-
Getting Started with Citrix NetScaler
-
Deploy a Citrix NetScaler VPX instance
-
Install a Citrix NetScaler VPX instance on Microsoft Hyper-V servers
-
Install a NetScaler VPX instance on Linux-KVM platform
-
Prerequisites for Installing NetScaler VPX Virtual Appliances on Linux-KVM Platform
-
Provisioning the NetScaler Virtual Appliance by using OpenStack
-
Provisioning the NetScaler Virtual Appliance by using the Virtual Machine Manager
-
Configuring NetScaler Virtual Appliances to Use SR-IOV Network Interface
-
Configuring NetScaler Virtual Appliances to use PCI Passthrough Network Interface
-
Provisioning the NetScaler Virtual Appliance by using the virsh Program
-
-
-
-
-
-
-
Overriding Static Proximity Behavior by Configuring Preferred Locations
-
Example of a Complete Parent-Child Configuration Using the Metrics Exchange Protocol
-
Configuring Global Server Load Balancing for DNS Queries with NAPTR records
-
Using the EDNS0 Client Subnet Option for Global Server Load Balancing
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Use source IP address of the client when connecting to the server
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
-
-
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
View PDF
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已动态机器翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
This content has been machine translated dynamically.
This content has been machine translated dynamically.
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.
Este artigo foi traduzido automaticamente.
这篇文章已经过机器翻译.放弃
Translation failed!
ECDSA cipher suites support
ECDSA cipher suites use elliptical curve cryptography (ECC). Because of its smaller size, it is particularly helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.
The following NetScaler appliances now support the elliptical curve digital signature algorithm (ECDSA) cipher group:
- NetScaler MPX and SDX appliances with N3 chips
- NetScaler MPX 5900/8900
- NetScaler SDX 8900
- NetScaler VPX appliances
To support ECDSA cipher suites on a NetScaler SDX appliance, an SSL core must be assigned to the VPX instance.
When the ECDHE_ECDSA cipher group is used, the server’s certificate must contain an ECDSA-capable public key.
Example:
sh ssl cipher ECDSA
1) Cipher Name: TLS1-ECDHE-ECDSA-AES256-SHA Priority : 1
Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=AES(256) Mac=SHA1 HexCode=0xc00a
2) Cipher Name: TLS1-ECDHE-ECDSA-AES128-SHA Priority : 2
Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA1 HexCode=0xc009
3) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-SHA384 Priority : 3
Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(256) Mac=SHA-384 HexCode=0xc024
4) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-SHA256 Priority : 4
Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA-256 HexCode=0xc023
5) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 Priority : 5
Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc02c
6) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 Priority : 6
Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02b
7) Cipher Name: TLS1-ECDHE-ECDSA-DES-CBC3-SHA Priority : 7
Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=3DES(168) Mac=SHA1 HexCode=0xc008
8) Cipher Name: TLS1-ECDHE-ECDSA-RC4-SHA Priority : 8
Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=RC4(128) Mac=SHA1 HexCode=0xc007
9) Cipher Name: TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305 Priority : 9
Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD HexCode=0xcca9
Done
The following table lists the ECDSA ciphers that are supported on the NetScaler MPX and SDX appliances with N3 chips, MPX 5900, and MPX/SDX 8900 appliances.
Cipher Name |
Priority |
Description |
Key Exchange Algorithm |
Authentication Algorithm |
Encryption Algorithm (Key Size) |
Message Authentication Code (MAC) Algorithm |
HexCode |
TLS1-ECDHE-ECDSA-AES128-SHA |
1 |
SSLv3 |
ECC-DHE |
ECDSA |
AES(128) |
SHA1 |
0xc009 |
TLS1-ECDHE-ECDSA-AES256-SHA |
2 |
SSLv3 |
ECC-DHE |
ECDSA |
AES(256) |
SHA1 |
0xc00a |
TLS1.2-ECDHE-ECDSA-AES128-SHA256 |
3 |
TLSv1.2 |
ECC-DHE |
ECDSA |
AES(128) |
SHA-256 |
0xc023
|
TLS1.2-ECDHE-ECDSA-AES256-SHA384 |
4 |
TLSv1.2 |
ECC-DHE |
ECDSA |
AES(256) |
SHA-384 |
0xc024
|
TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 |
5 |
TLSv1.2 |
ECC-DHE |
ECDSA |
AES-GCM(128) |
SHA-256 |
0xc02b
|
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 |
6 |
TLSv1.2 |
ECC-DHE |
ECDSA |
AES-GCM(256) |
SHA-384 |
0xc02c
|
TLS1-ECDHE-ECDSA-RC4-SHA |
7 |
SSLv3 |
ECC-DHE |
ECDSA |
RC4(128) |
SHA1 |
0xc007
|
TLS1-ECDHE-ECDSA-DES-CBC3-SHA |
8 |
SSLv3 |
ECC-DHE |
ECDSA |
3DES(168) |
SHA1 |
0xc008
|
| TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305 |
9 | TLSv1.2 |
ECC-DHE |
ECDSA |
CHACHA20/POLY1305(256) |
AEAD |
0xcca9 |
Important
Use the show ns hardware command to find out if your appliance has N3 chips.
Example:
sh ns hardware
Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100
Manufactured on: 8/19/2013
CPU: 2900MHZ
Host Id: 1006665862
Serial no: ENUK6298FT
Encoded serial no: ENUK6298FT
Done
ECDSA/RSA cipher and certificate selection
You can bind both ECDSA and RSA server certificates at the same time to an SSL virtual server. When both ECDSA and RSA certificates are bound to the virtual server, it automatically selects the appropriate server certificate to present to the client. If the client cipher list includes RSA ciphers, but does not include ECDSA ciphers, the virtual server presents the RSA server certificate. If both ciphers are present in the client’s list, then the server certificate presented depends on the cipher priority set on the virtual server. That is, if RSA has a higher priority, the RSA certificate is presented. If ECDSA has a higher priority, the ECDSA certificate is presented to the client.
Client authentication by using an ECDSA or an RSA certificate
For client authentication, the CA certificate bound to the virtual server can be ECDSA or RSA signed. The appliance supports a mixed certificate chain. For example, the following certificate chain is supported.
Client certificate (ECDSA) <-> CA certificate (RSA) <-> Intermediate certificate (RSA) <-> Root certificate (RSA)
Note
ECDSA certificates with only the following curves are supported:
- prime256v1
- secp384r1
- secp521r1 (VPX only)
- secp224r1 (VPX only)
ECDSA cipher suites support
Share