Jump to content
Welcome to our new Citrix community!
  • Tech Paper: Networking SSL / TLS Best Practices


    Steven Wright
    • Validation Status: Validated
      Summary: This Tech Paper aims to convey what someone skilled in ADC would configure as a generic implementation to receive an A+ grade at Qualys SSL Labs.
      Assigned To: Steven Wright
      Has Video?: No

    Tech Paper: Networking SSL / TLS Best Practices

    February 21, 2023

    Author:  Steven Wright

     

    Overview

    This Tech Paper aims to convey what someone skilled in ADC would configure as a generic implementation to receive an A+ grade at Qualys SSL Labs.

    Qualys SSL Labs performs a robust series of tests and provides a scorecard that you can use to improve your configuration. The scan is free and only takes about a minute to complete.

    Qualys actively develops SSL Labs. Tests are likely to change as new protocols are created and vulnerabilities found. It is good practice to test sites regularly to make sure that any new vulnerabilities are not exposed.

     

    NOTE:
    Talk to your security team about your deployment. Security experts say SSL Labs A+ is a good general target, but it may not fit the needs of your organization.

    Configuration Items that Need to be Validated

    • Certificates - Is the full chain provided and trusted? Is the signature algorithm secure?
    • Protocols, Keys and Cipher Support - Which SSL and TLS protocol versions are supported? Which cipher suites are preferred and in what order? Do the provided cipher suites support forward secrecy?
    • TLS Handshake Simulation - Determines which protocol and cipher are negotiated by several different clients and browsers
    • Protocol Details - Is Secure Renegotiation supported? Is strict transport security (HSTS) supported?
    • Known Vulnerabilities - Is the server vulnerable to attacks such as POODLE, BEAST, or TLS downgrade?

    Once SSL Labs completes testing, it presents a letter grade along with a point scale for each of 4 categories:

    1 Certificate

    2 Protocol Support

    3 Key Exchange

    4 Cipher Strength

    Each of the categories receives a numerical score that SSL Labs then averages into a total. Some special cases and configurations that SSL Labs recommends against, such as having SSLv3 enabled, can limit your final grade. You can find complete documentation on how SSL Labs grades servers here.

    Implementation Concerns

    SSL Profiles

    This article uses SSL Profiles. When first enabled, SSL Profiles sets all SSL virtual servers to use the default profile.

    SSL profiles take precedence over global and per virtual server SSL parameters.

    Client support

    Some of the configuration steps in this article can cause connectivity issues with old clients and browsers. For example, Internet Explorer 11 on Windows 7 and 8.1 only supports older cipher suites and, other older browsers may lack support for TLS1.2 and ECC ciphers entirely. In cases where support is missing, the client can experience error messages and an inability to display the site.

    SSL Labs have a “Test your browser” button on its front page to help determine your needs.

    Citrix Receiver/Workspace app Cipher Support for Gateway deployments

    Review the following articles regarding client cipher support when deploying a gateway virtual server for virtual apps and desktops:

    Note: See the Firmware Notes section for required builds and other notes regarding specific ADC firmware

    Basic Steps - GUI

    Take the following steps to ensure a high score on the SSL Labs test.

    • Ensure that the ADC is running a recent firmware release - 13.0 build 71 or later is recommended to take advantage of TLS1.3 hardware acceleration

    • Ensure that the certificate chain is complete and trusted

      • Root CAs do not always directly sign certificates. Instead, a root CA often uses an intermediary to sign a certificate
      • Install the intermediate certificate on the ADC. Link it to the server certificate you bound to the virtual server
      • Intermediate certificates are provided by the vendor that provides the server certificate, often in a ‘certificate bundle’. They can usually be found on the vendor’s public site
      • You may need to install and link multiple intermediate certificates. For the server certificate to function, the ADC must send a complete chain. A complete chain ends with a certificate signed by one of the client’s trusted root CAs
      • As the client already has the trusted root CA, you don’t need to install and link it on the ADC
      • To install an intermediate certificate, go to: Traffic Management > SSL > Certificates > CA Certificates and choose Install (Note: earlier builds of Citrix ADC do not have the ‘CA Certificates’ option in the GUI)
      • Link an intermediate by selecting the certificate and choosing link from the action menu
      • If the correct intermediate certificate is installed, it is automatically populated in the linking menu

    tech-papers_networking-tls-best-practices_ca-cert.png.cb7c9b628eb764885233531a7971f8b1.png

    tech-papers_networking-tls-best-practices_cert-link.png.45fbc223420fdaf8b5dad02e13da2b78.png

    tech-papers_networking-tls-best-practices_cert-link-2.png.e47f6e993c7ffc89516b7f09b377319d.png

