Product Documentation

Cipher/Protocol Support Matrix on the NetScaler Appliance

Dec 21, 2017

From release 10.5 build 56.22, NetScaler MPX appliances support full hardware optimization for all ciphers. In earlier releases, part of ECDHE/DHE cipher optimization was done in software.

Note: Hardware optimization is not supported for ciphers that are specific to the NetScaler VPX appliance. On the SDX platform, if you do not assign an SSL chip to an instance, optimization is done by software.

The following tables list the support for different ciphers on SSL entities, such as virtual server, front-end, back-end, and internal services. Use the 'show hardware' command to identify whether your appliance has N3 chips.

On an SDX appliance, if an SSL chip is assigned to a VPX instance, the cipher support of an MPX appliance applies. Otherwise, the normal cipher support of a VPX instance applies.

Example

> sh hardware
Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100
Manufactured on: 8/19/2013
CPU: 2900MHZ
Host Id: 1006665862
Serial no: ENUK6298FT
Encoded serial no: ENUK6298FT
Done

Note

  1. The TLS-Fallback_SCSV cipher suite is supported on all appliances from release 10.5 build 57.x.
  2. HTTP Strict Transport Security (HSTS) support is policy-based.
  3. All SHA-2 signed certificates (SHA256, SHA384, SHA512) are supported on the front end of all appliances. In release 11.1 build 54.x and later, these certificates are also supported on the back end of all appliances. In release 11.0 and earlier, only SHA256 signed certificates are supported on the back end of all appliances.
  4. In release 11.1 build 52.x and earlier, the following ciphers are supported only on the front end of the MPX 9700 and MPX/SDX 14000 FIPS appliances:
    • TLS1.2-ECDHE-RSA-AES-256-SHA384
    • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
      From release 11.1 build 53.x, and in release 12.0, these ciphers are also supported on the back end.
  5. All ChaCha20-Poly1305 ciphers use a TLS pseudorandom function (PRF) with the SHA-256 hash function.

Table 1: Support on Virtual Server/Frontend Service/Internal Service

| Protocol/Cipher | MPX/SDX (N2) | MPX/SDX (N3) | VPX | MPX 9700* FIPS with firmware 2.2 | MPX/SDX 14000** FIPS | MPX 5900/8900 |
|---|---|---|---|---|---|---|
| TLS 1.1/1.2 | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5 all builds | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5 all builds | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5-57.x | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5 58.1108.e | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5-59.1359.e | 10.5-63.47; 10.5-67.x and later; 11.0-70.114; 11.1-54.126; 11.1-56.x and later |
| ECDHE/DHE (Example TLS1-ECDHE-RSA-AES128-SHA) | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5-53.x | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5-53.x; 10.1-124.x | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5 all builds | 12.0 all builds; 11.1 all builds; 10.5-59.1306.e | 12.0 all builds; 11.1-51.x | 10.5-63.47; 10.5-67.x and later; 11.0-70.114; 11.1-54.126; 11.1-56.x and later |
| AES-GCM (Example TLS1.2-AES128-GCM-SHA256) | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5-53.x | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5-53.x | 12.0 all builds; 11.1 all builds; 11.0-66.x | 12.0 all builds; 11.1-51.x; See note | 12.0 all builds; 11.1-51.x; See note | 10.5-63.47; 10.5-67.x and later; 11.0-70.114; 11.1-54.126; 11.1-56.x and later |
| SHA-2 Ciphers (Example TLS1.2-AES-128-SHA256) | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5-53.x | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5-53.x | 12.0 all builds; 11.1 all builds; 11.0-66.x | 12.0 all builds; 11.1-52.x | 12.0 all builds; 11.1-52.x | 10.5-63.47; 10.5-67.x and later; 11.0-70.114; 11.1-54.126; 11.1-56.x and later |
| ECDSA*** (Example TLS1-ECDHE-ECDSA-AES256-SHA) | Not supported | 12.0 all builds; 11.1 all builds | Not supported | Not applicable | Not supported | 11.1-54.126; 11.1-56.x and later. Note: Only ECC curves P_256 and P_384 are supported. |
| CHACHA20 | Not supported | Not supported | 12.0-56.x and later | Not supported | Not supported | Not supported |


Table 2: Support on Backend Services

| Protocol/Cipher | MPX/SDX (N2) | MPX/SDX (N3) | VPX | MPX 9700* FIPS with firmware 2.2 | MPX 14000** FIPS | MPX 5900/8900 |
|---|---|---|---|---|---|---|
| TLS 1.1/1.2 | 12.0 all builds; 11.1 all builds; 11.0-50.x; 10.5-59.x | 12.0 all builds; 11.1 all builds; 11.0-50.x; 10.5-59.x | 12.0 all builds; 11.1 all builds; 11.0-66.x | 12.0 all builds; 11.1 all builds; 11.0 all builds; 10.5 58.1108.e | 12.0 all builds; 11.1 all builds; 10.5-59.1359.e | 10.5-63.47; 10.5-67.x and later; 11.0-70.119; 11.1-54.126; 11.1-56.x and later |
| ECDHE/DHE (Example TLS1-ECDHE-RSA-AES128-SHA) | 12.0 all builds; 11.1 all builds; 11.0-50.x; 10.5-58.x | 12.0 all builds; 11.1 all builds; 11.0-50.x; 10.5-58.x | 12.0-56.x | 12.0 all builds; 11.1 all builds; 10.5 59.1306.e | 12.0 all builds; 11.1-51.x | 10.5-63.47; 10.5-67.x and later; 11.0-70.119; 11.1-54.126; 11.1-56.x and later |
| AES-GCM (Example TLS1.2-AES128-GCM-SHA256) | 12.0 all builds; 11.1 all builds | 12.0 all builds; 11.1 all builds | Not supported | 12.0 all builds; 11.1-51.x; See note | 12.0 all builds; 11.1-51.x; See note | 11.1-54.126; 11.1-56.x and later |
| SHA-2 (Example TLS1.2-AES-128-SHA256) | 12.0 all builds; 11.1 all builds | 12.0 all builds; 11.1 all builds | Not supported | 12.0 all builds; 11.1-52.x | 12.0 all builds; 11.1-52.x | 11.1-54.126; 11.1-56.x and later |
| ECDSA*** (Example TLS1-ECDHE-ECDSA-AES256-SHA) | Not supported | 12.0 all builds; 11.1-51.x | Not supported | Not applicable | Not supported | 11.1-54.126; 11.1-56.x and later. Note: Only ECC curves P_256 and P_384 are supported. |
| CHACHA20 | Not supported | Not supported | 12.0-56.x and later | Not supported | Not supported | Not supported |

* MPX 9700/10500/12500/15500

** MPX/SDX 14030/14060/14080

*** For the detailed list of ECDSA ciphers supported, see ECDSA Cipher Suites support on MPX and SDX appliances with N3 chips.