Product Documentation

SSL Profiles

May 20, 2015
You can use an SSL profile to specify how a NetScaler ADC processes SSL traffic. The profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services, and service groups, and offers ease of configuration and flexibility. You are not limited to configuring only one set of global parameters. You can create multiple sets (profiles) of global parameters and assign different sets to different SSL entities. SSL profiles are classified into two categories:
  • Front end profiles, containing parameters applicable to the front-end entity. That is, they apply to the entity that receives requests from a client.
  • Backend profiles, containing parameters applicable to the back-end entity. That is, they apply to the entity that sends client requests to a server.

Unlike a TCP or HTTP profile, an SSL profile is optional. Therefore, there is no default SSL profile. The same profile can be reused across multiple entities. If an entity does not have a profile attached, the values set at the global level apply. For dynamically learned services, the current global values apply.

The following table lists the parameters that are part of each profile.

Front end profile             Backend profile
cipherRedirect, cipherURL     denySSLReneg
clearTextPort*                encryptTriggerPktCount
clientAuth, clientCert        nonFipsCiphers
denySSLReneg                  pushEncTrigger
dh, dhFile, dhCount           pushEncTriggerTimeout
dropReqWithNoHostHeader       pushFlag
encryptTriggerPktCount        quantumSize
eRSA, eRSACount               serverAuth
insertionEncoding             commonName
nonFipsCiphers                sessReuse, sessTimeout
pushEncTrigger                SNIEnable
pushEncTriggerTimeout         ssl3
pushFlag                      sslTriggerTimeout
quantumSize                   strictCAChecks
redirectPortRewrite           tls1
sendCloseNotify
sessReuse, sessTimeout
SNIEnable
ssl3
sslRedirect
sslTriggerTimeout
strictCAChecks
tls1, tls11, tls12

* The clearTextPort parameter applies only to an SSL virtual server.

An error message appears if you try to set a parameter that is not part of the profile (for example, if you try to set the clientAuth parameter in a backend profile).

Some SSL parameters, such as CRL memory size, OCSP cache size, UndefAction Control, and UndefAction Data, are not part of any of the above profiles, because these parameters are independent of entities.

An SSL profile supports the following operations:
  • Add—Creates an SSL profile on the NetScaler ADC. Specify whether the profile is front end or backend. Front end is the default.
  • Set—Modifies the settings of an existing profile.
  • Unset—Sets the specified parameters to their default values. If you do not specify any parameters, an error message appears. If you unset a profile on an entity, the profile is unbound from the entity.
  • Remove—Deletes a profile. A profile that is being used by any entity cannot be deleted. Clearing the configuration deletes all the entities. As a result, the profiles are also deleted.
  • Show—Displays all the profiles that are available on the NetScaler ADC. If a profile name is specified, the details of that profile are displayed. If an entity is specified, the profiles associated with that entity are displayed.

To create an SSL profile by using the command line

  • To add an SSL profile, type: add ssl profile <name> [-sslProfileType ( BackEnd | FrontEnd )]
  • To modify an existing profile, type: set ssl profile <name>
  • To unset an existing profile, type: unset ssl profile <name> [-dh] [-dhFile] [-dhCount] [-eRSA]…
  • To unset an existing profile from an entity, type: unset ssl vserver <vServerName> -sslProfile
  • To remove an existing profile, type: rm ssl profile <name>
  • To display an existing profile, type: sh ssl profile <name>

Examples

  1. Adding a front end (default) profile:
    > add sslprofile p1
    Done
  2. Adding a backend profile:
    > add sslprofile p2 -sslprofileType backend -tls1 disabled
    Done
  3. Enabling settings on a backend profile:
    > set sslprofile p2 -serverAuth ENABLED
    Done
  4. Enabling settings on a front end profile:
    > set sslprofile p1 -clientauth ENABLED -clientcert optional
    Done
    > sh ssl profile p1
    1)      Configuration for Front-End SSL profile
            Name: p1
            DH: DISABLED
            Ephemeral RSA: ENABLED          Refresh Count: 0
            Session Reuse: ENABLED          Timeout: 120 seconds
            Non FIPS Ciphers: DISABLED
            Cipher Redirect: DISABLED
            Client Auth: ENABLED    Client Cert Required: Optional
            SSL Redirect: DISABLED
            SNI: DISABLED
            SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
            Push Encryption Trigger: Always
            PUSH encryption trigger timeout:        1 ms
            Send Close-Notify: YES
            Push flag:      0x0 (Auto)
            Deny SSL Renegotiation          NO
            SSL quantum size:               8 kB
            Strict CA checks:               NO
            Encryption trigger timeout      100 mS
            Encryption trigger packet count:        45
            Subject/Issuer Name Insertion Format:   Unicode
            Strict Host Header check for SNI enabled SSL sessions:          NO
    Done
  5. Setting parameters to their default values:
    > unset sslprofile p1 -clientauth -clientcert
    Done
    > sh ssl profile p1
    1)      Configuration for Front-End SSL profile
            Name: p1
            DH: DISABLED
            Ephemeral RSA: ENABLED          Refresh Count: 0
            Session Reuse: ENABLED          Timeout: 120 seconds
            Non FIPS Ciphers: DISABLED
            Cipher Redirect: DISABLED
            Client Auth: DISABLED
            SSL Redirect: DISABLED
            SNI: DISABLED
            SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
            Push Encryption Trigger: Always
            PUSH encryption trigger timeout:        1 ms
            Send Close-Notify: YES
            Push flag:      0x0 (Auto)
            Deny SSL Renegotiation          NO
            SSL quantum size:               8 kB
            Strict CA checks:               NO
            Encryption trigger timeout      100 mS
            Encryption trigger packet count:        45
            Subject/Issuer Name Insertion Format:   Unicode
            Strict Host Header check for SNI enabled SSL sessions:          NO
    Done
  6. Deleting a profile:
    > rm sslprofile p1
    Done
  7. Binding a profile to a virtual server:
    > set ssl vserver v1 -sslprofile p3
    Done
  8. Unbinding a profile from a virtual server:
    > unset ssl vserver v1 -sslprofile
    Done

To create an SSL profile by using the configuration utility

Navigate to System > Profiles, select the SSL Profiles tab, and create an SSL profile.

Enabling Stricter Control on Client Certificate Validation

The NetScaler appliance accepts valid Intermediate-CA certificates if they are issued by a single Root-CA. That is, if only the Root-CA certificate is bound to the virtual server, and any intermediate certificate sent with the client certificate is validated by that Root-CA, the appliance trusts the certificate chain and the handshake is successful.

However, if a client sends a chain of certificates in the handshake, none of the intermediate certificates can be validated by using a CRL or OCSP responder unless that certificate is bound to the SSL virtual server. Therefore, even if one of the intermediate certificates is revoked, the handshake is successful. As part of the handshake, the SSL virtual server sends the list of CA certificates that are bound to it. For stricter control, you can configure the SSL virtual server to accept only a certificate that is signed by one of the CA certificates bound to that virtual server. To do so, you must enable the ClientAuthUseBoundCAChain setting in the SSL profile bound to the virtual server. The handshake fails if the client certificate is not signed by one of the CA certificates bound to the virtual server.

For example, say two client certificates, clientcert1 and clientcert2, are signed by the intermediate certificates Int-CA-A and Int-CA-B, respectively. The intermediate certificates are signed by the root certificate Root-CA. Int-CA-A and Root-CA are bound to the SSL virtual server. In the default case (ClientAuthUseBoundCAChain disabled), both clientcert1 and clientcert2 are accepted. However, if ClientAuthUseBoundCAChain is enabled, only clientcert1 is accepted by the NetScaler appliance.
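The following Python model of that decision is an added illustration and is not NetScaler code: certificates are plain records (subject, issuer, CA flag) rather than real X.509 objects, the function names build_path and accept_client_cert are hypothetical, and the revoked set is a constructed stand-in for what a CRL or OCSP responder would report. It reproduces the Int-CA-A / Int-CA-B example above and also shows why the default mode can pass a revoked, unbound intermediate: the appliance can only consult revocation status for CA certificates that are bound to the virtual server.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields the
    acceptance decision depends on are modelled."""
    subject: str
    issuer: str        # subject of the certificate that signed this one
    is_ca: bool = False


def build_path(leaf, bound, presented):
    """Follow issuer links from the client certificate until a bound CA is
    reached. Intermediates may come from the bound CA set or from the chain
    the client presented; returns the path as a list, or None if it does
    not end at a bound CA."""
    available = {c.subject: c for c in presented if c.is_ca}
    available.update({c.subject: c for c in bound})   # bound copies take precedence
    bound_subjects = {c.subject for c in bound}
    path, cur = [leaf], leaf
    seen = {leaf.subject}
    while cur.issuer not in bound_subjects:
        nxt = available.get(cur.issuer)
        if nxt is None or nxt.subject in seen:   # dangling or looping chain
            return None
        path.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    path.append(available[cur.issuer])
    return path


def accept_client_cert(leaf, bound, presented, revoked_cas, use_bound_ca_chain):
    """Decide whether the handshake succeeds. revoked_cas stands in for what a
    CRL or OCSP responder would report about intermediate CA certificates; in
    this model (following the documentation) that status can only be consulted
    for CA certificates that are bound to the virtual server."""
    # With ClientAuthUseBoundCAChain enabled, intermediates sent by the client
    # are ignored, so the client certificate must be signed by a bound CA.
    usable = [] if use_bound_ca_chain else presented
    path = build_path(leaf, bound, usable)
    if path is None:
        return False, f"{leaf.subject}: not signed by a bound CA"
    for ca in path[1:]:
        if ca in bound and ca.subject in revoked_cas:
            return False, f"{leaf.subject}: bound CA {ca.subject} is revoked"
    unchecked = [ca.subject for ca in path[1:] if ca not in bound]
    note = f" (revocation not checked for: {', '.join(unchecked)})" if unchecked else ""
    return True, f"{leaf.subject}: accepted via {' -> '.join(c.subject for c in path)}{note}"


# Constructed PKI matching the documentation's example.
ROOT_CA = Cert("Root-CA", "Root-CA", is_ca=True)
INT_CA_A = Cert("Int-CA-A", "Root-CA", is_ca=True)
INT_CA_B = Cert("Int-CA-B", "Root-CA", is_ca=True)
CLIENTCERT1 = Cert("clientcert1", "Int-CA-A")
CLIENTCERT2 = Cert("clientcert2", "Int-CA-B")
BOUND = [ROOT_CA, INT_CA_A]          # CA certificates bound to the SSL virtual server
REVOKED = {"Int-CA-B"}               # assumption: Int-CA-B has been revoked


def run_scenarios():
    """Return the outcome for each client certificate in both modes."""
    results = {}
    for leaf, chain in ((CLIENTCERT1, [INT_CA_A]), (CLIENTCERT2, [INT_CA_B])):
        for strict in (False, True):
            results[(leaf.subject, strict)] = accept_client_cert(
                leaf, BOUND, chain, REVOKED, strict)
    return results


if __name__ == "__main__":
    for (subject, strict), (ok, why) in run_scenarios().items():
        mode = "ClientAuthUseBoundCAChain ENABLED " if strict else "default                           "
        print(f"{mode} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Running the script shows clientcert1 accepted in both modes, clientcert2 accepted in the default mode with Int-CA-B never revocation-checked, and clientcert2 rejected once ClientAuthUseBoundCAChain is enabled. A revoked intermediate that is bound (for example Int-CA-A) is caught in either mode, because its CRL or OCSP status is available to the appliance.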

To enable stricter control on client certificate validation by using the command line

At the NetScaler command prompt, type: set ssl profile <name> -ClientAuthUseBoundCAChain Enabled

To enable stricter control on client certificate validation by using the configuration utility

  1. Navigate to System > Profiles, select the SSL Profiles tab, and create an SSL profile, or select an existing profile.
  2. Select Enable Client Authentication using bound CA Chain.