    • Create a custom cipher group that provides Forward Secrecy (FS)
      • Go to Traffic Management > SSL > Cipher Groups and choose Add
      • Name the cipher group “SSL_Labs_Cipher_Group_Q4_2021”
      • Click Add then expand the ALL section - select the following cipher suites:
        • TLS1.3-AES256-GCM-SHA384
        • TLS1.3-AES128-GCM-SHA256
        • TLS1.3-CHACHA20-POLY1305-SHA256
        • TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
        • TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
        • TLS1.2-ECDHE-ECDSA-AES256-SHA384
        • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
      • Click the > right arrow to move the ciphers from the Available column to the Configured column
      • Click Create

    tech-papers_networking-tls-best-practices_cipher-group1.png.9781fcbbfa0e8a4f3ad06d4963cdc0cd.png

    • Enable SSL Profiles

    Navigate to Traffic Management > SSL > Change advanced SSL settings, scroll down, and select Enable Default Profile.

    tech-papers_networking-tls-best-practices_default-profile-select.png.6f9ef4a4cd9c304ecbb370ee53ffe932.png

    SSL Profiles sets all SSL virtual servers to use the default profile when first enabled. As existing per virtual server SSL settings are removed, the ADC will prompt you to confirm.

    tech-papers_networking-tls-best-practices_default-confirm.png.8bddcada57ba3444e04e113e8b157893.png

    • Create an SSL Profile
      • Navigate to System > Profiles > SSL Profile, and select Add

        tech-papers_networking-tls-best-practices_ssl_profile.png.990c19fa4ef55b0b134002016e269223.png

      • Name the profile “SSL_Labs_Profile_Q4_2021”
      • Scroll to Deny SSL Renegotiation and select NONSECURE to allow only clients that support RFC 5746 to renegotiate
      • Scroll to HSTS, tick HSTS, and specify a Max Age of 157680000 seconds
      • Scroll to Protocol and select only TLSv12 and TLSv13 tech-papers_networking-tls-best-practices_tls12-13.png.0240ae58a049437f8066bceb03de413c.png
      • Scroll to the end of the form and select OK
      • Scroll to SSL Ciphers, select the pencil icon to edit, then click Remove All
      • Click Add and add the cipher group we created earlier tech-papers_networking-tls-best-practices_ssl_profile-cipher-list.png.2822a53f8f75928869b317725fac7be6.png
      • Scroll to the end of the form and select Done
    • Bind the SSL Profile to the SSL virtual server
      • On the selected virtual server, select the pencil icon to edit the bound SSL Profile
      • Select the SSL Profile we created from the drop-down list
      • Click OK

    Basic Steps - CLI

    Take the following steps to ensure a high score on the SSL Labs test.

    In the CLI examples below, the name of the SSL virtual server is listed as Ex-vServer - it can be replaced with the name of the SSL virtual server in your environment.

    • Create a custom cipher group that prefers ECDHE and ECDSA cipher suites
    add ssl cipher SSL_Labs_Cipher_Group_Q4_2021bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-AES256-GCM-SHA384bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-AES128-GCM-SHA256bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-CHACHA20-POLY1305-SHA256bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
     
    • Enable SSL Profiles
    set ssl parameter -defaultProfile ENABLED
     
    • Create an SSL Profile
    add ssl profile SSL_Labs_Profile_Q4_2021 -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 ENABLED -denySSLReneg NONSECURE -HSTS ENABLE -maxage 157680000
     
    • Unbind the default cipher group from the SSL Profile and bind the custom group
    unbind ssl profile SSL_Labs_Profile_Q4_2021 -cipherName DEFAULTbind ssl profile SSL_Labs_Profile_Q4_2021 -cipherName SSL_Labs_Cipher_Group_Q4_2021
     
    • Bind the SSL Profile to the SSL virtual server
    set ssl vserver "Ex-vServer" -sslProfile SSL_Labs_Profile_Q4_2021
     

     

    More Settings

    SHA1 Certificates

    Certificates that are signed with SHA1 are considered weak, and prevents a high grade in the SSL Labs test. If any certificates are SHA1 signed, they should be replaced with an SHA256 certificate and installed on the ADC.

