My last blog post about securing NetScaler VPX was about NetScaler 10.5.57, which was the first firmware with TLS 1.1 and TLS 1.2 support. After the update and activating TLS 1.1/TLS 1.2 (and disabling SSLv3, of course) the rating at https://www.ssllabs.com/ssltest/ is an "A", which is pretty good, but also leaves us room for more optimization.
Custom Ciphers
The first thing we should optimize is the set of ciphers in use. My suggestion here is to start with a new custom cipher group.
add ssl cipher SECURE-Ciphers
Add the secure and supported ciphers on a VPX (this list may differ if you are working on a hardware appliance; the important point is to make sure the RC4 ciphers are not included):
bind ssl cipher SECURE-Ciphers -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 1
bind ssl cipher SECURE-Ciphers -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 2
bind ssl cipher SECURE-Ciphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 3
bind ssl cipher SECURE-Ciphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 4
bind ssl cipher SECURE-Ciphers -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 5
bind ssl cipher SECURE-Ciphers -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 6
bind ssl cipher SECURE-Ciphers -cipherName SSL3-DES-CBC3-SHA -cipherPriority 7
Bind the group to your SSL vServer:
bind ssl vserver myNetscalerGateway -cipherName SECURE-Ciphers
eccCurves
To support the ECDHE ciphers you also need to bind the eccCurves with the following command:
bind ssl vs myNetscalerGateway -eccCurveName ALL
HTTP Strict Transport Security (HSTS)
Another thing SSL Labs checks for is HTTP Strict Transport Security (HSTS), which is supported by default in the latest browsers. You can insert the header with a simple rewrite rule applied to the response (!) headers of your web server:
add rewrite action rew_act_strict_transport insert_http_header Strict-Transport-Security "\"max-age=15768000\""
add rewrite policy Pol_Rew_strict_transport_sec true rew_act_strict_transport
bind cs vserver CS_vServername -policyname Pol_Rew_strict_transport_sec -priority 100 -gotoPriorityExpression END -type RESPONSE
DH-Key
Of course all the "default" settings are still valid. So to get a really secure vServer you still need to create a DH key for your appliance and bind it to your vServer:
create ssl dhparam Key-DH-1 2048 -gen 5
set ssl vserver CS_vServername -dh ENABLED -dhFile "/nsconfig/ssl/Key-DH-1"
Secure Renegotiation
You should also implement the workaround for the renegotiation vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols by denying client-initiated renegotiation:
set ssl parameter -denySSLReneg Frontend_Client
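As an added example (not part of the original post and not a Citrix tool), the following Python script lints an ns.conf-style export for the settings described above: the cipher group bound to the SSL vServer contains no RC4/NULL/export/MD5 suites and puts an ECDHE suite at the highest priority, eccCurves are bound whenever ECDHE suites are offered, a Strict-Transport-Security header is inserted on responses with a sufficiently long max-age, a DH key of at least 2048 bits is created and enabled on the vServer, and denySSLReneg is not left at NO. The two sample configurations, the one-command-per-line layout and the thresholds are constructed assumptions; the script never talks to an appliance, so it complements rather than replaces the SSL Labs test.

```python
import re

# Thresholds used by this linter (assumptions chosen to match the post's commands).
MIN_DH_BITS = 2048
MIN_HSTS_MAX_AGE = 15768000   # the max-age the post inserts (about six months)
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXP", "MD5")

# Constructed sample: the post's commands as they would appear in ns.conf,
# one command per line (assumption).
HARDENED_CONFIG = r"""
add ssl cipher SECURE-Ciphers
bind ssl cipher SECURE-Ciphers -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 1
bind ssl cipher SECURE-Ciphers -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 2
bind ssl cipher SECURE-Ciphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 3
bind ssl cipher SECURE-Ciphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 4
bind ssl cipher SECURE-Ciphers -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 5
bind ssl cipher SECURE-Ciphers -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 6
bind ssl cipher SECURE-Ciphers -cipherName SSL3-DES-CBC3-SHA -cipherPriority 7
bind ssl vserver myNetscalerGateway -cipherName SECURE-Ciphers
bind ssl vs myNetscalerGateway -eccCurveName ALL
add rewrite action rew_act_strict_transport insert_http_header Strict-Transport-Security "\"max-age=15768000\""
add rewrite policy Pol_Rew_strict_transport_sec true rew_act_strict_transport
bind cs vserver CS_vServername -policyname Pol_Rew_strict_transport_sec -priority 100 -gotoPriorityExpression END -type RESPONSE
create ssl dhparam Key-DH-1 2048 -gen 5
set ssl vserver CS_vServername -dh ENABLED -dhFile "/nsconfig/ssl/Key-DH-1"
set ssl parameter -denySSLReneg Frontend_Client
"""

# Constructed counter-example: an RC4-only group, a 1024-bit DH key, no HSTS
# and renegotiation left open, to show what the linter reports.
WEAK_CONFIG = """
add ssl cipher Weak-Ciphers
bind ssl cipher Weak-Ciphers -cipherName SSL3-RC4-MD5 -cipherPriority 1
bind ssl vserver myNetscalerGateway -cipherName Weak-Ciphers
create ssl dhparam Key-DH-weak 1024 -gen 2
set ssl parameter -denySSLReneg NO
"""


def option(parts, name):
    """Return the value that follows CLI option `name`, or None if absent."""
    if name in parts and parts.index(name) + 1 < len(parts):
        return parts[parts.index(name) + 1]
    return None


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    groups, bound_groups = {}, set()          # cipher group -> [(priority, name)]
    ecc_bound = dh_enabled = hsts_bound = False
    hsts_max_age = dh_bits = reneg = None
    hsts_actions, hsts_policies = set(), set()

    for line in config.splitlines():
        p = line.split()
        if len(p) < 4:
            continue
        head = " ".join(p[:3])
        if head == "bind ssl cipher":
            prio = int(option(p, "-cipherPriority") or 0)
            groups.setdefault(p[3], []).append((prio, option(p, "-cipherName")))
        elif head in ("bind ssl vserver", "bind ssl vs"):
            if option(p, "-cipherName"):
                bound_groups.add(option(p, "-cipherName"))
            if option(p, "-eccCurveName"):
                ecc_bound = True
        elif head == "add rewrite action" and "Strict-Transport-Security" in p:
            hsts_actions.add(p[3])
            m = re.search(r"max-age=(\d+)", line)
            hsts_max_age = int(m.group(1)) if m else 0
        elif head == "add rewrite policy" and len(p) > 5 and p[5] in hsts_actions:
            hsts_policies.add(p[3])
        elif head == "bind cs vserver":
            if option(p, "-policyname") in hsts_policies and option(p, "-type") == "RESPONSE":
                hsts_bound = True
        elif head == "create ssl dhparam" and len(p) > 4:
            dh_bits = int(p[4])
        elif head == "set ssl vserver":
            dh_enabled = option(p, "-dh") == "ENABLED" and option(p, "-dhFile") is not None
        elif head == "set ssl parameter":
            reneg = option(p, "-denySSLReneg")

    findings = []
    if not bound_groups:
        findings.append("no custom cipher group is bound to an SSL vserver")
    for group in sorted(bound_groups):
        ciphers = [name for _, name in sorted(groups.get(group, []))]  # priority order
        for name in ciphers:
            if any(marker in name for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"cipher group {group} contains weak cipher {name}")
        if not ciphers or "ECDHE" not in ciphers[0]:
            findings.append(f"cipher group {group} does not prefer an ECDHE (forward-secret) suite")
        if any("ECDHE" in c for c in ciphers) and not ecc_bound:
            findings.append(f"cipher group {group} offers ECDHE but no eccCurves are bound")
    if hsts_max_age is None:
        findings.append("no rewrite action inserts a Strict-Transport-Security header")
    elif hsts_max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {hsts_max_age} is below {MIN_HSTS_MAX_AGE}")
    elif not hsts_bound:
        findings.append("HSTS rewrite policy is not bound with -type RESPONSE")
    if dh_bits is None or dh_bits < MIN_DH_BITS:
        findings.append(f"DH parameters are missing or shorter than {MIN_DH_BITS} bits")
    if not dh_enabled:
        findings.append("no SSL vserver has -dh ENABLED with a -dhFile")
    if reneg is None or reneg.upper() == "NO":
        findings.append("set ssl parameter -denySSLReneg is not restricting renegotiation")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, "->", audit(cfg) or "OK")
```

Running the script prints an empty finding list for the hardened sample and six findings for the weak one. To use it on a real export, read the output of `show ns runningConfig` (or a saved ns.conf) into a string and pass it to audit(); the vServer names in the post differ between the cipher and the DH commands, and the linter deliberately does not correlate names, so check that both refer to the vServer you actually expose.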
That's it. With these optimizations you should be able to get the preferred rating of "A+". But it is strongly recommended to test your environment after these changes.
Marco Klose works as a Technical Consultant, Architect and CTO focused on Application & Desktop virtualization as well as application delivery with the Citrix product portfolio. He is specialized in Citrix virtualization, Citrix networking and Microsoft products. He has more than 10 years of experience, holds the latest Citrix certifications and is a member of the Citrix Partner Expert Council EMEA (PTEC). Since 2021 he is also a Citrix Technology Advocate (CTA).