Cipher/Protocol Support Matrix on the NetScaler Appliance

Sep 13, 2016

From release 10.5 build 56.22, NetScaler MPX appliances support full hardware optimization for all ciphers. In earlier releases, part of ECDHE/DHE cipher optimization was done in software.

Note: Hardware optimization is not supported for ciphers that are specific to the NetScaler VPX appliance. On the SDX platform, if you do not assign an SSL chip to an instance, optimization is done by software.

The following tables list the support for different ciphers on SSL entities, such as virtual servers and front-end, back-end, and internal services. Use the 'show hardware' command to identify whether your appliance has N3 chips.

On an SDX appliance, if an SSL chip is assigned to a VPX instance, the cipher support of an MPX appliance applies. Otherwise, the normal cipher support of a VPX instance applies.

Example

    > sh hardware
    Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100
    Manufactured on: 8/19/2013
    CPU: 2900MHZ
    Host Id: 1006665862
    Serial no: ENUK6298FT
    Encoded serial no: ENUK6298FT
    Done

Notes

  1. The TLS-Fallback_SCSV cipher suite is supported on all appliances from release 10.5 build 57.x.
  2. HTTP Strict Transport Security (HSTS) support is policy-based.
  3. All SHA-2 signed certificates (SHA256, SHA384, SHA512) are supported only on the front end, and only SHA256 signed certificates are supported on the back end of all appliances.
  4. ECDSA is supported only on the front end of MPX appliances that contain N3 chips.

Table 1: Support on Virtual Server/Frontend Service/Internal Service

| Cipher/Protocol | MPX/SDX (N2) | MPX/SDX (N3) | VPX | FIPS with firmware 2.2 | MPX 14000 FIPS |
|---|---|---|---|---|---|
| TLS 1.1/1.2 | 10.0 | 10.0 | 10.5-57.x | 10.5 58.1108.e | 10.5-59.1359.e |
| ECDHE/DHE (Example TLS1-ECDHE-RSA-AES128-SHA) | 10.5-53.x | 10.1-124.x | 10.5 | 11.1/ 10.5-59.1306.e | Not supported |
| AES-GCM (Example TLS1.2-AES128-GCM-SHA256) | 10.5-53.x | 10.5-53.x | 11.0-66.x / 11.1 | Not supported | Not supported |
| SHA-2 Ciphers (Example TLS1.2-AES-128-SHA256) | 10.5-53.x | 10.5-53.x | 11.0-66.x / 11.1 | Not supported | Not supported |
| ECDSA (Example TLS1-ECDHE-ECDSA-AES256-SHA) | Not supported | 11.1 (only MPX) | Not supported | Not supported | Not supported |

Table 2: Support on Backend Services

| Cipher/Protocol | MPX/SDX (N2) | MPX/SDX (N3) | VPX | FIPS with firmware 2.2 | MPX 14000 FIPS |
|---|---|---|---|---|---|
| TLS 1.1/1.2 | 10.5-59.x/11.0-50.x | 10.5-59.x /11.0-50.x | 11.0-66.x | 10.5 58.1108.e | 10.5-59.1359.e |
| ECDHE/DHE (Example TLS1-ECDHE-RSA-AES128-SHA) | 10.5-58.x/11.0-50.x | 10.5-58.x/11.0-50.x | Not supported | 11.1/10.5 59.1306.e | Not supported |
| AES-GCM (Example TLS1.2-AES128-GCM-SHA256) | 11.1 | 11.1 | Not supported | Not supported | Not supported |
| SHA-2 (Example TLS1.2-AES-128-SHA256) | 11.1 | 11.1 | Not supported | Not supported | Not supported |
| ECDSA (Example TLS1-ECDHE-ECDSA-AES256-SHA) | Not supported | Not supported | Not supported | Not supported | Not supported |