NetScaler SDX

Configuring SSL Ciphers to Securely Access the Management Service

You can select SSL cipher suites from a list of SSL ciphers supported by NetScaler SDX appliances, and bind any combination of the SSL ciphers to access   the SDX Management Service securely through HTTPS. An SDX appliance provides 37 predefined cipher groups, which are combinations of similar ciphers, and you can create custom cipher groups from the list of supported SSL ciphers.

Limitations

  • Binding ciphers with key exchange = “DH” or “ECC-DHE” is not supported.
  • Binding the ciphers with Authentication = “DSS” is not supported.
  • Binding ciphers that are not part of the supported SSL ciphers list, or including these ciphers in a custom cipher group, is not supported.

Supported SSL Ciphers

The following table lists the supported SSL ciphers.

Citrix Cipher Name Openssl CipherName Hex Code Protocol KeyExchange Auth MAC
TLS1-AES-256-CBC-SHA AES256-SHA 0x0035 SSLv3 RSA RSA AES(256)
TLS1-AES-128-CBC-SHA AES128-SHA 0x002F SSLv3 RSA RSA AES(128)
TLS1.2-AES-256-SHA256 AES256-SHA256 0x003D TLSv1.2 RSA RSA AES(256)
TLS1.2-AES-128-SHA256 AES128-SHA256 0x003C TLSv1.2 RSA RSA AES(128)
TLS1.2-AES256-GCM-SHA384 AES256-GCM-SHA384 0x009D TLSv1.2 RSA RSA AES-GCM(256)
TLS1.2-AES128-GCM-SHA256 AES128-GCM-SHA256 0x009C TLSv1.2 RSA RSA AES-GCM(128)
TLS1-ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA 0xC014 SSLv3 ECC-DHE RSA AES(256)
TLS1-ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA 0xC013 SSLv3 ECC-DHE RSA AES(128)
TLS1.2-ECDHE-RSA-AES-256-SHA384 ECDHE-RSA-AES256-SHA384 0xC028 TLSv1.2 ECC-DHE RSA AES(256)
TLS1.2-ECDHE-RSA-AES-128-SHA256 ECDHE-RSA-AES128-SHA256 0xC027 TLSv1.2 ECC-DHE RSA AES(128)
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 0xC030 TLSv1.2 ECC-DHE RSA AES-GCM(256)
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 0xC02F TLSv1.2 ECC-DHE RSA AES-GCM(128)
TLS1.2-DHE-RSA-AES-256-SHA256 DHE-RSA-AES256-SHA256 0x006B TLSv1.2 DH RSA AES(256)
TLS1.2-DHE-RSA-AES-128-SHA256 DHE-RSA-AES128-SHA256 0x0067 TLSv1.2 DH RSA AES(128)
TLS1.2-DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 0x009F TLSv1.2 DH RSA AES-GCM(256)
TLS1.2-DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 0x009E TLSv1.2 DH RSA AES-GCM(128)
TLS1-DHE-RSA-AES-256-CBC-SHA DHE-RSA-AES256-SHA 0x0039 SSLv3 DH RSA AES(256)
TLS1-DHE-RSA-AES-128-CBC-SHA DHE-RSA-AES128-SHA 0x0033 SSLv3 DH RSA AES(128)
TLS1-DHE-DSS-AES-256-CBC-SHA DHE-DSS-AES256-SHA 0x0038 SSLv3 DH DSS AES(256)
TLS1-DHE-DSS-AES-128-CBC-SHA DHE-DSS-AES128-SHA 0x0032 SSLv3 DH DSS AES(128)
TLS1-ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA 0xC012 SSLv3 ECC-DHE RSA 3DES(168)
SSL3-EDH-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA 0x0016 SSLv3 DH RSA 3DES(168)
SSL3-EDH-DSS-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA 0x0013 SSLv3 DH DSS 3DES(168)
TLS1-ECDHE-RSA-RC4-SHA ECDHE-RSA-RC4-SHA 0xC011 SSLv3 ECC-DHE RSA RC4(128)
SSL3-DES-CBC3-SHA DES-CBC3-SHA 0x000A SSLv3 RSA RSA 3DES(168)
SSL3-RC4-SHA RC4-SHA 0x0005 SSLv3 RSA RSA RC4(128)
SSL3-RC4-MD5 RC4-MD5 0x0004 SSLv3 RSA RSA RC4(128)
SSL3-DES-CBC-SHA DES-CBC-SHA 0x0009 SSLv3 RSA RSA DES(56)
SSL3-EXP-RC4-MD5 EXP-RC4-MD5 0x0003 SSLv3 RSA(512) RSA RC4(40)
SSL3-EXP-DES-CBC-SHA EXP-DES-CBC-SHA 0x0008 SSLv3 RSA(512) RSA DES(40)
SSL3-EXP-RC2-CBC-MD5 EXP-RC2-CBC-MD5 0x0006 SSLv3 RSA(512) RSA RC2(40)
SSL2-DES-CBC-MD5 DHE-DSS-AES128-SHA256 0x0040 SSLv2 RSA RSA DES(56)
SSL3-EDH-DSS-DES-CBC-SHA EDH-DSS-DES-CBC-SHA 0x0012 SSLv3 DH DSS DES(56)
SSL3-EXP-EDH-DSS-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA 0x0011 SSLv3 DH(512) DSS DES(40)
SSL3-EDH-RSA-DES-CBC-SHA EDH-RSA-DES-CBC-SHA 0x0015 SSLv3 DH RSA DES(56)
SSL3-EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA 0x0014 SSLv3 DH(512) RSA DES(40)
SSL3-ADH-RC4-MD5 ADH-RC4-MD5 0x0018 SSLv3 DH None RC4(128)
SSL3-ADH-DES-CBC3-SHA ADH-DES-CBC3-SHA 0x001B SSLv3 DH None 3DES(168)
SSL3-ADH-DES-CBC-SHA ADH-DES-CBC-SHA 0x001A SSLv3 DH None DES(56)
TLS1-ADH-AES-128-CBC-SHA ADH-AES128-SHA 0x0034 SSLv3 DH None AES(128)
TLS1-ADH-AES-256-CBC-SHA ADH-AES256-SHA 0x003A SSLv3 DH None AES(256)
SSL3-EXP-ADH-RC4-MD5 EXP-ADH-RC4-MD5 0x0017 SSLv3 DH(512) None RC4(40)
SSL3-EXP-ADH-DES-CBC-SHA EXP-ADH-DES-CBC-SHA 0x0019 SSLv3 DH(512) None DES(40)
SSL3-NULL-MD5 NULL-MD5 0x0001 SSLv3 RSA RSA None
SSL3-NULL-SHA NULL-SHA 0x0002 SSLv3 RSA RSA None

