Configuring SSL Ciphers to Securely Access the Management Service

Jan 04, 2016

You can select SSL cipher suites from a list of SSL ciphers supported by SDX appliances, and bind any combination of the SSL ciphers to access the Management Service securely through HTTPS. An SDX appliance provides 37 predefined cipher groups, which are combinations of similar ciphers, and you can create custom cipher groups from the list of supported SSL ciphers.

Limitations

  • Binding ciphers with key exchange = "DH" or "ECC-DHE" is not supported.
  • Binding ciphers with authentication = "DSS" is not supported.
  • Binding ciphers that are not part of the supported SSL ciphers list, or including these ciphers in a custom cipher group, is not supported.

Supported SSL Ciphers

The following table lists the supported SSL ciphers.

Citrix Cipher Name                  OpenSSL Cipher Name          Hex Code  Protocol  Key Exchange  Auth  MAC
----------------------------------  ---------------------------  --------  --------  ------------  ----  ------------
TLS1-AES-256-CBC-SHA                AES256-SHA                   0x0035    SSLv3     RSA           RSA   AES(256)
TLS1-AES-128-CBC-SHA                AES128-SHA                   0x002F    SSLv3     RSA           RSA   AES(128)
TLS1.2-AES-256-SHA256               AES256-SHA256                0x003D    TLSv1.2   RSA           RSA   AES(256)
TLS1.2-AES-128-SHA256               AES128-SHA256                0x003C    TLSv1.2   RSA           RSA   AES(128)
TLS1.2-AES256-GCM-SHA384            AES256-GCM-SHA384            0x009D    TLSv1.2   RSA           RSA   AES-GCM(256)
TLS1.2-AES128-GCM-SHA256            AES128-GCM-SHA256            0x009C    TLSv1.2   RSA           RSA   AES-GCM(128)
TLS1-ECDHE-RSA-AES256-SHA           ECDHE-RSA-AES256-SHA         0xC014    SSLv3     ECC-DHE       RSA   AES(256)
TLS1-ECDHE-RSA-AES128-SHA           ECDHE-RSA-AES128-SHA         0xC013    SSLv3     ECC-DHE       RSA   AES(128)
TLS1.2-ECDHE-RSA-AES-256-SHA384     ECDHE-RSA-AES256-SHA384      0xC028    TLSv1.2   ECC-DHE       RSA   AES(256)
TLS1.2-ECDHE-RSA-AES-128-SHA256     ECDHE-RSA-AES128-SHA256      0xC027    TLSv1.2   ECC-DHE       RSA   AES(128)
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384  ECDHE-RSA-AES256-GCM-SHA384  0xC030    TLSv1.2   ECC-DHE       RSA   AES-GCM(256)
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256  ECDHE-RSA-AES128-GCM-SHA256  0xC02F    TLSv1.2   ECC-DHE       RSA   AES-GCM(128)
TLS1.2-DHE-RSA-AES-256-SHA256       DHE-RSA-AES256-SHA256        0x006B    TLSv1.2   DH            RSA   AES(256)
TLS1.2-DHE-RSA-AES-128-SHA256       DHE-RSA-AES128-SHA256        0x0067    TLSv1.2   DH            RSA   AES(128)
TLS1.2-DHE-RSA-AES256-GCM-SHA384    DHE-RSA-AES256-GCM-SHA384    0x009F    TLSv1.2   DH            RSA   AES-GCM(256)
TLS1.2-DHE-RSA-AES128-GCM-SHA256    DHE-RSA-AES128-GCM-SHA256    0x009E    TLSv1.2   DH            RSA   AES-GCM(128)
TLS1-DHE-RSA-AES-256-CBC-SHA        DHE-RSA-AES256-SHA           0x0039    SSLv3     DH            RSA   AES(256)
TLS1-DHE-RSA-AES-128-CBC-SHA        DHE-RSA-AES128-SHA           0x0033    SSLv3     DH            RSA   AES(128)
TLS1-DHE-DSS-AES-256-CBC-SHA        DHE-DSS-AES256-SHA           0x0038    SSLv3     DH            DSS   AES(256)
TLS1-DHE-DSS-AES-128-CBC-SHA        DHE-DSS-AES128-SHA           0x0032    SSLv3     DH            DSS   AES(128)
TLS1-ECDHE-RSA-DES-CBC3-SHA         ECDHE-RSA-DES-CBC3-SHA       0xC012    SSLv3     ECC-DHE       RSA   3DES(168)
SSL3-EDH-RSA-DES-CBC3-SHA           EDH-RSA-DES-CBC3-SHA         0x0016    SSLv3     DH            RSA   3DES(168)
SSL3-EDH-DSS-DES-CBC3-SHA           EDH-DSS-DES-CBC3-SHA         0x0013    SSLv3     DH            DSS   3DES(168)
TLS1-ECDHE-RSA-RC4-SHA              ECDHE-RSA-RC4-SHA            0xC011    SSLv3     ECC-DHE       RSA   RC4(128)
SSL3-DES-CBC3-SHA                   DES-CBC3-SHA                 0x000A    SSLv3     RSA           RSA   3DES(168)
SSL3-RC4-SHA                        RC4-SHA                      0x0005    SSLv3     RSA           RSA   RC4(128)
SSL3-RC4-MD5                        RC4-MD5                      0x0004    SSLv3     RSA           RSA   RC4(128)
SSL3-DES-CBC-SHA                    DES-CBC-SHA                  0x0009    SSLv3     RSA           RSA   DES(56)
SSL3-EXP-RC4-MD5                    EXP-RC4-MD5                  0x0003    SSLv3     RSA(512)      RSA   RC4(40)
SSL3-EXP-DES-CBC-SHA                EXP-DES-CBC-SHA              0x0008    SSLv3     RSA(512)      RSA   DES(40)
SSL3-EXP-RC2-CBC-MD5                EXP-RC2-CBC-MD5              0x0006    SSLv3     RSA(512)      RSA   RC2(40)
SSL2-DES-CBC-MD5                    DHE-DSS-AES128-SHA256        0x0040    SSLv2     RSA           RSA   DES(56)
SSL3-EDH-DSS-DES-CBC-SHA            EDH-DSS-DES-CBC-SHA          0x0012    SSLv3     DH            DSS   DES(56)
SSL3-EXP-EDH-DSS-DES-CBC-SHA        EXP-EDH-DSS-DES-CBC-SHA      0x0011    SSLv3     DH(512)       DSS   DES(40)
SSL3-EDH-RSA-DES-CBC-SHA            EDH-RSA-DES-CBC-SHA          0x0015    SSLv3     DH            RSA   DES(56)
SSL3-EXP-EDH-RSA-DES-CBC-SHA        EXP-EDH-RSA-DES-CBC-SHA      0x0014    SSLv3     DH(512)       RSA   DES(40)
SSL3-ADH-RC4-MD5                    ADH-RC4-MD5                  0x0018    SSLv3     DH            None  RC4(128)
SSL3-ADH-DES-CBC3-SHA               ADH-DES-CBC3-SHA             0x001B    SSLv3     DH            None  3DES(168)
SSL3-ADH-DES-CBC-SHA                ADH-DES-CBC-SHA              0x001A    SSLv3     DH            None  DES(56)
TLS1-ADH-AES-128-CBC-SHA            ADH-AES128-SHA               0x0034    SSLv3     DH            None  AES(128)
TLS1-ADH-AES-256-CBC-SHA            ADH-AES256-SHA               0x003A    SSLv3     DH            None  AES(256)
SSL3-EXP-ADH-RC4-MD5                EXP-ADH-RC4-MD5              0x0017    SSLv3     DH(512)       None  RC4(40)
SSL3-EXP-ADH-DES-CBC-SHA            EXP-ADH-DES-CBC-SHA          0x0019    SSLv3     DH(512)       None  DES(40)
SSL3-NULL-MD5                       NULL-MD5                     0x0001    SSLv3     RSA           RSA   None
SSL3-NULL-SHA                       NULL-SHA                     0x0002    SSLv3     RSA           RSA   None

Predefined Cipher Groups

The following table lists the predefined cipher groups provided by the SDX appliance.

Cipher Group Name   Description
------------------  ---------------------------------------------------------
ALL                 All ciphers supported by NetScaler excluding NULL ciphers
DEFAULT             Default cipher list with encryption strength >= 128bit
kRSA                Ciphers with Key-ex algo as RSA
kEDH                Ciphers with Key-ex algo as Ephemeral-DH
DH                  Ciphers with Key-ex algo as DH
EDH                 Ciphers with Key-ex/Auth algo as DH
aRSA                Ciphers with Auth algo as RSA
aDSS                Ciphers with Auth algo as DSS
aNULL               Ciphers with Auth algo as NULL
DSS                 Ciphers with Auth algo as DSS
DES                 Ciphers with Enc algo as DES
3DES                Ciphers with Enc algo as 3DES
RC4                 Ciphers with Enc algo as RC4
RC2                 Ciphers with Enc algo as RC2
eNULL               Ciphers with Enc algo as NULL
MD5                 Ciphers with MAC algo as MD5
SHA1                Ciphers with MAC algo as SHA-1
SHA                 Ciphers with MAC algo as SHA
NULL                Ciphers with Enc algo as NULL
RSA                 Ciphers with Key-ex/Auth algo as RSA
ADH                 Ciphers with Key-ex algo as DH and Auth algo as NULL
SSLv2               SSLv2 protocol ciphers
SSLv3               SSLv3 protocol ciphers
TLSv1               SSLv3/TLSv1 protocol ciphers
TLSv1_ONLY          TLSv1 protocol ciphers
EXP                 Export ciphers
EXPORT              Export ciphers
EXPORT40            Export ciphers with 40bit encryption
EXPORT56            Export ciphers with 56bit encryption
LOW                 Low strength ciphers (56bit encryption)
MEDIUM              Medium strength ciphers (128bit encryption)
HIGH                High strength ciphers (168bit encryption)
AES                 AES Ciphers
FIPS                FIPS Approved Ciphers
ECDHE               Elliptic Curve Ephemeral DH Ciphers
AES-GCM             Ciphers with Enc algo as AES-GCM
SHA2                Ciphers with MAC algo as SHA-2

Viewing the Predefined Cipher Groups

To view the predefined cipher groups, on the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.

Creating Custom Cipher Groups

You can create custom cipher groups from the list of supported SSL ciphers. 

To create custom cipher groups:

  1. On the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.
  2. In the Cipher Groups pane, click Add.
  3. In the Create Cipher Group dialog box, perform the following:
    1. In the Group Name field, enter a name for the custom cipher group.
    2. In the Cipher Group Description field, enter a brief description of the custom cipher group.
    3. In the Cipher Suites section, click Add and select the ciphers to include from the list of supported SSL ciphers.
    4. Click Create.

Viewing Existing SSL Cipher Bindings

To view the existing cipher bindings, on the Configuration tab, in the navigation pane, expand System, and then click Change SSL Settings under System Settings.

Note

After you upgrade to the latest version of the Management Service, the list of existing cipher suites shows the OpenSSL names. Once you bind the ciphers from the upgraded Management Service, the display uses the Citrix naming convention.

Binding Ciphers to the HTTPS Service

To bind ciphers to the HTTPS service:

  1. On the Configuration tab, in the navigation pane, click System.
  2. In the System pane, under System Settings, click Change SSL Settings.
  3. In the Edit Settings pane, click Ciphers Suites.
  4. In the Ciphers Suites pane, do either of the following:
    • To choose cipher groups from the predefined cipher groups provided by the SDX appliance, select the Cipher Groups check box, select the cipher group from the Cipher Groups drop-down list, and then click OK.
    • To choose from the list of supported ciphers, select the Cipher Suites check box, click Add to select the ciphers, and then click OK.
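
The rules in the Limitations section can be checked against a proposed cipher list before it is bound. The following is an added example, not Citrix code: the rows are a subset copied from the Supported SSL Ciphers table, the function names are hypothetical, and treating DH(512) as DH key exchange is an assumption.

```python
# Added example, not Citrix code: pre-check a cipher list against the
# Limitations section. Rows are a subset copied from the Supported SSL
# Ciphers table: Citrix name|OpenSSL name|key exchange|auth.
SUPPORTED = """\
TLS1.2-AES256-GCM-SHA384|AES256-GCM-SHA384|RSA|RSA
TLS1.2-AES128-GCM-SHA256|AES128-GCM-SHA256|RSA|RSA
TLS1-AES-256-CBC-SHA|AES256-SHA|RSA|RSA
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384|ECC-DHE|RSA
TLS1.2-DHE-RSA-AES256-GCM-SHA384|DHE-RSA-AES256-GCM-SHA384|DH|RSA
TLS1-DHE-DSS-AES-256-CBC-SHA|DHE-DSS-AES256-SHA|DH|DSS
SSL3-EXP-EDH-RSA-DES-CBC-SHA|EXP-EDH-RSA-DES-CBC-SHA|DH(512)|RSA
"""

def load_table(text):
    """Index each row under both its Citrix and its OpenSSL name."""
    index = {}
    for line in text.splitlines():
        citrix, openssl, kx, auth = line.split("|")
        row = {"citrix": citrix, "kx": kx, "auth": auth}
        index[citrix.upper()] = index[openssl.upper()] = row
    return index

def check_binding(names, index):
    """Return (bindable Citrix names, {input name: reason rejected})."""
    bindable, rejected = [], {}
    for name in names:
        row = index.get(name.strip().upper())
        if row is None:
            rejected[name] = "not in the supported SSL ciphers list"
            continue
        reasons = []
        kx = row["kx"].split("(")[0]  # assumption: DH(512) counts as DH
        if kx in ("DH", "ECC-DHE"):
            reasons.append(f"key exchange {kx} is not supported for binding")
        if row["auth"] == "DSS":
            reasons.append("authentication DSS is not supported for binding")
        if reasons:
            rejected[name] = "; ".join(reasons)
        elif row["citrix"] not in bindable:
            bindable.append(row["citrix"])
    return bindable, rejected

if __name__ == "__main__":
    # Constructed request mixing both naming conventions.
    wanted = ["AES256-GCM-SHA384", "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
              "DHE-DSS-AES256-SHA", "EXAMPLE-UNLISTED-CIPHER"]
    ok, bad = check_binding(wanted, load_table(SUPPORTED))
    print("bind:", ok)
    for name, why in bad.items():
        print("skip:", name, "-", why)
```

With every row of the table loaded, the only ciphers that pass are those whose key exchange column reads RSA or RSA(512).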