Ciphers available on the Citrix ADC appliances

Your Citrix ADC appliance ships with a predefined set of cipher groups. To use ciphers that are not part of the DEFAULT cipher group, you must explicitly bind them to an SSL virtual server. You can also create a user-defined cipher group and bind that to the SSL virtual server. For more information about creating a user-defined cipher group, see Configure user-defined cipher groups on the ADC appliance.

Note:

The RC4 cipher is not included in the default cipher group on the Citrix ADC appliance. However, it is supported in software on the N3-based appliances: RC4 encryption, including the handshake, is done in software rather than offloaded to the SSL chip.

Citrix recommends that you do not use this cipher: it is considered insecure, and RFC 7465 prohibits its use in TLS.

Use the ‘show hardware’ command to identify whether your appliance has N3 chips. In the following sample output, the "N3" token in the Platform line shows that this appliance has N3 chips.

sh hardware
        Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100
        Manufactured on: 8/19/2013
        CPU: 2900MHZ
        Host Id: 1006665862
        Serial no: ENUK6298FT
        Encoded serial no: ENUK6298FT
To inspect the cipher groups and the cipher suites they contain, use the following commands:

  • To display information about the cipher suites bound by default at the front end (to a virtual server), type: sh cipher DEFAULT
  • To display information about the cipher suites bound by default at the back end (to a service), type: sh cipher DEFAULT_BACKEND
  • To display information about all the cipher groups (aliases) defined on the appliance, type: sh cipher
  • To display information about all the cipher suites that are part of a specific cipher group, type: sh cipher <alias name>. For example: sh cipher ECDHE
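The listing that `sh cipher <alias name>` prints is what a reviewer works from when deciding whether a cipher group is safe to bind. The following script is an added example, not Citrix code or output: it parses such a listing and flags suites that use RC4, an MD5 MAC, DES/3DES, export-grade keys, or a key exchange without forward secrecy. The `SAMPLE` text is constructed to approximate the CLI layout (the "Cipher Name:" / "Description:" lines with Kx, Au, Enc, Mac and HexCode fields); the parser keys only on those labels, so minor layout differences between releases do not matter. The `audit` policy (which properties to reject) is this example's own choice, not a Citrix setting.

```python
"""Audit a Citrix ADC cipher-group listing for suites a security review would reject.

Added example; not Citrix code. It parses the text that `sh cipher <group>` prints
and flags suites that use RC4, MD5, DES/3DES, export-grade keys, or a key exchange
without forward secrecy. SAMPLE is a constructed listing whose layout approximates
the CLI output; the parser relies only on the "Cipher Name:" and "Description:"
labels, so small layout differences between releases do not matter.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on `sh cipher <group>` output (not captured from a real appliance).
SAMPLE = """\
1)      Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
        Description: TLSv1.2 Kx=ECC-DHE Au=RSA  Enc=AES-GCM(256) Mac=AEAD   HexCode=0xc030
2)      Cipher Name: TLS1-AES-256-CBC-SHA
        Description: TLSv1 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0x0035
3)      Cipher Name: SSL3-RC4-MD5
        Description: SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5   HexCode=0x0004
4)      Cipher Name: SSL3-DES-CBC3-SHA
        Description: SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1   HexCode=0x000a
"""

NAME_RE = re.compile(r"Cipher Name:\s*(\S+)")
DESC_RE = re.compile(r"Description:\s*(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class CipherSuite:
    name: str
    protocol: str = ""   # version named in the Description, e.g. "SSLv3"
    kx: str = ""         # key exchange, e.g. "RSA" or "ECC-DHE"
    au: str = ""         # authentication algorithm
    enc: str = ""        # bulk cipher, e.g. "RC4(128)"
    mac: str = ""        # MAC, e.g. "MD5", "SHA1" or "AEAD"
    hexcode: str = ""    # IANA code point as printed by the CLI


def parse_cipher_listing(text: str) -> list[CipherSuite]:
    """Turn the CLI listing into CipherSuite records, one per 'Cipher Name:' line."""
    suites: list[CipherSuite] = []
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            suites.append(CipherSuite(name=m.group(1)))
            continue
        m = DESC_RE.search(line)
        if m and suites:
            tokens = m.group(1).split()
            fields = dict(KV_RE.findall(m.group(1)))
            cur = suites[-1]
            cur.protocol = tokens[0] if tokens else ""
            cur.kx = fields.get("Kx", "")
            cur.au = fields.get("Au", "")
            cur.enc = fields.get("Enc", "")
            cur.mac = fields.get("Mac", "")
            cur.hexcode = fields.get("HexCode", "")
    return suites


def audit(suites: list[CipherSuite]) -> dict[str, list[str]]:
    """Map each problematic suite name to the reasons it should not be bound."""
    findings: dict[str, list[str]] = {}
    for s in suites:
        reasons = []
        if s.enc.upper().startswith("RC4"):
            reasons.append("RC4 stream cipher (prohibited for TLS by RFC 7465)")
        if s.mac.upper() == "MD5":
            reasons.append("MD5 MAC")
        if re.match(r"3?DES\b", s.enc.upper()):      # matches "DES(56)" and "3DES(168)"
            reasons.append("64-bit block cipher (DES/3DES)")
        if "EXP" in s.name.upper():
            reasons.append("export-grade key size")
        if s.kx.upper() == "RSA":
            reasons.append("static RSA key exchange (no forward secrecy)")
        if reasons:
            findings[s.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(parse_cipher_listing(SAMPLE)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

To use it against a real appliance, save the output of `sh cipher DEFAULT` (or of your user-defined group) to a file and pass its contents to `parse_cipher_listing`. Protocol versions are enabled on the virtual server separately from the cipher binding, so the audit records the Description's version field but does not treat it as a finding.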

The following tables list the cipher suites supported on the different Citrix ADC platforms and on external hardware security modules (HSMs). An empty cell means no supported build is listed for that platform and release:

Note:

For DTLS cipher support, see DTLS cipher support on Citrix ADC VPX, MPX, and SDX appliances.

Table 1 - Support on virtual server/frontend service/internal service:

| Protocol | MPX/SDX (N2) | MPX/SDX (N3) | VPX | MPX 9700* FIPS with firmware 2.2 | MPX/SDX 14000** FIPS | MPX 5900/8900, MPX 15000-50G, MPX 26000-100G |
|---|---|---|---|---|---|---|
| TLS 1.1/1.2 | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds |
| | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G |
| | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G |
| | 11.0 all builds | 11.0 all builds | 11.0 all builds | 11.0 all builds | 11.0 all builds | 11.0-70.x (only on MPX 5900/8900) |
| | 10.5 all builds | 10.5 all builds | 10.5-57.x | 10.5-58.1108.e | 10.5-59.1359.e | 10.5-67.x, 10.5-63.47 (only on MPX 5900/8900) |
| ECDHE/DHE (example: TLS1-ECDHE-RSA-AES128-SHA) | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds |
| | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G |
| | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1-51.x | 11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G |
| | 11.0 all builds | 11.0 all builds | 11.0 all builds | | | 11.0-70.114 (only on MPX 5900/8900) |
| | 10.5-53.x | 10.5-53.x | 10.5 all builds | 10.5-59.1306.e | | 10.5-67.x, 10.5-63.47 (only on MPX 5900/8900) |
| AES-GCM (example: TLS1.2-AES128-GCM-SHA256) | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds |
| | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G |
| | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1-51.x (see note) | 11.1-51.x (see note) | 11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G |
| | 11.0 all builds | 11.0 all builds | 11.0-66.x | | | 11.0-70.114 (only on MPX 5900/8900) |
| | 10.5-53.x | 10.5-53.x | | | | 10.5-67.x, 10.5-63.47 (only on MPX 5900/8900) |
| SHA-2 ciphers (example: TLS1.2-AES-128-SHA256) | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds |
| | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G |
| | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1-52.x | 11.1-52.x | 11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G |
| | 11.0 all builds | 11.0 all builds | 11.0-66.x | | | 11.0-72.x, 11.0-70.114 (only on MPX 5900/8900) |
| | 10.5-53.x | 10.5-53.x | | | | 10.5-67.x, 10.5-63.47 (only on MPX 5900/8900) |
| ECDSA (example: TLS1-ECDHE-ECDSA-AES256-SHA) | Not supported | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds |
| | Not supported | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | Not supported | 12.0 all builds | 12.0-57.x | Not applicable | Not supported | 12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G |
| | | 11.1 all builds | | | | 11.1-56.x, 11.1-54.126 (only ECC curves P_256 and P_384 are supported) |
| CHACHA20 | Not supported | 13.0 all builds | 13.0 all builds | Not supported | Not supported | 13.0 all builds |
| | Not supported | Not supported | 12.1 all builds | Not supported | Not supported | 12.1-49.x (only on MPX 5900/8900) |
| | Not supported | Not supported | 12.0-56.x | Not supported | Not supported | Not supported |

Table 2 - Support on backend services:

| Protocol | MPX/SDX (N2) | MPX/SDX (N3) | VPX | MPX 9700* FIPS with firmware 2.2 | MPX/SDX 14000** FIPS | MPX 5900/8900, MPX 15000-50G, MPX 26000-100G |
|---|---|---|---|---|---|---|
| TLS 1.1/1.2 | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds |
| | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G |
| | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G |
| | 11.0-50.x | 11.0-50.x | 11.0-66.x | 11.0 all builds | | 11.0-70.119 (only on MPX 5900/8900) |
| | 10.5-59.x | 10.5-59.x | | 10.5-58.1108.e | 10.5-59.1359.e | 10.5-67.x, 10.5-63.47 (only on MPX 5900/8900) |
| ECDHE/DHE (example: TLS1-ECDHE-RSA-AES128-SHA) | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds |
| | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | 12.0 all builds | 12.0 all builds | 12.0-56.x | 12.0 all builds | 12.0 all builds | 12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G |
| | 11.1 all builds | 11.1 all builds | | 11.1 all builds | 11.1-51.x | 11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G |
| | 11.0-50.x | 11.0-50.x | | | | 11.0-70.119 (only on MPX 5900/8900) |
| | 10.5-58.x | 10.5-58.x | | 10.5-59.1306.e | | 10.5-67.x, 10.5-63.47 (only on MPX 5900/8900) |
| AES-GCM (example: TLS1.2-AES128-GCM-SHA256) | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds |
| | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | 12.0 all builds | 12.0 all builds | Not supported | 12.0 all builds | 12.0 all builds | 12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G |
| | 11.1 all builds | 11.1 all builds | | 11.1-51.x | 11.1-51.x | 11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G |
| SHA-2 ciphers (example: TLS1.2-AES-128-SHA256) | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds |
| | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | 12.0 all builds | 12.0 all builds | Not supported | 12.0 all builds | 12.0 all builds | 12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G |
| | 11.1 all builds | 11.1 all builds | | 11.1-52.x | 11.1-52.x | 11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G |
| ECDSA (example: TLS1-ECDHE-ECDSA-AES256-SHA) | Not supported | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds | 13.0 all builds |
| | Not supported | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | Not supported | 12.0 all builds | 12.0-57.x | Not applicable | Not supported | 12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G |
| | | 11.1-51.x | | Not applicable | | 11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G (only ECC curves P_256 and P_384 are supported) |
| CHACHA20 | Not supported | 13.0 all builds | 13.0 all builds | Not supported | Not supported | 13.0 all builds |
| | Not supported | Not supported | 12.1 all builds | Not supported | Not supported | 12.1-49.x for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G |
| | Not supported | Not supported | 12.0-56.x | Not supported | Not supported | Not supported |

For the detailed list of ECDSA ciphers supported, see ECDSA Cipher Suites support.

Note:

  • The TLS_FALLBACK_SCSV signaling cipher suite value (RFC 7507, which lets a server detect a client that has fallen back to a lower protocol version) is supported on all appliances from release 10.5 build 57.x.
  • HTTP Strict Transport Security (HSTS) support is policy-based.
  • All SHA-2 signed certificates (SHA256, SHA384, SHA512) are supported on the front end of all appliances. In release 11.1 build 54.x and later, these certificates are also supported on the back end of all appliances. In release 11.0 and earlier, only SHA256 signed certificates are supported on the back end of all appliances.
  • In release 11.1 build 52.x and earlier, the following ciphers are supported only on the front end of the MPX 9700 and MPX/SDX 14000 FIPS appliances:
    • TLS1.2-ECDHE-RSA-AES-256-SHA384
    • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    From release 11.1 build 53.x, and in release 12.0, these ciphers are also supported on the back end.
  • All ChaCha20-Poly1305 ciphers use a TLS pseudorandom function (PRF) based on the SHA-256 hash function.
