Product Documentation

Configuring Cipher Redirection

Aug 20, 2013

During the SSL handshake, the SSL client (usually a web browser) announces the suite of ciphers that it supports, in the configured order of cipher preference. From that list, the SSL server then selects a cipher that matches its own list of configured ciphers.

If the ciphers announced by the client do not match those configured on the SSL server, the SSL handshake fails, and the failure is announced by a cryptic error message displayed in the browser. These messages rarely mention the exact cause of the error.

With cipher redirection, you can configure an SSL virtual server to deliver accurate, meaningful error messages when an SSL handshake fails. When SSL handshake fails, the NetScaler appliance redirects the user to a previously configured URL or, if no URL is configured, displays an internally generated error page.

To configure cipher redirection by using the command line interface

At the command prompt, type the following commands to configure cipher redirection and verify the configuration:

  • set ssl vserver <vServerName> -cipherRedirect < ENABLED | DISABLED> -cipherURL < URL>
  • show ssl vserver <vServerName>

Example

 
> set ssl vserver vs-ssl -cipherRedirect ENABLED -cipherURL http://redirectURl 
 Done 
> show ssl vserver vs-ssl 
 
        Advanced SSL configuration for VServer vs-ssl: 
        DH: DISABLED 
        Ephemeral RSA: ENABLED          Refresh Count: 1000 
        Session Reuse: ENABLED          Timeout: 600 seconds 
        Cipher Redirect: ENABLED        Redirect URL: http://redirectURl 
        SSLv2 Redirect: DISABLED 
        ClearText Port: 0 
        Client Auth: DISABLED 
        SSL Redirect: DISABLED 
        Non FIPS Ciphers: DISABLED 
        SSLv2: DISABLED SSLv3: ENABLED  TLSv1: ENABLED 
 
1)      CertKey Name: Auth-Cert-1       Server Certificate 
 
1)      Cipher Name: DEFAULT 
        Description: Predefined Cipher Alias 
 Done

To configure cipher redirection by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open a virtual server.
  2. In the SSL Parameters section, select Enable Cipher Redirect, and specify a redirect URL.