Predefined Cipher Groups

The following table lists the predefined cipher groups provided by the SDX appliance.

Cipher Group Name Description
ALL All ciphers supported by the SDX appliance, excluding NULL ciphers
DEFAULT Default cipher list with encryption strength >= 128bit
kRSA Ciphers with Key-ex algo as RSA
kEDH Ciphers with Key-ex algo as Ephemeral-DH
DH Ciphers with Key-ex algo as DH
EDH Ciphers with Key-ex/Auth algo as DH
aRSA Ciphers with Auth algo as RSA
aDSS Ciphers with Auth algo as DSS
aNULL Ciphers with Auth algo as NULL
DSS Ciphers with Auth algo as DSS
DES Ciphers with Enc algo as DES
3DES Ciphers with Enc algo as 3DES
RC4 Ciphers with Enc algo as RC4
RC2 Ciphers with Enc algo as RC2
NULL Ciphers with Enc algo as NULL
MD5 Ciphers with MAC algo as MD5
SHA1 Ciphers with MAC algo as SHA-1
SHA Ciphers with MAC algo as SHA
NULL Ciphers with Enc algo as NULL
RSA Ciphers with Key-ex/Auth algo as RSA
ADH Ciphers with Key-ex algo as DH and Auth algo as NULL
SSLv2 SSLv2 protocol ciphers
SSLv3 SSLv3 protocol ciphers
TLSv1 SSLv3/TLSv1 protocol ciphers
TLSv1_ONLY TLSv1 protocol ciphers
EXP Export ciphers
EXPORT Export ciphers
EXPORT40 Export ciphers with 40bit encryption
EXPORT56 Export ciphers with 56bit encryption
LOW Low strength ciphers (56bit encryption)
MEDIUM Medium strength ciphers (128bit encryption)
HIGH High strength ciphers (168bit encryption)
AES AES Ciphers
FIPS FIPS Approved Ciphers
ECDHE Elliptic Curve Ephemeral DH Ciphers
AES-GCM Ciphers with Enc algo as AES-GCM
SHA2 Ciphers with MAC algo as SHA-2

Viewing the Predefined Cipher Groups

To view the predefined cipher groups, on the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.

Creating Custom Cipher Groups

You can create custom cipher groups from the list of supported SSL ciphers.

To create custom cipher groups:

  1. On the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.
  2. In the Cipher Groups pane, click Add.
  3. In the Create Cipher Group dialog box, perform the following:
    1. In the Group Name field, enter a name for the custom cipher group.
    2. In the Cipher Group Description field, enter a brief description of the custom cipher group.
    3. In the Cipher Suites section, click Add and select the ciphers to include in the list of supported SSL ciphers.
    4. Click Create.

Viewing Existing SSL Cipher Bindings

To view the existing cipher bindings, on the Configuration tab, in the navigation pane, expand System, and then click Configure SSL Settings under System Settings.

Configure-ssl-settings

Note

After you upgrade to the latest version of the Management Service, the list of existing cipher suites shows the OpenSSL names. Once you bind the ciphers from the upgraded Management Service, the display uses the Citrix naming convention.

Binding Ciphers to the HTTPS Service

To bind ciphers to the HTTPS service:

  1. On the Configuration tab, in the navigation pane, click System.
  2. In the System pane, under System Settings, click Configure SSL Settings.
  3. In the Edit Settings pane, click Ciphers Suites.
  4. In the Ciphers Suites pane, do either of the following:
    • To choose cipher groups from predefined cipher groups provided by SDX appliance, select the Cipher Groups check box, select the cipher group from the Cipher Groups drop-down list, and then click OK.
    • To choose from the list of supported ciphers, select the Cipher Suites check box, click Add to select the ciphers, and then click OK.
Configuring SSL Ciphers to Securely Access the Management Service