Support for DTLS protocol

February 7, 2019

Contributed by: S

Note

DTLSv1.0 protocol is supported on Citrix MPX/SDX (N2 and N3 based) and VPX appliances. It is not supported on FIPS appliances, Intel Coleto SSL chip based appliances, and external HSMs.

The SSL and TLS protocols have traditionally been used to secure streaming traffic. Both of these protocols are based on TCP, which is very slow. In addition, TLS cannot handle lost or reordered packets.

UDP is the preferred protocol for audio and video applications, such as Lync, Skype, iTunes, YouTube, training videos, and flash. However, UDP is not secure or reliable. The DTLS protocol is designed to secure data over UDP and is used for applications such as media streaming, VOIP, and online gaming for communication. In DTLS, each handshake message is assigned a specific sequence number within that handshake. When a peer receives a handshake message, it can quickly determine whether that message is the next one expected. If it is, the peer processes the message. If not, the message is queued for handling after all the previous messages have been received.

You must create a DTLS virtual server and a service of type UDP. By default, a DTLS profile (nsdtls_default_profile) is bound to the virtual server. Optionally, you can create and bind a user-defined DTLS profile to the virtual server.

Note:

RC4 ciphers are not supported on a DTLS virtual server.

DTLS configuration

You can use the command line (CLI) or the configuration utility (GUI) to configure DTLS on your ADC appliance.

Create a DTLS configuration by using the CLI

At the command prompt, type:

add lb vserver <vserver_name> DTLS <IPAddress>  <port>
add service  <service_name>  <IPAddress> UDP 443
bind lb vserver  <vserver_name>  <udp_service_name>

The following steps are optional:

add dtlsProfile dtls1 -maxretryTime <positive_integer>
set ssl vserver <vserver_name> -dtlsProfileName <dtls_profile_name>

Create a DTLS configuration by using the GUI

Navigate to Traffic Management > Load Balancing > Virtual Servers.
Create a virtual server of type DTLS, and bind a UDP service to the virtual server.
A default DTLS profile is bound to the DTLS virtual server. To bind a different profile, in SSL Parameters, select a different DTLS profile. To create a new profile, click the plus (+) next to DTLS Profile.

Features not supported by a DTLS virtual server

The following options cannot be enabled on a DTLS virtual server:

SSLv2
SSLv3
TLSv1
TLSv1.1
TLSv1.2
Push encrypt trigger
SSLv2Redirect
SSLv2URL
SNI
Secure renegotiation

Parameters not used by a DTLS virtual server

The following SSL parameters, even if set, are ignored by a DTLS virtual server:

Encryption trigger packet count
PUSH encryption trigger timeout
SSL quantum size
Encryption trigger timeout
Subject/Issuer Name Insertion Format

Features not supported by a DTLS service

The following options cannot be enabled on a DTLS service:

SSLv2
SSLv3
TLSv1
TLSv1.1
TLSv1.2
Push encrypt trigger
SSLv2Redirect
SSLv2URL
SNI
Secure renegotiation

Parameters not used by a DTLS service

The following SSL parameters, even if set, are ignored by a DTLS service:

Encryption trigger packet count
PUSH encryption trigger timeout
SSL quantum size
Encryption trigger timeout
Subject/Issuer Name Insertion Format

Note:

SSL session reuse handshake fails on a DTLS service because session reuse is not currently supported on DTLS services.

Workaround: Manually disable session reuse on a DTLS service. At the CLI, type:
set ssl service <dtls-service-name> -sessReuse DISABLED

DTLS profile

A DTLS profile with the default settings is automatically bound to a DTLS virtual server. However, you can create a new DTLS profile with specific settings to suit your requirement.

You must use a DTLS profile with a DTLS virtual server or a VPN DTLS virtual server. You cannot use an SSL profile with a DTLS virtual server.

Create a DTLS profile by using the CLI

add ssl dtlsProfile <name>

show ssl dtlsProfile<name>

Example:

add dtlsProfile dtls1 -helloVerifyRequest ENABLED -maxretryTime 4

Done

show dtlsProfile dtls1

    1)      Name: dtls1

            PMTU Discovery: DISABLED

            Max Record Size: 1460 bytes

            Max Retry Time: 4 sec

            Hello Verify Request: ENABLED

            Terminate Session: DISABLED

            Max Packet Count: 120 bytes

     Done

Create a DTLS profile by using the GUI

Navigate to System > Profiles > DTLS Profiles and configure a new profile.

