
TLSv1.3 protocol support as defined in RFC 8446

The Citrix ADC VPX and Citrix ADC MPX appliances now support the TLSv1.3 protocol, specified in RFC 8446.

Note: Of the Citrix ADC MPX appliances, only those with N3 chips are supported. Use the show hardware command to identify whether your appliance has N3 chips; the chip type appears in the Platform line of the output, as in the following example.

sh hardware

Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100
…

Done

To use TLS1.3, you must use a client that conforms to the RFC 8446 specification.

Supported Citrix ADC features

The following SSL features are supported:

  1. TLSv1.3 cipher suites:
    • TLS1.3-AES256-GCM-SHA384 (0x1302)
    • TLS1.3_CHACHA20_POLY1305_SHA256 (0x1303) (supported only on VPX, including a VPX instance on SDX that has no SSL chip assigned)
    • TLS1.3-AES128_GCM-SHA256 (0x1301)
  2. Elliptic curves for the ephemeral Diffie-Hellman (ECDHE) key exchange:
    • P_256
    • P_384
    • P_521
  3. Abbreviated handshakes when ticket-based session resumption is enabled

  4. 0-RTT early application data

  5. Optional or mandatory certificate-based client authentication, with support for OCSP and/or CRL validation of client certificates

  6. Server name extension: server certificate selection by using SNI

  7. Application protocol negotiation (ALPN) by using the application_level_protocol_negotiation extension.

  8. OCSP stapling

  9. Log messages and AppFlow records are produced for TLSv1.3 handshakes.

  10. Optional logging of TLS 1.3 traffic secrets by the nstrace packet capture utility.
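Feature 10 above, and the packet-trace decryption it enables, works because what the appliance logs are the per-direction TLS 1.3 traffic secrets, keyed by the client random of the handshake; the decryptor then derives the record key and IV from each secret itself. The following script is an added example, not Citrix code, that shows both halves: it parses a key log, reports sessions whose secrets are incomplete, and derives write keys and IVs from a logged secret with HKDF-Expand-Label as specified in RFC 8446 section 7.3, for the three cipher suites listed on this page. It assumes the nstrace key file uses the NSS key-log line format that Wireshark reads (an assumption; check the nstrace documentation for the actual file layout). The key log embedded in it is constructed, with filler secrets.

```python
"""Read a TLS 1.3 key-log file and derive record keys from the logged traffic secrets.
Added example, not Citrix code.  Assumes the nstrace key file uses the NSS key-log
line format that Wireshark reads: '<LABEL> <client_random hex> <secret hex>'."""
import hashlib
import hmac
import struct
from collections import defaultdict

# Labels TLS 1.3 implementations write; EARLY only appears when 0-RTT was offered.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# Without these four a decryptor can read neither the handshake nor the application data.
REQUIRED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
            "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# The three suites on this page: hex code -> (hash, AEAD key length in bytes)
SUITES = {0x1301: ("sha256", 16), 0x1302: ("sha384", 32), 0x1303: ("sha256", 32)}

# Constructed sample key log: two sessions, filler secrets, not from a real capture.
CR_FULL, CR_PARTIAL = "ab" * 32, "cd" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, secrets are filler",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_FULL} {'11' * 48}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_FULL} {'22' * 48}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_FULL} {'33' * 48}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_FULL} {'44' * 48}",
    f"EXPORTER_SECRET {CR_FULL} {'55' * 48}",
    # second session logged only up to the handshake secrets (trace stopped early)
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_PARTIAL} {'66' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_PARTIAL} {'77' * 32}",
])


def parse_keylog(text):
    """Group TLS 1.3 secrets by client_random: {client_random_hex: {label: secret_bytes}}.
    Lines with other labels (for example TLS 1.2's CLIENT_RANDOM) are skipped."""
    sessions = defaultdict(dict)
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected '<label> <client_random> <secret>'")
        label, client_random, secret = parts
        if label not in TLS13_LABELS:
            continue
        if len(client_random) != 64:
            raise ValueError(f"line {n}: client_random must be 32 bytes")
        sessions[client_random][label] = bytes.fromhex(secret)
    return dict(sessions)


def missing_labels(session):
    """Labels a decryptor still needs for this session (empty if complete)."""
    return sorted(REQUIRED - set(session))


def hkdf_expand(prk, info, length, hash_name):
    """RFC 5869 HKDF-Expand: concatenated HMAC blocks T(1..n), truncated to length."""
    digest_size = hashlib.new(hash_name).digest_size
    okm, block = b"", b""
    for counter in range(1, -(-length // digest_size) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
    return okm[:length]


def hkdf_expand_label(secret, label, context, length, hash_name):
    """RFC 8446 s.7.1: HkdfLabel = uint16 length | "tls13 " + label | context."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length, hash_name)


def record_keys(traffic_secret, suite):
    """RFC 8446 s.7.3: derive the (write_key, write_iv) for one direction from a
    logged traffic secret and the negotiated cipher suite."""
    hash_name, key_len = SUITES[suite]
    if len(traffic_secret) != hashlib.new(hash_name).digest_size:
        raise ValueError("secret length does not match the suite's hash")
    key = hkdf_expand_label(traffic_secret, b"key", b"", key_len, hash_name)
    iv = hkdf_expand_label(traffic_secret, b"iv", b"", 12, hash_name)
    return key, iv


if __name__ == "__main__":
    sessions = parse_keylog(SAMPLE_KEYLOG)
    for client_random, session in sessions.items():
        gaps = missing_labels(session)
        print(client_random[:8], "missing:" if gaps else "complete", *gaps)
    key, iv = record_keys(sessions[CR_FULL]["SERVER_TRAFFIC_SECRET_0"], 0x1302)
    print("server application write key", key.hex(), "iv", iv.hex())
```

A session that lacks the two TRAFFIC_SECRET_0 lines can only be decrypted up to the end of the handshake, which is what a trace stopped mid-connection looks like. The secret length already tells you the hash of the negotiated suite (32 bytes for the SHA-256 suites, 48 for TLS1.3-AES256-GCM-SHA384), so a mismatch between the logged secret and the suite in the ServerHello is the first thing to check when decryption fails.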

Configuration

TLSv1.3 is disabled by default on an SSL profile.

Add an SSL profile by using the CLI

At the command prompt, type:

add ssl profile <tls13-profile-name>

Example:

add ssl profile tls13profile
sh ssl profile tls13profile
1)  Name: tls13profile           (Front-End)
    SSLv3: DISABLED               TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED  TLSv1.3: DISABLED
    Client Auth: DISABLED
    Use only bound CA certificates: DISABLED
    Strict CA checks:   NO
    Session Reuse: ENABLED                       Timeout: 120 seconds
    DH: DISABLED
    DH Private-Key Exponent Size Limit: DISABLED   Ephemeral RSA: ENABLED                            Refresh Count: 0
    Deny SSL Renegotiation                                ALL
    Non FIPS Ciphers: DISABLED
    Cipher Redirect: DISABLED
    SSL Redirect: DISABLED
    Send Close-Notify: YES
    Strict Sig-Digest Check: DISABLED
    Zero RTT Early Data: DISABLED
    DHE Key Exchange With PSK: NO
    Tickets Per Authentication Context: 1
    Push Encryption Trigger: Always
    PUSH encryption trigger timeout:             1 ms
    SNI: DISABLED
    OCSP Stapling: DISABLED
    Strict Host Header check for SNI enabled SSL sessions: NO
    Push flag:            0x0 (Auto)
    SSL quantum size:                            8 kB
    Encryption trigger timeout           100 mS
    Encryption trigger packet count:               45
    Subject/Issuer Name Insertion Format: Unicode

    SSL Interception: DISABLED
    SSL Interception OCSP Check: ENABLED
    SSL Interception End to End Renegotiation: ENABLED
    SSL Interception Maximum Reuse Sessions per Server:  10
    Session Ticket: DISABLED
    HSTS: DISABLED
    HSTS IncludeSubDomains: NO
    HSTS Max-Age: 0

    ECC Curve: P_256, P_384, P_224, P_521

1)  Cipher Name: DEFAULT Priority :1
    Description: Predefined Cipher Alias
Done

SSL profile parameters for TLSv1.3 protocol

  1. Enable or disable TLS 1.3 in an SSL profile.

    tls13: State of TLSv1.3 protocol support for the SSL profile.

    Possible values: ENABLED, DISABLED

    Default value: DISABLED

set ssl profile tls13profile -tls13 ENABLED
set ssl profile tls13profile -tls13 DISABLED

  2. Set the number of session tickets issued per authentication context.

    tls13SessionTicketsPerAuthContext: Number of tickets the SSL virtual server issues whenever TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handshake client authentication completes. Increase this value to let clients open multiple parallel connections, each resumed with a fresh ticket. No tickets are sent if resumption is disabled.

    Default value: 1

    Minimum value: 1

    Maximum value: 10

set ssl profile tls13profile -tls13sessionTicketsPerAuthContext 1

set ssl profile tls13profile -tls13sessionTicketsPerAuthContext 10

  3. Require a DHE key exchange on PSK resumption.

    dheKeyExchangeWithPsk: Specifies whether the SSL virtual server requires a DHE key exchange when a pre-shared key is accepted during a TLS 1.3 session resumption handshake. A DHE key exchange preserves forward secrecy for the resumed session even if the ticket keys are later compromised, at the cost of the additional resources needed to carry out the key exchange.

    The settings behave as follows when session tickets are enabled:

    YES: A DHE key exchange is required whenever a pre-shared key is accepted, regardless of whether the client supports it. If the client offers a pre-shared key but does not support a DHE key exchange, the handshake is aborted with a fatal alert.

    NO: A DHE key exchange is performed when a pre-shared key is accepted only if the client requests it.

    Possible values: YES, NO

    Default value: NO

set ssl profile tls13profile -dheKeyExchangeWithPsk YES

set ssl profile tls13profile -dheKeyExchangeWithPsk NO

  4. Enable or disable acceptance of 0-RTT early data.

    zeroRttEarlyData: State of TLS 1.3 early application data. The settings work as follows:

    ENABLED: Early application data might be processed before the handshake is complete.

    DISABLED: Early application data is ignored.

Possible values: ENABLED, DISABLED

Default value: DISABLED

set ssl profile tls13profile -zeroRttEarlyData ENABLED

set ssl profile tls13profile -zeroRttEarlyData DISABLED

Default cipher group

The DEFAULT cipher group includes the three TLS 1.3 cipher suites (priorities 27 to 29 in the listing below), so a virtual server bound to DEFAULT needs no cipher changes once TLS 1.3 is enabled on its profile.

sh cipher DEFAULT
1) Cipher Name: TLS1-AES-256-CBC-SHA    Priority : 1
    Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0x0035

2)  Cipher Name: TLS1-AES-128-CBC-SHA    Priority : 2
    Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1   HexCode=0x002f
…
…
27) Cipher Name: TLS1.3-AES256-GCM-SHA384         Priority : 27
    Description: TLSv1.3 Kx=any      Au=any  Enc=AES-GCM(256) Mac=AEAD   HexCode=0x1302

28) Cipher Name: TLS1.3_CHACHA20_POLY1305_SHA256     Priority : 28
    Description: TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD   HexCode=0x1303

29) Cipher Name: TLS1.3-AES128_GCM-SHA256        Priority : 29
    Description: TLSv1.3 Kx=any      Au=any  Enc=AES-GCM(128) Mac=AEAD   HexCode=0x1301
Done

Limitations

  • On the Citrix ADC MPX platform, TLSv1.3 processing is not offloaded to crypto hardware.
  • TLSv1.3 is not supported on the back end.
  • TLSv1.3 is not supported on a Citrix Secure Web Gateway appliance and on a Citrix ADC FIPS appliance.
  • This release provides only limited protection against replay of 0-RTT early data when a virtual server is configured to accept it. Early data acceptance is off by default and is enabled or disabled per SSL profile (the zeroRttEarlyData parameter).

Operational considerations

TLS 1.3 draft version compatibility note: A Citrix ADC appliance implements the RFC 8446 version of TLS 1.3, not the earlier draft versions of the protocol. To complete a TLS 1.3 handshake with a Citrix ADC appliance, the client must implement RFC 8446 or one of the interoperable late drafts (draft 26, 27, or 28). This is necessary because clients and servers that implement different, non-interoperable draft versions of TLS 1.3 cannot complete a TLS 1.3 handshake with each other.

Security restrictions

TLSv1.3 server operators should keep in mind the following backward-compatibility security restrictions outlined in RFC 8446. The default configuration of a Citrix ADC appliance complies with these restrictions. However, the appliance does not enforce them: a profile or cipher group edited to violate them is accepted as configured.

  • The security of RC4 cipher suites is considered insufficient as described in RFC7465. Implementations must not offer or negotiate RC4 cipher suites for any version of TLS.

  • Old versions of TLS allowed the use of very low strength ciphers. Ciphers with a strength less than 112 bits must not be offered or negotiated for any version of TLS.

  • The security of SSL 3.0 [SSLv3] is considered insufficient as described in RFC7568, and it must not be negotiated. Disable SSLv3 when TLSv1.3 is enabled (SSLv3 is disabled by default).

  • The security of SSL 2.0 [SSLv2] is considered insufficient as described in RFC6176, and it must not be negotiated. Disable SSLv2 when TLS 1.3 is enabled (SSLv2 is disabled by default).

  • Application data sent in 0-RTT early data is susceptible to replay attacks.
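Because the appliance does not enforce the restrictions above, the check falls to the operator. The following script is an added example, not Citrix code, that parses the sh ssl profile and sh cipher listings of the kind shown in the Configuration and Default cipher group sections and reports deviations from the RFC 8446 restrictions, together with the two TLS 1.3-specific settings described on this page (0-RTT early data and DHE with PSK). The sample listings embedded in it are constructed from the page's own output with a few lines altered or added, as marked in the comments, so that each check has something to flag; the parser assumes the column layout shown on this page.

```python
"""Audit 'sh ssl profile' / 'sh cipher' listings against the RFC 8446 restrictions.
Added example, not Citrix code; it assumes the column layout shown on this page."""
import re

# Constructed sample: the page's 'sh ssl profile tls13profile' listing, reduced to
# the lines the checks use, after we assume '-tls13 ENABLED', '-zeroRttEarlyData
# ENABLED' and '-sessionTicket ENABLED' were set on it.
SAMPLE_PROFILE = """\
1)  Name: tls13profile           (Front-End)
    SSLv3: DISABLED               TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED  TLSv1.3: ENABLED
    Client Auth: DISABLED
    Strict CA checks:   NO
    Session Reuse: ENABLED                       Timeout: 120 seconds
    Zero RTT Early Data: ENABLED
    DHE Key Exchange With PSK: NO
    Tickets Per Authentication Context: 1
    Session Ticket: ENABLED
    ECC Curve: P_256, P_384, P_224, P_521
"""

# Constructed sample 'sh cipher' listing: entries 1 and 4 are copied from the
# page's DEFAULT group; entries 2 and 3 (RC4 and a 40-bit export cipher) are
# added so the checks have something to flag.  Illustrative, not a real group.
SAMPLE_CIPHERS = """\
1)  Cipher Name: TLS1-AES-256-CBC-SHA    Priority : 1
    Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0x0035
2)  Cipher Name: SSL3-RC4-MD5    Priority : 2
    Description: SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5    HexCode=0x0004
3)  Cipher Name: SSL3-EXP-RC2-CBC-MD5    Priority : 3
    Description: SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5    HexCode=0x0006
4)  Cipher Name: TLS1.3-AES256-GCM-SHA384         Priority : 4
    Description: TLSv1.3 Kx=any      Au=any  Enc=AES-GCM(256) Mac=AEAD   HexCode=0x1302
Done
"""

# "Key: value" pairs; several pairs share one line, separated by 2+ spaces.
KV = re.compile(r"([A-Za-z][A-Za-z0-9 ./-]*?):\s+(.+?)(?=\s{2,}|$)")
TLS13_GROUPS = {"P_256", "P_384", "P_521"}   # the curves the page lists for TLS 1.3
EFFECTIVE_BITS = {"3DES": 112}              # 168-bit 3DES counts as 112-bit strength


def parse_profile(text):
    """Flatten the multi-column listing into {setting: value}."""
    settings = {}
    for line in text.splitlines():
        for key, value in KV.findall(line):
            settings[key.strip()] = value.strip()
    return settings


def parse_ciphers(text):
    """Return [(name, enc_algorithm, key_bits, hexcode)] from a 'sh cipher' listing."""
    ciphers, name = [], None
    for line in text.splitlines():
        m = re.search(r"Cipher Name:\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.search(r"Enc=([A-Za-z0-9/-]+)(?:\((\d+)\))?.*HexCode=(0x[0-9a-fA-F]+)", line)
        if m and name:
            ciphers.append((name, m.group(1), int(m.group(2) or 0), m.group(3)))
            name = None
    return ciphers


def audit(profile_text, cipher_text):
    """Return (severity, message) findings; an empty list means nothing to report."""
    p = parse_profile(profile_text)
    findings = []
    if p.get("SSLv3") == "ENABLED":
        findings.append(("FAIL", "SSLv3 enabled: must not be negotiated (RFC 7568)"))
    if p.get("TLSv1.3") != "ENABLED":
        findings.append(("FAIL", "TLSv1.3 disabled (the profile default): set ssl profile <name> -tls13 ENABLED"))
    if p.get("Zero RTT Early Data") == "ENABLED":
        findings.append(("WARN", "0-RTT early data accepted: early application data is replayable"))
    if p.get("Session Ticket") == "ENABLED" and p.get("DHE Key Exchange With PSK") == "NO":
        findings.append(("WARN", "PSK resumption without mandatory DHE: resumed sessions lose forward secrecy if ticket keys leak"))
    for curve in (c.strip() for c in p.get("ECC Curve", "").split(",")):
        if curve and curve not in TLS13_GROUPS:
            findings.append(("INFO", f"curve {curve} is bound but is not a TLS 1.3 group (used only by TLS 1.2 and earlier)"))
    for name, alg, bits, code in parse_ciphers(cipher_text):
        if alg.upper().startswith("RC4"):
            findings.append(("FAIL", f"{name} ({code}): RC4 must not be offered for any TLS version (RFC 7465)"))
        elif EFFECTIVE_BITS.get(alg.upper(), bits) < 112:
            findings.append(("FAIL", f"{name} ({code}): {alg}({bits}) is below the 112-bit minimum"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_PROFILE, SAMPLE_CIPHERS):
        print(f"{severity:4} {message}")
```

Run it against the output of sh ssl profile <name> and sh cipher <group> for the cipher group bound to the virtual server; the page's unmodified default profile produces one FAIL (TLS 1.3 still disabled) and one INFO (P_224 is bound but unused by TLS 1.3), which is the expected starting point before configuration.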

Note: For information about troubleshooting protocols that run over TLS1.3, see Decrypting TLS1.3 traffic from packet trace.
