHECKED TLSv11: UNCHECKED TLSv12: CHECKED TLSv13: UNCHECKED SSL Interception SSL Sessions Interception: UNCHECKED Verify Server Certificate For Reuse On SSL Interception: CHECKED SSL Interception Client Renegotiation: CHECKED SSL Interception OSCP Check: CHECKED Maximum SSL Session Per Server On SSL Interception: 10 TLS13 Session Ticket Per Authcontext: 1
A new Chiper Group need to be created
Once you have created the SSL profile, you can immediately create a new Cipher Group. We also need this for our SSL settings.
Good to know: A cipher group contains several cipher suites. Cipher suites contain information (protocol, key exchange Kx algorithms, authentication algorithms (Au), encryption algorithms (Enc) and a message code algorithm).
We now create the Cipher Group via the CLI, as this is much faster. You can enter the following part directly on your Citrix ADC on the (Netscaler) CLI.
add ssl cipher APlus_Ciphers bind ssl cipher APlus_Ciphers -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES128-GCM-SHA256 bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES256-GCM-SHA384 bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 bind ssl cipher APlus_Ciphers -cipherName TLS1-ECDHE-ECDSA-AES256-SHA bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305 bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
If we have created our SSL profile and our Cipher Group, we now switch to the contentswitch virtual server or the Citrix Gateway virtual server.
You will find the item “SSL Profile” on the right side under “Advanced Settings”. You choose this one. After the selection the point is visible in the configuration area. There you can select your SSL profile and confirm with “OK”.
We add our newly created Cipher Group and remove the “Default” Cipher Group from the virtual server. When you’re done, it should look like this:
Check whether the goal has been achieved!
Now that we have made all the settings on our virtual server, we want to check whether our settings were successful and we get an A+ rating on the Citrix ADC. Our SSL Rating can be checked on the link above via Qualys SSL Labs.
So your virtual server or the individual websites should be displayed, if you have carried out the settings successfully.
I hope as always that you liked the article and that it will help you. If you have any questions or suggestions, please write me a comment. Also read my other articles about Citrix ADC here.
Otherwise I am happy about a Like on Facebook, Xing or if you follow me on Twitter.The social media buttons are on top and on the bottom of my page. You can also share my article if you like.