Tech Paper: Networking SSL / TLS Best Practices

Overview

This Tech Paper aims to convey what someone skilled in ADC would configure as a generic implementation to receive an A+ grade at Qualys SSL Labs.

Qualys SSL Labs performs a robust series of tests and provides a scorecard that you can use to improve your configuration. The scan is free and only takes about a minute to complete.

Qualys actively develops SSL Labs. Tests are likely to change as new protocols are created and vulnerabilities found. It is good practice to test sites regularly to make sure that any new vulnerabilities are not exposed.

Note: Talk to your security team about your deployment. Security experts say SSL Labs A+ is a good general target, but it may not fit the needs of your organization.

Configuration Items that Need to be Validated

  • Certificates - Is the full chain provided and trusted? Is the signature algorithm secure?
  • Protocols, Keys and Cipher Support - Which SSL and TLS protocol versions are supported? Which cipher suites are preferred and in what order? Do the provided cipher suites support forward secrecy?
  • TLS Handshake Simulation - Determines which protocol and cipher are negotiated by several different clients and browsers
  • Protocol Details - Is Secure Renegotiation supported? Is strict transport security (HSTS) supported?
  • Known Vulnerabilities - Is the server vulnerable to attacks such as POODLE, BEAST, or TLS downgrade?

Once SSL Labs completes testing, it presents a letter grade along with a point scale for each of 4 categories:

1 Certificate
2 Protocol Support
3 Key Exchange
4 Cipher Strength

Each of the categories receives a numerical score that SSL Labs then averages into a total. Some special cases and configurations that SSL Labs recommends against, such as having SSLv3 enabled, can limit your final grade. You can find complete documentation on how SSL Labs grades servers here.

Implementation Concerns

SSL Profiles

This article uses SSL Profiles. When first enabled, SSL Profiles sets all SSL virtual servers to use the default profile.

SSL profiles take precedence over global and per virtual server SSL parameters.

Client support

Some of the configuration steps in this article can cause connectivity issues with old clients and browsers. For example, Internet Explorer 11 on Windows 7 and 8.1 only supports older cipher suites and, other older browsers may lack support for TLS1.2 and ECC ciphers entirely. In cases where support is missing, the client can experience error messages and an inability to display the site.

SSL Labs have a “Test your browser” button on its front page to help determine your needs.

Citrix Receiver/Workspace app Cipher Support for Gateway deployments

Review the following articles regarding client cipher support when deploying a gateway virtual server for virtual apps and desktops:

Note: See the Firmware Notes section for required builds and other notes regarding specific ADC firmware

Basic Steps - GUI

Take the following steps to ensure a high score on the SSL Labs test.

  • Ensure that the ADC is running a recent firmware release - 13.0 build 71 or later is recommended to take advantage of TLS1.3 hardware acceleration

  • Ensure that the certificate chain is complete and trusted

    • Root CAs do not always directly sign certificates. Instead, a root CA often uses an intermediary to sign a certificate
    • Install the intermediate certificate on the ADC. Link it to the server certificate you bound to the virtual server
    • Intermediate certificates are provided by the vendor that provides the server certificate, often in a ‘certificate bundle’. They can usually be found on the vendor’s public site
    • You may need to install and link multiple intermediate certificates. For the server certificate to function, the ADC must send a complete chain. A complete chain ends with a certificate signed by one of the client’s trusted root CAs
    • As the client already has the trusted root CA, you don’t need to install and link it on the ADC
    • To install an intermediate certificate, go to: Traffic Management > SSL > Certificates > CA Certificates and choose Install (Note: earlier builds of Citrix ADC do not have the ‘CA Certificates’ option in the GUI)
    • Link an intermediate by selecting the certificate and choosing link from the action menu
    • If the correct intermediate certificate is installed, it is automatically populated in the linking menu

CA-Certificate-Install

Certificate-Link

Certificate-Linked

  • Create a custom cipher group that provides Forward Secrecy (FS)
    • Go to Traffic Management > SSL > Cipher Groups and choose Add
    • Name the cipher group “SSL_Labs_Cipher_Group_Q4_2021”
    • Click Add then expand the ALL section - select the following cipher suites:
      • TLS1.3-AES256-GCM-SHA384
      • TLS1.3-AES128-GCM-SHA256
      • TLS1.3-CHACHA20-POLY1305-SHA256
      • TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
      • TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
      • TLS1.2-ECDHE-ECDSA-AES256-SHA384
      • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    • Click the > right arrow to move the ciphers from the Available column to the Configured column
    • Click Create

Create-Group

  • Enable SSL Profiles

Navigate to Traffic Management > SSL > Change advanced SSL settings, scroll down, and select Enable Default Profile.

Enable_Default_Profile

SSL Profiles sets all SSL virtual servers to use the default profile when first enabled. As existing per virtual server SSL settings are removed, the ADC will prompt you to confirm.

