Citrix ADC

Ciphers available on the Citrix ADC appliances

September 21, 2020

Contributed by:

Your Citrix ADC appliance ships with a predefined set of cipher groups. To use ciphers that are not part of the DEFAULT cipher group, you have to explicitly bind them to an SSL virtual server. You can also create a user-defined cipher group to bind to the SSL virtual server. For more information about creating a user-defined cipher group, see Configure user-defined cipher groups on the ADC appliance.

Notes:

RC4 cipher is not included in the default cipher group on the Citrix ADC appliance. However, it is supported in the software on the N3-based appliances. RC4 encryption, including the handshake, is done in software.

Citrix recommends that you do not use this cipher because it is considered insecure and deprecated by RFC 7465.

Use the ‘show hardware’ command to identify whether your appliance has N3 chips.

sh hardware

Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100

Manufactured on: 8/19/2013

CPU: 2900MHZ

Host Id: 1006665862

Serial no: ENUK6298FT

Encoded serial no: ENUK6298FT

To display information about the cipher suites bound by default at the front end (to a virtual server), type: sh cipher DEFAULT
To display information about the cipher suites bound by default at the back end (to a service), type: sh cipher DEFAULT_BACKEND
To display information about all the cipher groups (aliases) defined on the appliance, type: sh cipher
To display information about all the cipher suites that are part of a specific cipher group, type: sh cipher <alias name>. For example, sh cipher ECDHE.

The following links list the cipher suites supported on different Citrix ADC platforms and on external hardware security modules (HSMs):

Citrix ADC MPX/SDX (N3) appliance: Cipher support on a Citrix ADC MPX/SDX (N3) appliance
Citrix ADC MPX/SDX Intel Coleto appliance: Cipher support on a Citrix ADC MPX/SDX Intel Coleto SSL chip based appliance
Citrix ADC VPX appliance: Cipher support on a Citrix ADC VPX appliance
Citrix ADC MPX/SDX 14000 FIPS appliance: Cipher support on a Citrix ADC MPX/SDX 14000 FIPS appliance
External HSM (Thales/Safenet): Cipher supported on an External HSM (Thales/Safenet)
Citrix ADC MPX/SDX (N2) appliance: Cipher support on a Citrix ADC MPX/SDX (N2) appliance
Citrix ADC MPX 9700 FIPS appliance: Cipher support on a Citrix ADC MPX 9700 FIPS with firmware 2.2
Citrix ADC VPX FIPS and MPX FIPS certified appliances: Cipher support on Citrix ADC VPX FIPS and MPX FIPS certified appliances

Note:

For DTLS cipher support, see DTLS cipher support on Citrix ADC VPX, MPX, and SDX appliances.

Table1 - Support on virtual server/frontend service/internal service:

Crypto operations on TLS 1.3 are not offloaded to crypto acceleration chips. All computation for TLS 1.3 handshakes is done in software on all supported platforms, even if Coleto or Cavium acceleration chips are present.

Protocol/Platform	MPX/SDX (N2)	MPX/SDX (N3)	VPX	MPX 9700* FIPS with firmware 2.2	MPX/SDX 14000** FIPS	MPX 5900/8900 MPX 15000-50G MPX 26000-100G
TLS 1.3	13.0 all builds	13.0 all builds	13.0 all builds	Not supported	Not supported	13.0 all builds
	12.1-50.x	12.1-50.x	12.1-50.x	Not supported	Not supported	12.1-50.x
TLS 1.1/1.2	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds
	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G
	11.1 all builds	11.1 all builds	11.1 all builds	11.1 all builds	11.1 all builds	11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G
	11.0 all builds	11.0 all builds	11.0 all builds	11.0 all builds	11.0 all builds	11.0-70.x (only on MPX 5900/8900)
	10.5 all builds	10.5 all builds	10.5-57.x	10.5 58.1108.e	10.5-59.1359.e	10.5-67.x, 10.5-63.47 (only on MPX 5900/8900)
ECDHE/DHE (Example TLS1-ECDHE-RSA-AES128-SHA)	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds
	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G
	11.1 all builds	11.1 all builds	11.1 all builds	11.1 all builds	11.1-51.x	11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G
	11.0 all builds	11.0 all builds	11.0 all builds			11.0-70.114 (only on MPX 5900/8900)
	10.5-53.x	10.5-53.x	10.5 all builds	10.5-59.1306.e		10.5-67.x, 10.5-63.47 (only on MPX 5900/8900)
AES-GCM (Example TLS1.2-AES128-GCM-SHA256)	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds
	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G
	11.1 all builds	11.1 all builds	11.1 all builds	11.1-51.x (See note)	11.1-51.x (See note)	11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G
	11.0 all builds	11.0 all builds	11.0-66.x			11.0-70.114 (only on MPX 5900/8900)
	10.5-53.x	10.5-53.x				10.5-67.x, 10.5-63.47 (only on MPX 5900/8900)
SHA-2 Ciphers (Example TLS1.2-AES-128-SHA256)	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds
	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G
	11.1 all builds	11.1 all builds	11.1 all builds	11.1-52.x	11.1-52.x	11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G
	11.0 all builds	11.0 all builds	11.0-66.x			11.0-72.x, 11.0-70.114 (only on MPX 5900/8900)
	10.5-53.x	10.5-53.x				10.5-67.x, 10.5-63.47 (only on MPX 5900/8900)
ECDSA (Example TLS1-ECDHE-ECDSA-AES256-SHA)	Not supported	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds
	Not supported	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	Not supported	12.0 all builds	12.0-57.x	Not applicable	Not supported	12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G
		11.1 all builds				11.1-56.x, 11.1-54.126 (Only ECC curves P_256 and P_384 are supported.)
CHACHA20	Not supported	13.0 all builds	13.0 all builds	Not supported	Not supported	13.0 all builds
	Not supported	Not supported	12.1 all builds	Not supported	Not supported	12.1-49.x (only on MPX 5900/8900)
	Not supported	Not supported	12.0-56.x	Not supported	Not supported	Not supported