Example for an end-to-end DTLS configuration

enable ns feature SSL LB

add server s1 198.51.100.2

en ns mode usnip

add service svc_dtls s1 DTLS 443

add lb vserver v1 DTLS 10.102.59.244 443

bind ssl vserver v1 -ciphername ALL

add ssl certkey servercert -cert servercert_aia_valid.pem -key serverkey_aia.pem

bind ssl vserver v1 -certkeyname servercert

bind lb vserver lb1 svc_dtls

sh lb vserver v1

                    v1 (10.102.59.244:4433) - DTLS     Type: ADDRESS

                    State: UP

                    Last state change was at Fri Apr 27 07:00:27 2018

                    Time since last state change: 0 days, 00:00:04.810

                    Effective State: UP

                    Client Idle Timeout: 120 sec

                    Down state flush: ENABLED

                    Disable Primary Vserver On Down : DISABLED

                    Appflow logging: ENABLED

                    No. of Bound Services :  1 (Total) 0 (Active)

                    Configured Method: LEASTCONNECTION

                    Current Method: Round Robin, Reason: A new service is bound         BackupMethod: ROUNDROBIN

                    Mode: IP

                    Persistence: NONE

                    L2Conn: OFF

                    Skip Persistency: None

                    Listen Policy: NONE

                    IcmpResponse: PASSIVE

                    RHIstate: PASSIVE

                    New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0

                    Mac mode Retain Vlan: DISABLED

                    DBS_LB: DISABLED

                    Process Local: DISABLED

                    Traffic Domain: 0

                    TROFS Persistence honored: ENABLED

                    Retain Connections on Cluster: NO

    1) svc_dtls (10.102.59.190: 4433) - DTLS State: UP  Weight: 1

Done

sh ssl vserver v1

                    Advanced SSL configuration for VServer v1:

                    DH: DISABLED

                    DH Private-Key Exponent Size Limit: DISABLED        Ephemeral RSA: ENABLED                               Refresh Count: 0

                    Session Reuse: ENABLED                 Timeout: 1800 seconds

                    Cipher Redirect: DISABLED

                    ClearText Port: 0

                    Client Auth: DISABLED

                    SSL Redirect: DISABLED

                    Non FIPS Ciphers: DISABLED

                    SNI: DISABLED

                    OCSP Stapling: DISABLED

                    HSTS: DISABLED

                    HSTS IncludeSubDomains: NO

                    HSTS Max-Age: 0

                    DTLSv1: ENABLED

                    Send Close-Notify: YES

                    Strict Sig-Digest Check: DISABLED

                    Zero RTT Early Data: DISABLED

                    DHE Key Exchange With PSK: NO

                    Tickets Per Authentication Context: 1

                    DTLS profile name: nsdtls_default_profile

                    ECC Curve: P_256, P_384, P_224, P_521

    1)            CertKey Name: servercert               Server Certificate

    1)            Cipher Name: DEFAULT

                    Description: Default cipher list with encryption strength >= 128bit

    2)            Cipher Name: ALL

                    Description: All ciphers supported by NetScaler, excluding NULL ciphers

     Done

sh service svc_dtls

                    svc_dtls (10.102.59.190:4433) - DTLS

                    State: UP

                    Last state change was at Fri Apr 27 07:00:26 2018

                    Time since last state change: 0 days, 00:00:22.790

                    Server Name: s1

                    Server ID : None                 Monitor Threshold : 0

                    Max Conn: 0        Max Req: 0           Max Bandwidth: 0 kbits

                    Use Source IP: NO

                    Client Keepalive(CKA): NO

                    Access Down Service: NO

                    TCP Buffering(TCPB): NO

                    HTTP Compression(CMP): NO

                    Idle timeout: Client: 120 sec           Server: 120 sec

                    Client IP: DISABLED

                    Cacheable: NO

                    SC: OFF

                    SP: OFF

                    Down state flush: ENABLED

                    Monitor Connection Close : NONE

                    Appflow logging: ENABLED

                    Process Local: DISABLED

                    Traffic Domain: 0

    1)            Monitor Name: ping-default

                                    State: UP               Weight: 1              Passive: 0

                                    Probes: 5              Failed [Total: 0 Current: 0]

                                    Last response: Success - ICMP echo reply received.

