Configure user-defined cipher groups on the ADC appliance

A cipher group is a set of cipher suites that you bind to an SSL virtual server, service, or service group on the NetScaler appliance. A cipher suite comprises a protocol, a key exchange (Kx) algorithm, an authentication (Au) algorithm, an encryption (Enc) algorithm, and a message authentication code (Mac) algorithm. Your appliance ships with a predefined set of cipher groups. When you create an SSL service or SSL service group, the ALL cipher group is automatically bound to it. When you create an SSL virtual server or a transparent SSL service, the DEFAULT cipher group is automatically bound to it instead. In addition, you can create a user-defined cipher group and bind it to an SSL virtual server, service, or service group.

Note: If your MPX appliance does not have any licenses, then only the EXPORT cipher is bound to your SSL virtual server, service, or service group.

To create a user-defined cipher group, first create the group and then bind ciphers or cipher groups to it. If you specify a cipher alias or a cipher group, all the ciphers in that alias or group are added to the user-defined cipher group, including any legacy suites the alias happens to contain (the ECDHE alias, for example, also pulls in RC4 and 3DES suites). Review the result with show ssl cipher and unbind any suite you do not want to offer. You can also add individual ciphers (cipher suites) to a user-defined group. You cannot modify a predefined cipher group. Before removing a cipher group, unbind all the cipher suites in the group.

If you bind a cipher group to an SSL virtual server, service, or service group, its ciphers are appended to the ciphers already bound to the entity. To bind only a specific cipher group to the entity, first unbind the ciphers or cipher group that is currently bound and then bind the specific cipher group. For example, to bind only the AES cipher group to an SSL service, you perform the following steps:

  1. Unbind the cipher group ALL, which is bound by default when the service is created.

    unbind ssl service <service name> -cipherName ALL
    
  2. Bind the AES cipher group to the service.

    bind ssl service <service name> -cipherName AES
    

If you want to bind the cipher group DES in addition to AES, at the command prompt, type:

bind ssl service <service name> -cipherName DES

Note: The free NetScaler virtual appliance supports only the DH cipher group.

Configure a user-defined cipher group by using the CLI

At the command prompt, type the following commands to add a cipher group, or to add ciphers to a previously created group, and verify the settings:

add ssl cipher <cipherGroupName>
bind ssl cipher <cipherGroupName> -cipherName <string>
show ssl cipher <cipherGroupName>

Example:

add ssl cipher test
Done

bind ssl cipher test -cipherName ECDHE
Done

sh ssl cipher test
1)      Cipher Name: TLS1-ECDHE-RSA-AES256-SHA  Priority : 1
Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0xc014
2)      Cipher Name: TLS1-ECDHE-RSA-AES128-SHA  Priority : 2
Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=AES(128)  Mac=SHA1   HexCode=0xc013
3)      Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384    Priority : 3
Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES(256)  Mac=SHA-384   HexCode=0xc028
4)      Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256    Priority : 4
Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES(128)  Mac=SHA-256   HexCode=0xc027
5)      Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 5
Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES-GCM(256) Mac=AEAD   HexCode=0xc030
6)      Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 Priority : 6
Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES-GCM(128) Mac=AEAD   HexCode=0xc02f
7)      Cipher Name: TLS1-ECDHE-ECDSA-AES256-SHA        Priority : 7
Description: SSLv3 Kx=ECC-DHE  Au=ECDSA Enc=AES(256)  Mac=SHA1   HexCode=0xc00a
8)      Cipher Name: TLS1-ECDHE-ECDSA-AES128-SHA        Priority : 8
Description: SSLv3 Kx=ECC-DHE  Au=ECDSA Enc=AES(128)  Mac=SHA1   HexCode=0xc009
9)      Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-SHA384   Priority : 9
Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES(256)  Mac=SHA-384   HexCode=0xc024
10)     Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-SHA256   Priority : 10
Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES(128)  Mac=SHA-256   HexCode=0xc023
11)     Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384       Priority : 11
Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES-GCM(256) Mac=AEAD   HexCode=0xc02c
12)     Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256       Priority : 12
Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES-GCM(128) Mac=AEAD   HexCode=0xc02b
13)     Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA        Priority : 13
Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=3DES(168) Mac=SHA1   HexCode=0xc012
14)     Cipher Name: TLS1-ECDHE-ECDSA-DES-CBC3-SHA      Priority : 14
Description: SSLv3 Kx=ECC-DHE  Au=ECDSA Enc=3DES(168) Mac=SHA1   HexCode=0xc008
15)     Cipher Name: TLS1-ECDHE-RSA-RC4-SHA     Priority : 15
Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=RC4(128)  Mac=SHA1   HexCode=0xc011
16)     Cipher Name: TLS1-ECDHE-ECDSA-RC4-SHA   Priority : 16
Description: SSLv3 Kx=ECC-DHE  Au=ECDSA Enc=RC4(128)  Mac=SHA1   HexCode=0xc007
17)     Cipher Name: TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 Priority : 17
Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD   HexCode=0xcca8
18)     Cipher Name: TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305       Priority : 18
Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD   HexCode=0xcca9
Done

Unbind ciphers from a cipher group by using the CLI

At the command prompt, type the following commands to unbind ciphers from a user-defined cipher group, and verify the settings:

show ssl cipher <cipherGroupName>
unbind ssl cipher <cipherGroupName> -cipherName <string>
show ssl cipher <cipherGroupName>
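The ECDHE example above shows the catch with aliases: one bind pulls in 18 suites, including RC4 and 3DES, and the unbind procedure here is how you prune them. The following script is an added example, not part of this page or of NetScaler itself. It parses the text that show ssl cipher prints (the sample below is a constructed, trimmed copy of the output shown above), flags suites that use RC4, 3DES, DES, NULL, EXPORT or MD5 (and, in strict mode, every non-AEAD suite), and emits the unbind ssl cipher commands to remove them, or alternatively the add/bind commands to rebuild the group with only the strong suites, AEAD suites first. The classification thresholds and the group name test_hardened are the example's own choices; the commands it prints are the ones documented on this page, and nothing is sent to an appliance.

```python
import re
from typing import Dict, List

# Constructed sample input: a trimmed copy of the "sh ssl cipher test"
# output shown on this page after binding the ECDHE alias.
SAMPLE_SHOW_OUTPUT = """\
1)      Cipher Name: TLS1-ECDHE-RSA-AES256-SHA  Priority : 1
Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0xc014
5)      Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 5
Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES-GCM(256) Mac=AEAD   HexCode=0xc030
13)     Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA        Priority : 13
Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=3DES(168) Mac=SHA1   HexCode=0xc012
15)     Cipher Name: TLS1-ECDHE-RSA-RC4-SHA     Priority : 15
Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=RC4(128)  Mac=SHA1   HexCode=0xc011
17)     Cipher Name: TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 Priority : 17
Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD   HexCode=0xcca8
Done
"""

# One "N) Cipher Name: ... Priority : N" line, followed by one "Description:" line.
NAME_RE = re.compile(r"^\d+\)\s+Cipher Name:\s+(\S+)\s+Priority\s*:\s*(\d+)")
DESC_RE = re.compile(
    r"^Description:\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)\s+HexCode=(0x[0-9a-fA-F]+)"
)

# Policy chosen for this example: these bulk ciphers / MACs are never acceptable.
WEAK_ENC_PREFIXES = ("RC4", "3DES", "DES", "NULL", "EXP")
WEAK_MACS = ("MD5",)


def parse_show_cipher(text: str) -> List[Dict[str, object]]:
    """Turn 'show ssl cipher' output into one dict per cipher suite."""
    suites: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            current = {"name": m.group(1), "priority": int(m.group(2))}
            suites.append(current)
            continue
        m = DESC_RE.match(line)
        if m and current is not None:
            proto, kx, au, enc, mac, hexcode = m.groups()
            current.update(proto=proto, kx=kx, au=au, enc=enc, mac=mac, hexcode=hexcode.lower())
            current = None  # a Description line belongs to the name line just above it
    return suites


def is_weak(suite: Dict[str, object], strict: bool = False) -> bool:
    """RC4/3DES/DES/NULL/EXPORT bulk ciphers or an MD5 MAC are always weak;
    strict mode additionally rejects every non-AEAD suite (CBC + HMAC)."""
    enc = str(suite.get("enc", ""))
    mac = str(suite.get("mac", ""))
    if enc.startswith(WEAK_ENC_PREFIXES) or mac in WEAK_MACS:
        return True
    return strict and mac != "AEAD"


def unbind_weak_commands(group: str, text: str, strict: bool = False) -> List[str]:
    """NetScaler CLI lines that prune the weak suites from a user-defined group."""
    return [
        f"unbind ssl cipher {group} -cipherName {s['name']}"
        for s in parse_show_cipher(text)
        if is_weak(s, strict)
    ]


def rebuild_group_commands(group: str, text: str) -> List[str]:
    """Recreate the group from scratch with only strong suites, AEAD suites first.
    Priority follows bind order, as the page's example output shows."""
    strong = [s for s in parse_show_cipher(text) if not is_weak(s)]
    ordered = sorted(strong, key=lambda s: (s["mac"] != "AEAD", s["priority"]))
    cmds = [f"add ssl cipher {group}"]
    cmds += [f"bind ssl cipher {group} -cipherName {s['name']}" for s in ordered]
    return cmds


if __name__ == "__main__":
    for cmd in unbind_weak_commands("test", SAMPLE_SHOW_OUTPUT):
        print(cmd)
    print("---")
    for cmd in rebuild_group_commands("test_hardened", SAMPLE_SHOW_OUTPUT):
        print(cmd)
```

Feed it the full output of show ssl cipher for a group and paste the printed commands back into the CLI, then run show ssl cipher again to confirm the RC4 and 3DES entries are gone. The rebuild variant is the safer path when the group is bound to a production virtual server, because a new group can be bound in one step instead of the appliance briefly offering a half-pruned list.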

Remove a cipher group by using the CLI

Note: You cannot remove a built-in cipher group. Before removing a user-defined cipher group, make sure that the cipher group is empty.

At the command prompt, type the following commands to remove a user-defined cipher group, and verify the configuration:

rm ssl cipher <userDefCipherGroupName> [<cipherName> ...]
show ssl cipher <cipherGroupName>

Example:

rm ssl cipher test
Done

sh ssl cipher test
ERROR: No such resource [cipherGroupName, test]

Configure a user-defined cipher group by using the GUI

Navigate to Traffic Management > SSL > Cipher Groups, and configure a cipher group.

To bind a cipher group to an SSL virtual server, service, or service group by using the CLI:

At the command prompt, type one of the following. Remember that the group is appended to whatever is already bound, so unbind the existing ciphers first if the new group is meant to be the only one offered, and verify the result with show ssl vserver, show ssl service, or show ssl serviceGroup for the entity:

bind ssl vserver <vServerName> -cipherName <string>
bind ssl service <serviceName> -cipherName <string>
bind ssl serviceGroup <serviceGroupName> -cipherName <string>

Example:

bind ssl vserver ssl_vserver_test -cipherName test
Done

bind ssl service nshttps -cipherName test
Done

bind ssl servicegroup ssl_svc -cipherName test
Done

To bind a cipher group to an SSL virtual server, service, or service group by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, Services, or Service Groups, and open the virtual server, service, or service group.
  2. In Advanced Settings, select SSL Ciphers, and bind a cipher group to the virtual server, service, or service group.