Citrix ADC / NetScaler and TLS 1.3

[Image: SSL on Citrix NetScaler ADC]

This is the second part of my article “Which ciphers to use on a Citrix ADC / NetScaler?”; that one covered TLS 1.2 only.

Moving from TLS 1.2 to TLS 1.3 on an existing Citrix ADC (NetScaler) is a big step and needs some investigation.

The problem?

It seems to be easy: Just tick the TLS 1.3 checkbox, that’s it.

It’s not. It won’t work.

The reason is that you need to change the way your Citrix ADC / NetScaler handles TLS. Unlike previous versions, TLS 1.3 requires an SSL profile, and the whole way SSL is configured changes with it. This may degrade the security of existing SSL vServers, so I recommend taking a moment before proceeding!

The impact on existing vServers

We have to change an SSL parameter, and as a result all SSL vServers get reverted to the default SSL profile ns_default_ssl_profile_frontend, which has the DEFAULT cypher group assigned. Their grade in SSL Labs will (currently) drop to B.

So changing the SSL parameter has to be well-planned!

I am quoting Citrix:

NOTE: When the command ‘set ssl parameter -defaultProfile E’ is executed, the Enhanced SSL profile settings will override the existing SSL profile settings bound on the Vserver as well as on the Vservice. Hence, take a backup of the existing configuration before executing the above command, so that the customer can check the ns.conf and manually edit the SSL profile settings of specific Vservers with the required parameters.

Actually that’s not precise. It does not overwrite the existing profiles; it replaces them at the vServers. The profiles still exist and all their settings are preserved, so we can reassign them once they are set up correctly.

Changing SSL Parameters

Binding cypher groups to an SSL profile will fail unless we change the SSL parameter “Default profile” to E (ENABLED):

set ssl parameter -defaultProfile E

I didn’t find this parameter in the GUI. But, to be 100% honest, I didn’t look for it very hard, rather hardly ;-).

As mentioned above, this changes everything about SSL. But from now on we are able to, and must, bind cypher groups to SSL profiles (right now all existing vServers get the rather insecure DEFAULT cypher group through the default profile).

Cyphers to use

I discussed cypher groups in detail in the first part, so I skip that here. I just give the Citrix ADC / NetScaler commands to create a cypher group that currently scores an A+ in SSL Labs.

Keep in mind:
“The best” cypher group doesn’t exist. Security recommendations change constantly, so don’t trust my list!
Keep testing, testing and testing!

add ssl cipher APlus_Ciphers
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 16
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 32
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 48
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 64
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-CHACHA20-POLY1305 -cipherPriority 80
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 96
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 112
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 128

The Citrix ADC / NetScaler SSL Profile

The SSL profile needed is not that different from a TLS 1.2 profile, apart from the cypher group bound to it and the setting that enables TLS 1.3.

[Image: A Citrix NetScaler SSL profile for TLS 1.2 and 1.3]

Next, we have to bind the right cypher group and unbind the DEFAULT cyphers.

[Image: NetScaler: Edit cypher group for TLS 1.3]

That’s it! Go to the SSL Labs SSL test and test your deployment. Don’t forget to also test all other vServers that currently exist on your Citrix ADC (NetScaler)!
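The Citrix note quoted above asks you to back up ns.conf and check each vServer by hand after the parameter change, and the reassignment step is what restores the security of the vServers that fell back to the default profile. As an added example (not part of the original article and not Citrix code), here is a small Python script that does that check on a saved ns.conf: it parses the `set ssl parameter`, `add/bind ssl profile`, `bind ssl cipher` and `set ssl vserver ... -sslProfile` lines, lists every vServer that sits on ns_default_ssl_profile_frontend, still carries the DEFAULT cypher group, has TLS 1.3 off, has TLS 1.3 on but no TLS1.3 suite in its bound group, or still allows TLS 1.0/1.1, and prints the `set ssl vserver` commands needed to move the reverted vServers to a hardened profile. The ns.conf excerpt is constructed, and the profile flags `-tls1/-tls11/-tls13 ENABLED|DISABLED` as well as the modelling of the built-in frontend profile (DEFAULT group bound, TLS 1.3 off) are assumptions taken from the article's description rather than verified against a particular firmware release.

```python
import re
from dataclasses import dataclass, field

BUILTIN_FRONTEND = "ns_default_ssl_profile_frontend"

# Constructed ns.conf excerpt (not from a real appliance): the state after
# `set ssl parameter -defaultProfile ENABLED`, with one hardened and one
# legacy profile created and three vServers in different states.
NS_CONF = """\
set ssl parameter -defaultProfile ENABLED
add ssl cipher APlus_Ciphers
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 32
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 96
add ssl cipher Legacy_Ciphers
bind ssl cipher Legacy_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 1
add ssl profile hardened_fe -sslProfileType FrontEnd -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 ENABLED
bind ssl profile hardened_fe -cipherName APlus_Ciphers -cipherPriority 1
add ssl profile legacy_fe -sslProfileType FrontEnd -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED -tls13 ENABLED
bind ssl profile legacy_fe -cipherName Legacy_Ciphers -cipherPriority 1
set ssl vserver vs_portal -sslProfile hardened_fe
set ssl vserver vs_intranet -sslProfile ns_default_ssl_profile_frontend
set ssl vserver vs_legacy -sslProfile legacy_fe
"""


@dataclass
class SslProfile:
    name: str
    tls1: bool = False
    tls11: bool = False
    tls13: bool = False
    cipher_groups: list = field(default_factory=list)


def parse_ns_conf(text):
    """Pick the SSL-relevant lines out of an ns.conf dump."""
    # Built-in frontend profile: DEFAULT cypher group bound (as the article
    # states) and TLS 1.3 off (assumption); it has no 'add ssl profile' line.
    profiles = {BUILTIN_FRONTEND: SslProfile(BUILTIN_FRONTEND, cipher_groups=["DEFAULT"])}
    groups, vservers, default_profile = {}, {}, False
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        head = " ".join(parts[:3])
        cipher = re.search(r"-cipherName\s+(\S+)", line)
        if head == "set ssl parameter":
            # Accepts the abbreviated form '-defaultProfile E' as well as ENABLED.
            m = re.search(r"-defaultProfile\s+(\w+)", line)
            default_profile = bool(m and m.group(1).upper().startswith("E"))
        elif head == "add ssl profile":
            p = SslProfile(parts[3])
            for attr in ("tls1", "tls11", "tls13"):
                m = re.search(rf"-{attr}\s+(ENABLED|DISABLED)", line)
                setattr(p, attr, bool(m and m.group(1) == "ENABLED"))
            profiles[p.name] = p
        elif head == "bind ssl profile" and cipher:
            profiles.setdefault(parts[3], SslProfile(parts[3])).cipher_groups.append(cipher.group(1))
        elif head == "bind ssl cipher" and cipher:
            groups.setdefault(parts[3], []).append(cipher.group(1))
        elif head == "set ssl vserver":
            m = re.search(r"-sslProfile\s+(\S+)", line)
            if m:
                vservers[parts[3]] = m.group(1)
    return {"default_profile": default_profile, "profiles": profiles,
            "groups": groups, "vservers": vservers}


def audit(conf):
    """Per vServer, list what a post-migration review should catch."""
    findings = {}
    for vs, pname in conf["vservers"].items():
        prof = conf["profiles"].get(pname)
        issues = []
        if prof is None:
            issues.append(f"profile {pname} not defined")
        else:
            if pname == BUILTIN_FRONTEND:
                issues.append("reverted to built-in default profile")
            if "DEFAULT" in prof.cipher_groups:
                issues.append("DEFAULT cypher group bound")
            if not prof.tls13:
                issues.append("TLS 1.3 disabled")
            elif not any(s.startswith("TLS1.3-")
                         for g in prof.cipher_groups for s in conf["groups"].get(g, [])):
                issues.append("TLS 1.3 enabled but no TLS1.3 suite in bound cypher groups")
            if prof.tls1 or prof.tls11:
                issues.append("TLS 1.0/1.1 enabled")
        findings[vs] = issues
    return findings


def reassign_commands(conf, target_profile):
    """CLI lines that move every vServer still on the built-in profile to
    target_profile: the reassignment step after the parameter change."""
    return [f"set ssl vserver {vs} -sslProfile {target_profile}"
            for vs, p in conf["vservers"].items() if p == BUILTIN_FRONTEND]


if __name__ == "__main__":
    conf = parse_ns_conf(NS_CONF)
    print("defaultProfile enabled:", conf["default_profile"])
    for vs, issues in audit(conf).items():
        print(f"{vs}: {'; '.join(issues) or 'OK'}")
    print("\n".join(reassign_commands(conf, "hardened_fe")))
```

Run it against a real backup by replacing NS_CONF with the file contents; the only vServer it proposes to touch is the one that fell back to the built-in profile, while profiles you set up yourself are reported but left for you to fix by hand, which matches the manual review the Citrix note asks for.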

Any suggestion and comment would be highly welcome!
