This is the second part of my article “Which ciphers to use on a Citrix ADC / NetScaler?”. That one covered TLS 1.2 only.
Moving from TLS 1.2 to TLS 1.3 on an existing Citrix ADC (NetScaler) is a bigger step than it looks and needs some investigation.
It seems to be easy: Just tick the TLS 1.3 checkbox, that’s it.
It’s not. It won’t work.
The reason is: you need to change the way your Citrix ADC / NetScaler deals with TLS. TLS 1.3 is only available through the enhanced SSL profile infrastructure, so unlike previous versions it needs an SSL profile, and switching to profiles changes how SSL is handled on every SSL vServer of the appliance. This may lead to degraded security of existing SSL vServers! So I recommend taking a moment before proceeding.
The impact on existing vServers
We have to change an SSL parameter, and because of this all SSL vServers get reverted to the default SSL profile ns_default_ssl_profile_frontend (services get ns_default_ssl_profile_backend). That profile has the DEFAULT cipher group assigned, so the grade in SSL Labs will (currently) get cut to B.
So changing the SSL parameter has to be well planned!
I am quoting Citrix:
Actually, that’s not precise. It does not overwrite existing profiles; it replaces them at the vServers. The profiles themselves still exist and all their settings are preserved, so we can reassign them after setting them up correctly.
Changing SSL Parameters
Binding cipher groups to an SSL profile will fail unless we change the SSL parameter “Default profile” to ENABLED:
set ssl parameter -defaultProfile ENABLED
I didn’t find this parameter in the GUI. But, to be 100% honest, I didn’t look for it very hard, hardly at all ;-).
As mentioned above, this changes everything about SSL. From now on we are able to, and must, bind cipher groups to SSL profiles instead of vServers (right now, the rather insecure default profile with its DEFAULT cipher group is bound to all existing SSL vServers).
Ciphers to use
The cipher group I use (a lower -cipherPriority value means the cipher is preferred first):
add ssl cipher APlus_Ciphers
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 16
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 32
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 48
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 64
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-CHACHA20-POLY1305 -cipherPriority 80
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 96
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 112
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 128
The Citrix ADC / NetScaler SSL Profile
The SSL profile needed is not that different from a TLS 1.2 profile, except for the cipher group bound to it and the setting enabling TLS 1.3. Two things are easy to forget: the DHE ciphers in the group are only negotiated if DH parameters are enabled on the profile (-dh ENABLED with a DH file), and the ECDHE ciphers need ECC curves bound to the profile. And for an A+ in SSL Labs the profile also has to send HSTS with a long max-age.
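The complete sequence, from the SSL parameter to the rebound vServer, as an added example of my own and not copied from Citrix documentation. The profile name APlus_Frontend, the vServer name vs_web_example and the DH file path are assumptions for illustration; the cipher group is the APlus_Ciphers group from above. Lines starting with # are comments for the reader.

```nscli
# 1. Switch to the enhanced SSL profile infrastructure. From here on every SSL vServer
#    is bound to ns_default_ssl_profile_frontend until we assign our own profile.
set ssl parameter -defaultProfile ENABLED

# 2. Cipher group (same group as above; lower priority value = preferred first)
add ssl cipher APlus_Ciphers
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 16
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 32
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 48
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 64
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-CHACHA20-POLY1305 -cipherPriority 80
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 96
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 112
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 128

# 3. DH parameters, needed for the TLS1.2-DHE-* ciphers (path is an assumption)
create ssl dhParam /nsconfig/ssl/dhparam2048.pem 2048

# 4. Front-end profile: TLS 1.2 and 1.3 only, no insecure renegotiation,
#    no 0-RTT early data (replayable), HSTS for the A+ grade, DH enabled for DHE
add ssl profile APlus_Frontend -sslProfileType FrontEnd -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 ENABLED -denySSLReneg NONSECURE -zeroRttEarlyData DISABLED -HSTS ENABLED -maxage 31536000 -IncludeSubdomains YES -dh ENABLED -dhFile /nsconfig/ssl/dhparam2048.pem

# 5. Replace the DEFAULT cipher group on the profile with ours, bind ECC curves for ECDHE
unbind ssl profile APlus_Frontend -cipherName DEFAULT
bind ssl profile APlus_Frontend -cipherName APlus_Ciphers -cipherPriority 1
bind ssl profile APlus_Frontend -eccCurveName P_256
bind ssl profile APlus_Frontend -eccCurveName P_384

# 6. Assign the profile to every SSL vServer that was reverted to the default profile
set ssl vserver vs_web_example -sslProfile APlus_Frontend

# 7. Verify: the profile should list TLS13: ENABLED and only APlus_Ciphers bound,
#    and the vServer should show APlus_Frontend as its SSL profile
show ssl parameter
show ssl profile APlus_Frontend
show ssl vserver vs_web_example
save ns config
```

Repeat step 6 for each SSL vServer; anything you skip keeps ns_default_ssl_profile_frontend and its DEFAULT cipher group.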
That’s it! Go to the SSL Labs SSL test and test your deployment. Don’t forget to also test all other vServers currently existing on your Citrix ADC (NetScaler): they all got the default profile as well!
Any suggestion and comment would be highly welcome!