ECDHE ciphers

All NetScaler appliances support the ECDHE cipher group on the front end and the back end. On an SDX appliance, if an SSL chip is assigned to a VPX instance, the cipher support of an MPX appliance applies. Otherwise, the normal cipher support of a VPX instance applies.

For more information about the builds and platforms that support these ciphers, see Ciphers available on the NetScaler appliances.

ECDHE cipher suites use elliptical curve cryptography (ECC). Because of its smaller key size, ECC is especially useful in a mobile (wireless) environment or an interactive voice response environment, where every millisecond is important. Smaller key sizes save power, memory, bandwidth, and computational cost.

A NetScaler appliance supports the following ECC curves:

  • P_256
  • P_384
  • P_224
  • P_521

Note: If you upgrade from a build earlier than release 10.1 build 121.10, you must explicitly bind ECC curves to your existing SSL virtual servers or front end services. The curves are bound by default to any virtual servers or front end services that you create after the upgrade.

You can bind an ECC curve to SSL front-end entities only. By default all four curves are bound, in the following order: P_256, P_384,P_224,P_521. To change the order, you must first unbind all the curves, and then bind them in the desired order.

Unbind and bind ECC curves to an SSL virtual server by using the CLI

At the command prompt, type:

unbind ssl vserver \<vServerName\> -eccCurveName ALL  

bind ssl vserver \<vServerName\> -eccCurveName \<eccCurveName\>

Example:

unbind ssl vs v1 –eccCurvename ALL

bind ssl vserver  v1 -eccCurveName P_224

sh ssl vserver v1

Advanced SSL configuration for VServer v1:

DH: DISABLED

Ephemeral RSA: ENABLED Refresh Count: 0

Session Reuse: ENABLED Timeout: 120 seconds

Cipher Redirect: DISABLED

SSLv2 Redirect: DISABLED

ClearText Port: 0

Client Auth: DISABLED

SSL Redirect: DISABLED

Non FIPS Ciphers: DISABLED

SNI: DISABLED

SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED

Push Encryption Trigger: Always

Send Close-Notify: YES

ECC Curve: P_224


1) Cipher Name: DEFAULT

Description: Predefined Cipher Alias

Done

ECDHE ciphers