Enabling ECDHE ciphers in NetScaler 10.5

last update: February 7th 2017

Similar but newer posts: Changing my Citrix NetScaler VPX based website from http to https and scoring an A+ in SSL labs test and Making a NetScaler Gateway on NetScaler 11 a bit more secure

ECDHE Ciphers, this means, Elliptic curve Diffie–Hellman type of cyphers, add additional security to a NetScaler. If we want to use this kind of cyphers we need to create a DH key and enable curves.

Creating the key (optional, not needed if you want to go with ECDHE cyphers)

I thought this is a mandatory step, however it’s not. We don’t need to create and bind a DH key. Stefan Wendrich corrected me about that.

The first thing to do is creating the key. This can be done from trafic management -> SSL

EDH-Key1

creating an ECDH-Key

give your key a name. DH paraeter size may be 512, 1024 or 2048. The smaller the key size, the less burden for your NetScaler, the larger it is the more secure. I tend to go with 2048. I have no preference for DH generator parameters. It takes some wile to create this key!

Enabling DH with a vServer

Diffie Hellmanhas to be enabled on a vServer.

ECDH-Parameters

Most important: Select Protocols. If you don’t need to support legacy OS like Internetexplorer on Windows ‘9x you should disable SSL V3. Most modern OS support TLS 1.2, however some don’t, so you may want to leave TLS v1 and 1.1 enabled, enable the most current one, TLS 1.2!

Enable DH. You may set up a refresh count, 0 means no refresh. Refreshing means recreating a DH key pair. Refresh is a burden for your NetScaler (especially for a VPX!), so don’t set this parameter too small; leave it to 0 if you’re concerned about CPU waste and give a sh** on security!

Select your DH key created before by browsing for it. They should be located in /nsconfig/ssl.

Enable DH Key Expire Size Limit. This will set the private key size to a proper value

Enabling curves

ECDH-curves
There is a set of 4 curves available with ECDH:

  • P_256
  • P_384
  • P_224 (not supported with TLS 1.2 on MPX)
  • P_521 (not supported with TLS 1.2 on MPX)

None of them is enabled (this depends on NetScaler version). Click the + sign at the right side and enable curves. I usually enable all curves.

Selecting SSL cyphers for a vServer

Last not east you’ll have to select cyphers. The cyphers I selected are:

  • TLS1-ECDHE-RSA-AES256-SHA
  • TLS1.2-ECDHE-RSA-AES-256-SHA384
  • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 No more considered to be secure see CTX220329
  • TLS1-AES-256-CBC-SHA

TLS1-AES-256-CBC-SHA is for backward compatibility only: it will be used if some client does not support ECDHE. This cypher suite does not support forward secrecy.

6 thoughts on “Enabling ECDHE ciphers in NetScaler 10.5

  1. Pingback: Making a NetScaler Gateway on NetScaler 11 a bit more secure | JustAnotherCitrixBlog

  2. Pingback: Changing my Citrix NetScaler VPX based website from http to https and scoring an A+ in SSL labs test – JustAnotherCitrixBlog

Leave a Reply

Your email address will not be published. Required fields are marked *