Ciphers available on the Citrix ADC appliances

Your Citrix ADC appliance ships with a predefined set of cipher groups. To use ciphers that are not part of the DEFAULT cipher group, you have to explicitly bind them to an SSL virtual server. You can also create a user-defined cipher group to bind to the SSL virtual server. For more information about creating a user-defined cipher group, see Configure user-defined cipher groups on the ADC appliance.

  • To display information about the cipher suites bound by default at the front end (to a virtual server), type: sh cipher DEFAULT
  • To display information about the cipher suites bound by default at the back end (to a service), type: sh cipher DEFAULT_BACKEND
  • To display information about all the cipher groups (aliases) defined on the appliance, type: sh cipher
  • To display information about all the cipher suites that are part of a specific cipher group, type: sh cipher <alias name>. For example, sh cipher ECDHE.

The following links list the cipher suites supported on different Citrix ADC platforms and on external hardware security modules (HSMs):

Note:

For DTLS cipher support, see DTLS cipher support on Citrix ADC VPX, MPX, and SDX appliances.

Table 1 - Support on virtual server/frontend service/internal service:

| Protocol/Platform | MPX/SDX (N2) | MPX/SDX (N3) | VPX | MPX 9700* FIPS with firmware 2.2 | MPX/SDX 14000** FIPS | MPX 5900/8900, MPX 15000-50G, MPX 26000-100G |
| --- | --- | --- | --- | --- | --- | --- |
| TLS 1.1/1.2 | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds (only on MPX 5900/8900) |
| | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | |
| | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1-56.x, 11.1-54.126 |
| | 11.0 all builds | 11.0 all builds | 11.0 all builds | 11.0 all builds | 11.0 all builds | 11.0-70.114 |
| | 10.5 all builds | 10.5 all builds | 10.5-57.x | 10.5-58.1108.e | 10.5-59.1359.e | 10.5-67.x, 10.5-63.47 |
| ECDHE/DHE (Example TLS1-ECDHE-RSA-AES128-SHA) | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds (only on MPX 5900/8900) |
| | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | |
| | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1-51.x | 11.1-56.x, 11.1-54.126 |
| | 11.0 all builds | 11.0 all builds | 11.0 all builds | | | 11.0-70.114 |
| | 10.5-53.x | 10.5-53.x | 10.5 all builds | 10.5-59.1306.e | | 10.5-67.x, 10.5-63.47 |
| AES-GCM (Example TLS1.2-AES128-GCM-SHA256) | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds (only on MPX 5900/8900) |
| | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | |
| | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1-51.x (See note) | 11.1-51.x (See note) | 11.1-56.x, 11.1-54.126 |
| | 11.0 all builds | 11.0 all builds | 11.0-66.x | | | 11.0-70.114 |
| | 10.5-53.x | 10.5-53.x | | | | 10.5-67.x, 10.5-63.47 |
| SHA-2 Ciphers (Example TLS1.2-AES-128-SHA256) | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds (only on MPX 5900/8900) |
| | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | |
| | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1-52.x | 11.1-52.x | 11.1-56.x, 11.1-54.126 |
| | 11.0 all builds | 11.0 all builds | 11.0-66.x | | | 11.0-72.x, 11.0-70.114 |
| | 10.5-53.x | 10.5-53.x | | | | 10.5-67.x, 10.5-63.47 |
| ECDSA (Example TLS1-ECDHE-ECDSA-AES256-SHA) | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds (only on MPX 5900/8900) |
| | Not supported | 12.0 all builds | 12.0-57.x | Not applicable | Not supported | |
| | | 11.1 all builds | | | | 11.1-56.x, 11.1-54.126 (Only ECC curves P_256 and P_384 are supported.) |
| CHACHA20 | Not supported | Not supported | 12.1 all builds | Not supported | Not supported | 12.1-49.x (only on MPX 5900/8900) |
| | Not supported | Not supported | 12.0-56.x | Not supported | Not supported | Not supported |

Table 2 - Support on backend services:

| Protocol/Platform | MPX/SDX (N2) | MPX/SDX (N3) | VPX | MPX 9700* FIPS with firmware 2.2 | MPX/SDX 14000** FIPS | MPX 5900/8900, MPX 15000-50G, MPX 26000-100G |
| --- | --- | --- | --- | --- | --- | --- |
| TLS 1.1/1.2 | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds (only on MPX 5900/8900) |
| | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | 12.0 all builds | |
| | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1 all builds | 11.1-56.x, 11.1-54.126 |
| | 11.0-50.x | 11.0-50.x | 11.0-66.x | 11.0 all builds | | 11.0-70.119 |
| | 10.5-59.x | 10.5-59.x | | 10.5-58.1108.e | 10.5-59.1359.e | 10.5-67.x, 10.5-63.47 |
| ECDHE/DHE (Example TLS1-ECDHE-RSA-AES128-SHA) | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds (only on MPX 5900/8900) |
| | 12.0 all builds | 12.0 all builds | 12.0-56.x | 12.0 all builds | 12.0 all builds | |
| | 11.1 all builds | 11.1 all builds | | 11.1 all builds | 11.1-51.x | 11.1-56.x, 11.1-54.126 |
| | 11.0-50.x | 11.0-50.x | | | | 11.0-70.119 |
| | 10.5-58.x | 10.5-58.x | | 10.5-59.1306.e | | 10.5-67.x, 10.5-63.47 |
| AES-GCM (Example TLS1.2-AES128-GCM-SHA256) | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds (only on MPX 5900/8900) |
| | 12.0 all builds | 12.0 all builds | Not supported | 12.0 all builds | 12.0 all builds | |
| | 11.1 all builds | 11.1 all builds | | 11.1-51.x | 11.1-51.x | 11.1-56.x, 11.1-54.126 |
| SHA-2 Ciphers (Example TLS1.2-AES-128-SHA256) | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds (only on MPX 5900/8900) |
| | 12.0 all builds | 12.0 all builds | Not supported | 12.0 all builds | 12.0 all builds | |
| | 11.1 all builds | 11.1 all builds | | 11.1-52.x | 11.1-52.x | 11.1-56.x, 11.1-54.126 |
| ECDSA (Example TLS1-ECDHE-ECDSA-AES256-SHA) | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds | 12.1 all builds (only on MPX 5900/8900) |
| | Not supported | 12.0 all builds | 12.0-57.x | Not applicable | Not supported | |
| | | 11.1-51.x | | Not applicable | | 11.1-56.x, 11.1-54.126 (Only ECC curves P_256 and P_384 are supported.) |
| CHACHA20 | Not supported | Not supported | 12.1 all builds | Not supported | Not supported | 12.1-49.x (only on MPX 5900/8900) |
| | Not supported | 12.0-56.x | Not supported | Not supported | Not supported | |

For the detailed list of ECDSA ciphers supported, see ECDSA Cipher Suites support.
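
To check a planned cipher list against these tables, each cipher name can be mapped to the feature rows it depends on and compared with one platform column. The Python sketch below is an added example, not Citrix code: the name-parsing rules are an assumption based on the example names on this page, the CHACHA20 cipher name is assumed, and the column data is copied from Table 1 (release 12.0 rows, MPX/SDX (N2)).

```python
# Rows of the support tables, keyed off tokens in Citrix-style cipher names.
# The parsing rules are an assumption drawn from the example names on this page.
def classify(cipher_name):
    """Return the set of support-table rows a cipher name depends on."""
    tokens = cipher_name.upper().split("-")
    rows = set()
    if tokens[0] == "TLS1.2":
        rows.add("TLS 1.1/1.2")
    if "ECDHE" in tokens or "DHE" in tokens:
        rows.add("ECDHE/DHE")
    if "ECDSA" in tokens:
        rows.add("ECDSA")
    if "GCM" in tokens:
        rows.add("AES-GCM")
    if "CHACHA20" in tokens:
        rows.add("CHACHA20")
    # SHA-2 row: SHA256/SHA384 used as the record MAC, so AEAD suites are excluded.
    if tokens[-1] in ("SHA256", "SHA384") and not rows & {"AES-GCM", "CHACHA20"}:
        rows.add("SHA-2 Ciphers")
    return rows

# Table 1 (front end), release 12.0 rows, MPX/SDX (N2) column, copied from this page.
FRONTEND_12_0_N2 = {
    "TLS 1.1/1.2": "12.0 all builds",
    "ECDHE/DHE": "12.0 all builds",
    "AES-GCM": "12.0 all builds",
    "SHA-2 Ciphers": "12.0 all builds",
    "ECDSA": "Not supported",
    "CHACHA20": "Not supported",
}

def blocked(cipher_names, column):
    """Map each cipher to the rows marked 'Not supported'/'Not applicable'."""
    result = {}
    for name in cipher_names:
        missing = sorted(r for r in classify(name)
                         if column.get(r, "").startswith("Not "))
        if missing:
            result[name] = missing
    return result

# Constructed sample list; the last name is assumed, the others appear on this page.
PLANNED = [
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-AES-128-SHA256",
    "TLS1-ECDHE-ECDSA-AES256-SHA",
    "TLS1.2-ECDHE-RSA-CHACHA20-POLY1305",
]

if __name__ == "__main__":
    for name, rows in blocked(PLANNED, FRONTEND_12_0_N2).items():
        print(f"{name}: not supported per table, rows: {', '.join(rows)}")
```
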

Note

  • The TLS-Fallback_SCSV cipher suite is supported on all appliances from release 10.5 build 57.x.

  • HTTP Strict Transport Security (HSTS) support is policy-based.

  • All SHA-2 signed certificates (SHA256, SHA384, SHA512) are supported on the front end of all appliances. In release 11.1 build 54.x and later, these certificates are also supported on the back end of all appliances. In release 11.0 and earlier, only SHA256 signed certificates are supported on the back end of all appliances.

  • In release 11.1 build 52.x and earlier, the following ciphers are supported only on the front end of the MPX 9700 and MPX/SDX 14000 FIPS appliances:
    • TLS1.2-ECDHE-RSA-AES-256-SHA384
    • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

    From release 11.1 build 53.x, and in release 12.0, these ciphers are also supported on the back end.

  • All ChaCha20-Poly1305 ciphers use a TLS pseudorandom function (PRF) with the SHA-256 hash function.
