Configuring SSL Ciphers to Securely Access the Management Service

You can select SSL cipher suites from a list of SSL ciphers supported by Citrix ADC SDX appliances, and bind any combination of the SSL ciphers to access the SDX Management Service securely through HTTPS. An SDX appliance provides 37 predefined cipher groups, which are combinations of similar ciphers, and you can create custom cipher groups from the list of supported SSL ciphers.

Limitations

  • Binding ciphers with key exchange = “DH” or “ECC-DHE” is not supported.
  • Binding the ciphers with Authentication = “DSS” is not supported.
  • Binding ciphers that are not part of the supported SSL ciphers list, or including these ciphers in a custom cipher group, is not supported.

Supported SSL Ciphers

The following table lists the supported SSL ciphers.

| Citrix Cipher Name | OpenSSL Cipher Name | Hex Code | Protocol | Key Exchange | Auth | MAC |
|---|---|---|---|---|---|---|
| TLS1-AES-256-CBC-SHA | AES256-SHA | 0x0035 | SSLv3 | RSA | RSA | AES(256) |
| TLS1-AES-128-CBC-SHA | AES128-SHA | 0x002F | SSLv3 | RSA | RSA | AES(128) |
| TLS1.2-AES-256-SHA256 | AES256-SHA256 | 0x003D | TLSv1.2 | RSA | RSA | AES(256) |
| TLS1.2-AES-128-SHA256 | AES128-SHA256 | 0x003C | TLSv1.2 | RSA | RSA | AES(128) |
| TLS1.2-AES256-GCM-SHA384 | AES256-GCM-SHA384 | 0x009D | TLSv1.2 | RSA | RSA | AES-GCM(256) |
| TLS1.2-AES128-GCM-SHA256 | AES128-GCM-SHA256 | 0x009C | TLSv1.2 | RSA | RSA | AES-GCM(128) |
| TLS1-ECDHE-RSA-AES256-SHA | ECDHE-RSA-AES256-SHA | 0xC014 | SSLv3 | ECC-DHE | RSA | AES(256) |
| TLS1-ECDHE-RSA-AES128-SHA | ECDHE-RSA-AES128-SHA | 0xC013 | SSLv3 | ECC-DHE | RSA | AES(128) |
| TLS1.2-ECDHE-RSA-AES-256-SHA384 | ECDHE-RSA-AES256-SHA384 | 0xC028 | TLSv1.2 | ECC-DHE | RSA | AES(256) |
| TLS1.2-ECDHE-RSA-AES-128-SHA256 | ECDHE-RSA-AES128-SHA256 | 0xC027 | TLSv1.2 | ECC-DHE | RSA | AES(128) |
| TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 | ECDHE-RSA-AES256-GCM-SHA384 | 0xC030 | TLSv1.2 | ECC-DHE | RSA | AES-GCM(256) |
| TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 | ECDHE-RSA-AES128-GCM-SHA256 | 0xC02F | TLSv1.2 | ECC-DHE | RSA | AES-GCM(128) |
| TLS1.2-DHE-RSA-AES-256-SHA256 | DHE-RSA-AES256-SHA256 | 0x006B | TLSv1.2 | DH | RSA | AES(256) |
| TLS1.2-DHE-RSA-AES-128-SHA256 | DHE-RSA-AES128-SHA256 | 0x0067 | TLSv1.2 | DH | RSA | AES(128) |
| TLS1.2-DHE-RSA-AES256-GCM-SHA384 | DHE-RSA-AES256-GCM-SHA384 | 0x009F | TLSv1.2 | DH | RSA | AES-GCM(256) |
| TLS1.2-DHE-RSA-AES128-GCM-SHA256 | DHE-RSA-AES128-GCM-SHA256 | 0x009E | TLSv1.2 | DH | RSA | AES-GCM(128) |
| TLS1-DHE-RSA-AES-256-CBC-SHA | DHE-RSA-AES256-SHA | 0x0039 | SSLv3 | DH | RSA | AES(256) |
| TLS1-DHE-RSA-AES-128-CBC-SHA | DHE-RSA-AES128-SHA | 0x0033 | SSLv3 | DH | RSA | AES(128) |
| TLS1-DHE-DSS-AES-256-CBC-SHA | DHE-DSS-AES256-SHA | 0x0038 | SSLv3 | DH | DSS | AES(256) |
| TLS1-DHE-DSS-AES-128-CBC-SHA | DHE-DSS-AES128-SHA | 0x0032 | SSLv3 | DH | DSS | AES(128) |
| TLS1-ECDHE-RSA-DES-CBC3-SHA | ECDHE-RSA-DES-CBC3-SHA | 0xC012 | SSLv3 | ECC-DHE | RSA | 3DES(168) |
| SSL3-EDH-RSA-DES-CBC3-SHA | EDH-RSA-DES-CBC3-SHA | 0x0016 | SSLv3 | DH | RSA | 3DES(168) |
| SSL3-EDH-DSS-DES-CBC3-SHA | EDH-DSS-DES-CBC3-SHA | 0x0013 | SSLv3 | DH | DSS | 3DES(168) |
| TLS1-ECDHE-RSA-RC4-SHA | ECDHE-RSA-RC4-SHA | 0xC011 | SSLv3 | ECC-DHE | RSA | RC4(128) |
| SSL3-DES-CBC3-SHA | DES-CBC3-SHA | 0x000A | SSLv3 | RSA | RSA | 3DES(168) |
| SSL3-RC4-SHA | RC4-SHA | 0x0005 | SSLv3 | RSA | RSA | RC4(128) |
| SSL3-RC4-MD5 | RC4-MD5 | 0x0004 | SSLv3 | RSA | RSA | RC4(128) |
| SSL3-DES-CBC-SHA | DES-CBC-SHA | 0x0009 | SSLv3 | RSA | RSA | DES(56) |
| SSL3-EXP-RC4-MD5 | EXP-RC4-MD5 | 0x0003 | SSLv3 | RSA(512) | RSA | RC4(40) |
| SSL3-EXP-DES-CBC-SHA | EXP-DES-CBC-SHA | 0x0008 | SSLv3 | RSA(512) | RSA | DES(40) |
| SSL3-EXP-RC2-CBC-MD5 | EXP-RC2-CBC-MD5 | 0x0006 | SSLv3 | RSA(512) | RSA | RC2(40) |
| SSL2-DES-CBC-MD5 | DHE-DSS-AES128-SHA256 | 0x0040 | SSLv2 | RSA | RSA | DES(56) |
| SSL3-EDH-DSS-DES-CBC-SHA | EDH-DSS-DES-CBC-SHA | 0x0012 | SSLv3 | DH | DSS | DES(56) |
| SSL3-EXP-EDH-DSS-DES-CBC-SHA | EXP-EDH-DSS-DES-CBC-SHA | 0x0011 | SSLv3 | DH(512) | DSS | DES(40) |
| SSL3-EDH-RSA-DES-CBC-SHA | EDH-RSA-DES-CBC-SHA | 0x0015 | SSLv3 | DH | RSA | DES(56) |
| SSL3-EXP-EDH-RSA-DES-CBC-SHA | EXP-EDH-RSA-DES-CBC-SHA | 0x0014 | SSLv3 | DH(512) | RSA | DES(40) |
| SSL3-ADH-RC4-MD5 | ADH-RC4-MD5 | 0x0018 | SSLv3 | DH | None | RC4(128) |
| SSL3-ADH-DES-CBC3-SHA | ADH-DES-CBC3-SHA | 0x001B | SSLv3 | DH | None | 3DES(168) |
| SSL3-ADH-DES-CBC-SHA | ADH-DES-CBC-SHA | 0x001A | SSLv3 | DH | None | DES(56) |
| TLS1-ADH-AES-128-CBC-SHA | ADH-AES128-SHA | 0x0034 | SSLv3 | DH | None | AES(128) |
| TLS1-ADH-AES-256-CBC-SHA | ADH-AES256-SHA | 0x003A | SSLv3 | DH | None | AES(256) |
| SSL3-EXP-ADH-RC4-MD5 | EXP-ADH-RC4-MD5 | 0x0017 | SSLv3 | DH(512) | None | RC4(40) |
| SSL3-EXP-ADH-DES-CBC-SHA | EXP-ADH-DES-CBC-SHA | 0x0019 | SSLv3 | DH(512) | None | DES(40) |
| SSL3-NULL-MD5 | NULL-MD5 | 0x0001 | SSLv3 | RSA | RSA | None |
| SSL3-NULL-SHA | NULL-SHA | 0x0002 | SSLv3 | RSA | RSA | None |
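
The three limitations listed earlier can be checked mechanically against this table before a custom cipher group is created. The following is an added example, not Citrix code: it parses an excerpt of rows copied from the table and reports why each name in a proposed group cannot be bound. The function names, the `EXAMPLE-NOT-IN-TABLE` placeholder and the treatment of `DH(512)` as key exchange `DH` are assumptions.

```python
# Added example (not Citrix code): apply the page's three Limitations to a
# proposed custom cipher group. ROWS is an excerpt copied from the table above.
ROWS = """\
TLS1.2-AES256-GCM-SHA384|AES256-GCM-SHA384|0x009D|TLSv1.2|RSA|RSA|AES-GCM(256)
TLS1.2-AES128-GCM-SHA256|AES128-GCM-SHA256|0x009C|TLSv1.2|RSA|RSA|AES-GCM(128)
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384|0xC030|TLSv1.2|ECC-DHE|RSA|AES-GCM(256)
TLS1.2-DHE-RSA-AES256-GCM-SHA384|DHE-RSA-AES256-GCM-SHA384|0x009F|TLSv1.2|DH|RSA|AES-GCM(256)
TLS1-DHE-DSS-AES-256-CBC-SHA|DHE-DSS-AES256-SHA|0x0038|SSLv3|DH|DSS|AES(256)
SSL3-EXP-EDH-RSA-DES-CBC-SHA|EXP-EDH-RSA-DES-CBC-SHA|0x0014|SSLv3|DH(512)|RSA|DES(40)
SSL3-RC4-SHA|RC4-SHA|0x0005|SSLv3|RSA|RSA|RC4(128)
"""
# Column names follow the table header; "kx" is the Key Exchange column.
FIELDS = ("citrix", "openssl", "hex", "protocol", "kx", "auth", "mac")


def load_table(text):
    """Index table rows by Citrix cipher name."""
    table = {}
    for line in text.strip().splitlines():
        row = dict(zip(FIELDS, (cell.strip() for cell in line.split("|"))))
        table[row["citrix"]] = row
    return table


def check_group(names, table):
    """Return {name: [reasons it cannot be bound]}; an empty list means bindable."""
    report = {}
    for name in names:
        row, reasons = table.get(name), []
        if row is None:
            reasons.append("not in supported SSL ciphers list")
        else:
            # Assumption: "DH(512)" counts as key exchange "DH" (size suffix dropped).
            if row["kx"].split("(")[0] in ("DH", "ECC-DHE"):
                reasons.append("key exchange " + row["kx"])
            if row["auth"] == "DSS":
                reasons.append("authentication DSS")
        report[name] = reasons
    return report


if __name__ == "__main__":
    # Constructed proposal; EXAMPLE-NOT-IN-TABLE is a placeholder, not a real cipher.
    proposed = ["TLS1.2-AES256-GCM-SHA384", "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
                "TLS1-DHE-DSS-AES-256-CBC-SHA", "EXAMPLE-NOT-IN-TABLE"]
    for name, reasons in check_group(proposed, load_table(ROWS)).items():
        print(f"{name}: {'OK' if not reasons else 'rejected: ' + ', '.join(reasons)}")
```

`SSL3-RC4-SHA` also passes these checks, so an empty reason list means only that the cipher can be bound, not that it is a strong choice.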

Predefined Cipher Groups

The following table lists the predefined cipher groups provided by the SDX appliance.

| Cipher Group Name | Description |
|---|---|
| ALL | All ciphers supported by the SDX appliance, excluding NULL ciphers |
| DEFAULT | Default cipher list with encryption strength >= 128bit |
| kRSA | Ciphers with Key-ex algo as RSA |
| kEDH | Ciphers with Key-ex algo as Ephemeral-DH |
| DH | Ciphers with Key-ex algo as DH |
| EDH | Ciphers with Key-ex/Auth algo as DH |
| aRSA | Ciphers with Auth algo as RSA |
| aDSS | Ciphers with Auth algo as DSS |
| aNULL | Ciphers with Auth algo as NULL |
| DSS | Ciphers with Auth algo as DSS |
| DES | Ciphers with Enc algo as DES |
| 3DES | Ciphers with Enc algo as 3DES |
| RC4 | Ciphers with Enc algo as RC4 |
| RC2 | Ciphers with Enc algo as RC2 |
| NULL | Ciphers with Enc algo as NULL |
| MD5 | Ciphers with MAC algo as MD5 |
| SHA1 | Ciphers with MAC algo as SHA-1 |
| SHA | Ciphers with MAC algo as SHA |
| NULL | Ciphers with Enc algo as NULL |
| RSA | Ciphers with Key-ex/Auth algo as RSA |
| ADH | Ciphers with Key-ex algo as DH and Auth algo as NULL |
| SSLv2 | SSLv2 protocol ciphers |
| SSLv3 | SSLv3 protocol ciphers |
| TLSv1 | SSLv3/TLSv1 protocol ciphers |
| TLSv1_ONLY | TLSv1 protocol ciphers |
| EXP | Export ciphers |
| EXPORT | Export ciphers |
| EXPORT40 | Export ciphers with 40bit encryption |
| EXPORT56 | Export ciphers with 56bit encryption |
| LOW | Low strength ciphers (56bit encryption) |
| MEDIUM | Medium strength ciphers (128bit encryption) |
| HIGH | High strength ciphers (168bit encryption) |
| AES | AES Ciphers |
| FIPS | FIPS Approved Ciphers |
| ECDHE | Elliptic Curve Ephemeral DH Ciphers |
| AES-GCM | Ciphers with Enc algo as AES-GCM |
| SHA2 | Ciphers with MAC algo as SHA-2 |

Viewing the Predefined Cipher Groups

To view the predefined cipher groups, on the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.

Creating Custom Cipher Groups

You can create custom cipher groups from the list of supported SSL ciphers.

To create custom cipher groups:

  1. On the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.
  2. In the Cipher Groups pane, click Add.
  3. In the Create Cipher Group dialog box, perform the following:
    1. In the Group Name field, enter a name for the custom cipher group.
    2. In the Cipher Group Description field, enter a brief description of the custom cipher group.
    3. In the Cipher Suites section, click Add and select the ciphers to include from the list of supported SSL ciphers.
    4. Click Create.

Viewing Existing SSL Cipher Bindings

To view the existing cipher bindings, on the Configuration tab, in the navigation pane, expand System, and then click Change SSL Settings under System Settings.

Note

After you upgrade to the latest version of the Management Service, the list of existing cipher suites shows the OpenSSL names. Once you bind the ciphers from the upgraded Management Service, the display uses the Citrix naming convention.

Binding Ciphers to the HTTPS Service

To bind ciphers to the HTTPS service:

  1. On the Configuration tab, in the navigation pane, click System.
  2. In the System pane, under System Settings, click Change SSL Settings.
  3. In the Edit Settings pane, click Ciphers Suites.
  4. In the Ciphers Suites pane, do either of the following:
    • To choose cipher groups from predefined cipher groups provided by SDX appliance, select the Cipher Groups check box, select the cipher group from the Cipher Groups drop-down list, and then click OK.
    • To choose from the list of supported ciphers, select the Cipher Suites check box, click Add to select the ciphers, and then click OK.