Table 2 - Support on backend services:

TLS 1.3 is not supported on the back end.

Protocol/Platform	MPX/SDX (N2)	MPX/SDX (N3)	VPX	MPX 9700* FIPS with firmware 2.2	MPX/SDX 14000** FIPS	MPX 5900/8900 MPX 15000-50G MPX 26000-100G
TLS 1.1/1.2	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds
	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds	12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G
	11.1 all builds	11.1 all builds	11.1 all builds	11.1 all builds	11.1 all builds	11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G
	11.0-50.x	11.0-50.x	11.0-66.x	11.0 all builds		11.0-70.119 (only on MPX 5900/8900)
	10.5-59.x	10.5-59.x		10.5-58.1108.e	10.5-59.1359.e	10.5-67.x, 10.5-63.47 (only on MPX 5900/8900)
ECDHE/DHE (Example TLS1-ECDHE-RSA-AES128-SHA)	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds
	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	12.0 all builds	12.0 all builds	12.0-56.x	12.0 all builds	12.0 all builds	12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G
	11.1 all builds	11.1 all builds		11.1 all builds	11.1-51.x	11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G
	11.0-50.x	11.0-50.x				11.0-70.119 (only on MPX 5900/8900)
	10.5-58.x	10.5-58.x		10.5-59.1306.e		10.5-67.x, 10.5-63.47 (only on MPX 5900/8900)
AES-GCM (Example TLS1.2-AES128-GCM-SHA256)	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds
	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	12.0 all builds	12.0 all builds	Not supported	12.0 all builds	12.0 all builds	12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G
	11.1 all builds	11.1 all builds		11.1-51.x	11.1-51.x	11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G
SHA-2 Ciphers (Example TLS1.2-AES-128-SHA256)	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds
	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	12.0 all builds	12.0 all builds	Not supported	12.0 all builds	12.0 all builds	12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G
	11.1 all builds	11.1 all builds		11.1-52.x	11.1-52.x	11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G
ECDSA (Example TLS1-ECDHE-ECDSA-AES256-SHA)	Not supported	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds	13.0 all builds
	Not supported	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds	12.1 all builds for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	Not supported	12.0 all builds	12.0-57.x	Not applicable	Not supported	12.0 all builds for MPX 5900/8900, 12.0-57.x for MPX 15000-50G, 12.0-60.x for MPX 26000-100G
		11.1-51.x		Not applicable		11.1-56.x for MPX 5900/8900 and MPX 15000-50G, 11.1-60.x for MPX 26000-100G (Only ECC curves P_256 and P_384 are supported.)
CHACHA20	Not supported	13.0 all builds	13.0 all builds	Not supported	Not supported	13.0 all builds
	Not supported	Not supported	12.1 all builds	Not supported	Not supported	12.1-49.x for MPX 5900/8900, 12.1-50.x for MPX 15000-50G and MPX 26000-100G
	Not supported	Not supported	12.0-56.x	Not supported	Not supported	Not supported

For the detailed list of ECDSA ciphers supported, see ECDSA Cipher Suites support.

Note

TLS-Fallback_SCSV cipher suite is supported on all appliances from release 10.5 build 57.x

HTTP Strict Transport Security (HSTS) support is policy-based.

All SHA-2 signed-certificates (SHA256, SHA384, SHA512) are supported on the front end of all appliances. In release 11.1 build 54.x and later, these certificates are also supported on the back-end of all appliances. In release 11.0 and earlier, only SHA256 signed-certificates are supported on the back end of all appliances.

In release 11.1 build 52.x and earlier, the following ciphers are supported only on the front end of the MPX 9700 and MPX/SDX 14000 FIPS appliances:

TLS1.2-ECDHE-RSA-AES-256-SHA384

TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 From release 11.1 build 53.x, and in release 12.0, these ciphers are also supported on the back end.

All ChaCha20-Poly1035 ciphers use a TLS pseudo random function (PSF) with the SHA-256 hash function.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Ciphers available on the Citrix ADC appliances

September 21, 2020

Contributed by:

September 21, 2020

Contributed by:

Ciphers available on the Citrix ADC appliances

In this article