Citrix ADC / NetScaler and TLS 1.3

SSL on Citrix NetScaler ADCLast change: December 7th 2020. Thanks to Dirk Bautz!

This is the 2nd part to my article “Which ciphers to use on a Citrix ADC /NetScaler?” This one had been about TLS versions up to 1.2 only.

Moving from TLS 1.2 to TLS 1.3 on an existing Citrix ADC ( NetScaler) may be a big step with some obstacles to overcome. It needs some investigation.

The problem?

It seems to be easy: Just tick the TLS 1.3 checkbox, that’s it.

It’s not. It won’t work. All connections will still be TLS 1.2, or, even worse, connections may even fail. My college Dirk Bautz didn’t agree, he was able to just enable TLS 1.3 successfully, but I was not. We had a debate about it. He proved, he was right (but I’m not an idiot, so there must have been something!)

The reason is: If you use SSL profiles, Citrix ADC / NetScaler will not allow TLS 1.3. However, I want to use SSL profiles, as they allow way more stream-lined SSL handling. At the same time, I wanted to be able to use TLS 1.3 as well. Following CTX259045, we have to change the way, SSL/TLS is handled by Citrix ADC / NetScaler. This may lead to temporarily degraded security of existing SSL vServers! So I recommend taking a moment before proceeding!


The impact on existing vServers

We have to change an SSL parameter and because of this, all SSL vServers get reverted to the default SSL profile ns_default_ssl_profile_frontend. It will get the DEFAULT cypher group assigned. Grade in SSL Labs will (currently) temporarely get cut to B.

So changing the SSL parameter has to be well-planned!

I am quoting Citrix:

NOTE: When the command ‘setssl parameter -defaultProfile E‘ is executed, the Enhanced SSL profile settings will override the existing SSL profile settings bound on the Vserver as well as on the Vservice. Hence, take a backup of existing configuration before executing the above command. So that, customer can check the ns.conf and manually edit the SSL profile settings of specific Vserver with required parameters.

Actually, that’s not precise. It does not overwrite but replaces existing profiles with the default profile. The original profiles still exist and all their settings got preserved. So we can reassign these profiles after setting them correctly.

Attention!
Enabling default profiles is a one-way procedure. There is no way back! The only way to undo this change is a reboot (before saving the configuration)


Changing SSL Parameters

Binding Cypher groups to an SSL profile will fail, unless we change the SSL parameter “Default profile” to E

set ssl parameter -defaultProfile E

Like mentioned above, this will change everything about SSL. It’s non-reversible. But from now on, we are able to bind cypher groups to SSL profiles (just now, this rather insecure DEFAULT profile is bound to all existing SSL-profiles).


Cyphers to use

I discussed cypher groups precisely, so I skip this here. I just give a Citrix ADC / NetScaler command to create a cyphers group currently scoring an A+ in SSL labs.

Keep in Mind:
“The best” Cypher groups don’t exist. Security recommendations are constantly changing. So don’t trust my list! It had been a good list in December 2020, it may be a horrible one right now!
Keep testing and testing and testing!

 

add ssl cipher APlus_Ciphers
#in case you don't use WorkSpace App. It does not support ChaCha cyphers:
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 16
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 32
bind ssl cipher APlus_Ciphers -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 48
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 64
#in case you don't use WorkSpace App. It does not support ChaCha cyphers:
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-CHACHA20-POLY1305 -cipherPriority 80
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 96
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 112
bind ssl cipher APlus_Ciphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 128


The Citrix ADC / NetScaler SSL Profile

The SSL profile needed is not that different from a TLS 1.2 profile, except the cypher group bound to it and the setting enabling TLS 1.3.

A Citrix NetScaler SSL profile for TLS 1.2 and 1.3Next, we have to bind the right cypher group and un-bind DEFAULT cyphers.


NetScaler: Edid cypher group for TLS 1.3

That’s it! Go to SSL labs SSL test and test your deployment. Don’t forget to also test all other vServers that are currently existing on your Citrix ADC (NetScaler)!


Any suggestion and comment would be highly welcome!

Leave a Reply

Your email address will not be published. Required fields are marked *