                                    Response Time: 2.77 millisec

     Done

sh ssl service svc_dtls

                    Advanced SSL configuration for Back-end SSL Service svc_dtls:

                    DH: DISABLED

                    DH Private-Key Exponent Size Limit: DISABLED        Ephemeral RSA: DISABLED

                    Session Reuse: ENABLED                 Timeout: 1800 seconds

                    Cipher Redirect: DISABLED

                    ClearText Port: 0

                    Server Auth: DISABLED

                    SSL Redirect: DISABLED

                    Non FIPS Ciphers: DISABLED

                    SNI: DISABLED

                    OCSP Stapling: DISABLED

                    DTLSv1: ENABLED

                    Send Close-Notify: YES

                    Strict Sig-Digest Check: DISABLED

                    Zero RTT Early Data: ???

                    DHE Key Exchange With PSK: ???

                    Tickets Per Authentication Context: ???

                    DTLS profile name: nsdtls_default_profile

                    ECC Curve: P_256, P_384, P_224, P_521

    1)            Cipher Name: DEFAULT_BACKEND

                    Description: Default cipher list for Backend SSL session

     Done

sh dtlsProfile nsdtls_default_profile

    1)            Name: nsdtls_default_profile

                    PMTU Discovery: DISABLED

                    Max Record Size: 1459 bytes

                    Max Retry Time: 3 sec

                    Hello Verify Request: DISABLED

                    Terminate Session: DISABLED

                    Max Packet Count: 120 bytes

Done

DTLS cipher support

How to read the tables:

Unless a build number is specified, a cipher suite is supported for all builds in a release.

Example:

10.5, 11.0, 11.1, 12.0, 12.1: All builds of 10.5, 11.0, 11.1, 12.0, 12.1 releases.
NA: not applicable.

DTLS cipher support on NetScaler VPX, MPX/SDX (N2 and N3 based) appliances

Cipher Suite Name	Hex Code	Wireshark Cipher Suite Name	Builds Supported (frontend)	Builds Supported (backend)
TLS1-AES-256-CBC-SHA	0x0035	TLS_RSA_WITH_AES_256_CBC_SHA	11.0, 11.1, 12.0, 12.1	12.0, 12.1
TLS1-AES-128-CBC-SHA	0x002f	TLS_RSA_WITH_AES_128_CBC_SHA	11.0, 11.1, 12.0, 12.1	12.0, 12.1
SSL3-DES-CBC-SHA	0x0009	TLS_RSA_WITH_DES_CBC_SHA	11.0, 11.1, 12.0, 12.1	NA
SSL3-DES-CBC3-SHA	0x000a	TLS_RSA_WITH_3DES_EDE_CBC_SHA	11.0, 11.1, 12.0, 12.1	12.0, 12.1
SSL3-EDH-RSA-DES-CBC3-SHA	0x0016	TLS_DHE_RSA_WITH_3DES_EDE_CBC_S	11.0, 11.1, 12.0, 12.1	NA
SSL3-EDH-RSA-DES-CBC-SHA	0x0015	TLS_DHE_RSA_WITH_DES_CBC_SHA	11.0, 11.1, 12.0, 12.1	NA
TLS1-ECDHE-RSA-AES256-SHA	0xc014	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	12.1	12.1
TLS1-ECDHE-RSA-AES128-SHA	0xc013	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	12.1	12.1
TLS1-ECDHE-RSA-DES-CBC3-SHA	0xc012	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA	12.1	NA
TLS1-DHE-RSA-AES-128-CBC-SHA	0x0033	TLS_DHE_RSA_WITH_AES_128_CBC_SHA	12.1	12.1
TLS1-DHE-RSA-AES-256-CBC-SHA	0x0039	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	12.1	12.1

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Support for DTLS protocol

February 7, 2019

Contributed by: S

DTLS configuration
Features not supported by a DTLS virtual server
Parameters not used by a DTLS virtual server
Features not supported by a DTLS service
Parameters not used by a DTLS service
DTLS profile
Example for an end-to-end DTLS configuration
DTLS cipher support
DTLS cipher support on NetScaler VPX, MPX/SDX (N2 and N3 based) appliances

Edit this article

Support for DTLS protocol

DTLS configuration

Create a DTLS configuration by using the CLI

Create a DTLS configuration by using the GUI

Features not supported by a DTLS virtual server

Parameters not used by a DTLS virtual server

Features not supported by a DTLS service

Parameters not used by a DTLS service

DTLS profile

Create a DTLS profile by using the CLI

Create a DTLS profile by using the GUI

Example for an end-to-end DTLS configuration

DTLS cipher support

DTLS cipher support on NetScaler VPX, MPX/SDX (N2 and N3 based) appliances

Support for DTLS protocol

In this article