    DNS CAA

    DNS Certification Authority Authorization (CAA) allows CAs to validate if they are authorized to issue certificates for a domain and provide a contact if something goes wrong.

    DNS CAA is not required for an A+ at SSL Labs and is an optional step. You can find out more about DNS CAA here.

    Legacy client support

    The ECDHE ciphers we use in this guide replace the older slower DHE ciphers. If you have legacy clients that you cannot upgrade, you may have no choice but to enable DHE.

    Enable DHE cipher suites in the GUI

    • Go to Traffic Management > SSL and select Create Diffie-Hellman (DH) key

    tech-papers_networking-tls-best-practices_create-dh-key.png.8642470298399267364e620136e785b7.png

    • Name the Diffie-Hellman key “DH_Key_Name_Here.key”

    • Enter the parameter size (Bits). Must be between 512 and 2048

    • Choose the Diffie-Hellman generator (2 or 5)

    • Select Create Depending on the key size selected, this could take quite some time to complete

     

    NOTE:
    Do not navigate past this screen until it completes

    tech-papers_networking-tls-best-practices_config-dh-param.png.c9b4e37408dd9589a6c8fc07097a6487.png

    • Navigate to System > Profiles > SSL Profile

    • Select the SSL_Labs_Profile_Q4_2021 profile and choose Edit

    • Select the pencil icon

    • Scroll down to the Enable DH Param check box and select it

    • Choose the DH key you just created

    tech-papers_networking-tls-best-practices_ssl_enable-dh-param-and-key.png.3f8e77527d52e48d24c6925d1578bd41.png

    • Scroll down and select Okay

    • Bind a DHE cipher suite to the cipher group that we created earlier

    • Navigate to Traffic Management > SSL > Cipher Groups

    • Select the TLS1.2-DHE-RSA-AES256-GCM-SHA384 cipher

    tech-papers_networking-tls-best-practices_config-cipher-group-select.png.18ad5085aa2d76860cf6c8cdc7d383a7.png

    • Click the arrow to add it to the Cipher Group

    tech-papers_networking-tls-best-practices_config-cipher-group-configured.png.1d7149d99f650b2b15fd7d6ab1902ee6.png

    Enable DHE ciper suites in the CLI

    • Create and bind a DH key to the SSL Profile (CLI)
    create ssl dhparam DH_Key_Name_Here.key 2048 -gen 2set ssl profile SSL_Labs_Profile_Q4_2021 -dh ENABLED -dhFile DH_Key_Name_Here.key
     
    • Bind a DHE cipher suite to the cipher group that we created earlier
    bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
     

    Firmware Notes

    • Citrix enabled TLS1.2 as a default in firmware version 10.5 build 57

    • The ROBOT vulnerability was addressed in builds 12.0 build 53, 11.1 build 56, 11.0 build 71 and 10.5 build 67 - more details are available here

    • The HSTS (Strict Transport Security) flag became available in 12.0 build 35 - prior builds required a rewrite policy to insert the HSTS header. You cannot use both as the ADC to insert 2 headers which is not allowed.

    • Support for TLS1.2 was added to the VPX appliances in 10.5 build 57. It was available in earlier builds for appliances with dedicated SSL hardware

    • Support for TLS1.3 was added in 12.1 build 49.23 - it must be enabled in the vServer SSL Parameters or added to an enhanced SSL Profile, and TLS1.3 ciphers (listed) must be bound. TLS1.3 is not supported on legacy SSL profiles

    • ECC certificate support was added to the VPX appliances in 12.0 build 57. It was available in earlier builds for appliances with dedicated SSL hardware

    • The Zombie POODLE vulnerability was addressed in builds 12.1 build 50.31, 12.0 build 60.9, 11.1 build 60.14, 11.0 build 72.17, and 10.5 build 69.5. This vulnerability only affects MPX\SDX appliances with Nitrox SSL hardware. MPX\SDX appliances with Coleto Creek are not vulnerable. Disabling CBC-based cipher suites also mitigates this vulnerability. See CTX article for more information

    • The cipher list has been modified to address CBC weaknesses, thus removing 0xc028 and 0x39 ciphers

    • Citrix added TLS1.3 hardware acceleration in 13.0 build 71


    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...