Confirm_Default_Profile

  • Create an SSL Profile
    • Navigate to System > Profiles > SSL Profile, and select Add
      SSL_Profile
    • Name the profile “SSL_Labs_Profile_Q4_2021”
    • Scroll to Deny SSL Renegotiation and select NONSECURE to allow only clients that support RFC 5746 to renegotiate
    • Scroll to HSTS, tick HSTS, and specify a Max Age of 157680000 seconds
    • Scroll to Protocol and select only TLSv12 and TLSv13 SSL_Profile_Protocols
    • Scroll to the end of the form and select OK
    • Scroll to SSL Ciphers, select the pencil icon to edit, then click Remove All
    • Click Add and add the cipher group we created earlier SSL_Profile_Cipher_List
    • Scroll to the end of the form and select Done
  • Bind the SSL Profile to the SSL virtual server
    • On the selected virtual server, select the pencil icon to edit the bound SSL Profile
    • Select the SSL Profile we created from the drop-down list
    • Click OK

Basic Steps - CLI

Take the following steps to ensure a high score on the SSL Labs test.

In the CLI examples below, the name of the SSL virtual server is listed as Ex-vServer - it can be replaced with the name of the SSL virtual server in your environment.

  • Create a custom cipher group that prefers ECDHE and ECDSA cipher suites
add ssl cipher SSL_Labs_Cipher_Group_Q4_2021

bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-AES256-GCM-SHA384

bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-AES128-GCM-SHA256

bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-CHACHA20-POLY1305-SHA256

bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384

bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256

bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384

bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
<!--NeedCopy-->
  • Enable SSL Profiles
set ssl parameter -defaultProfile ENABLED
<!--NeedCopy-->
  • Create an SSL Profile
add ssl profile SSL_Labs_Profile_Q4_2021 -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 ENABLED -denySSLReneg NONSECURE
<!--NeedCopy-->
  • Unbind the default cipher group from the SSL Profile and bind the custom group
unbind ssl profile SSL_Labs_Profile_Q4_2021 -cipherName DEFAULT

bind ssl profile SSL_Labs_Profile_Q4_2021 -cipherName SSL_Labs_Cipher_Group_Q4_2021
<!--NeedCopy-->
  • Bind the SSL Profile to the SSL virtual server
set ssl vserver "Ex-vServer" -sslProfile SSL_Labs_Profile_Q4_2021
<!--NeedCopy-->

More Settings

SHA1 Certificates

Certificates that are signed with SHA1 are considered weak, and prevents a high grade in the SSL Labs test. If any certificates are SHA1 signed, they should be replaced with an SHA256 certificate and installed on the ADC.

DNS CAA

DNS Certification Authority Authorization (CAA) allows CAs to validate if they are authorized to issue certificates for a domain and provide a contact if something goes wrong.

DNS CAA is not required for an A+ at SSL Labs and is an optional step. You can find out more about DNS CAA here.

Legacy client support

The ECDHE ciphers we use in this guide replace the older slower DHE ciphers. If you have legacy clients that you cannot upgrade, you may have no choice but to enable DHE.

You can enable DHE cipher suites with the following steps:

  • Create and bind a DH key to the SSL Profile
create ssl dhparam DH_Key_Name_Here.key 2048 -gen 2

set ssl profile SSL_Labs_Profile_Q4_2021 -dh ENABLED -dhFile DH_Key_Name_Here.key
<!--NeedCopy-->
  • Bind a DHE cipher suite to the cipher group that we created earlier
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
<!--NeedCopy-->

Firmware Notes

  • Citrix enabled TLS1.2 as a default in firmware version 10.5 build 57

  • The ROBOT vulnerability was addressed in builds 12.0 build 53, 11.1 build 56, 11.0 build 71 and 10.5 build 67 - more details are available here

  • The HSTS (Strict Transport Security) flag became available in 12.0 build 35 - prior builds required a rewrite policy to insert the HSTS header. You cannot use both as the ADC to insert 2 headers which is not allowed.

  • Support for TLS1.2 was added to the VPX appliances in 10.5 build 57. It was available in earlier builds for appliances with dedicated SSL hardware

  • Support for TLS1.3 was added in 12.1 build 49.23 - it must be enabled in the vServer\SSLProfile, and TLS1.3 ciphers (listed) must be bound

  • ECC certificate support was added to the VPX appliances in 12.0 build 57. It was available in earlier builds for appliances with dedicated SSL hardware

  • The Zombie POODLE vulnerability was addressed in builds 12.1 build 50.31, 12.0 build 60.9, 11.1 build 60.14, 11.0 build 72.17, and 10.5 build 69.5. This vulnerability only affects MPX\SDX appliances with Nitrox SSL hardware. MPX\SDX appliances with Coleto Creek are not vulnerable. Disabling CBC-based cipher suites also mitigates this vulnerability. See CTX article for more information

  • The cipher list has been modified to address CBC weaknesses, thus removing 0xc028 and 0x39 ciphers

  • Citrix added TLS1.3 hardware acceleration in 13.0 build 71

Tech Paper: Networking SSL / TLS Best Practices