Product Documentation

Configuring ECDHE Ciphers

Aug 19, 2015

The Citrix NetScaler VPX, MPX, and SDX appliances support the ECDHE cipher group in release 10.5 build 53.9 or later. On an SDX appliance, if an SSL chip is assigned to a VPX instance, the cipher support of an MPX appliance applies. Otherwise, the normal cipher support of a VPX instance applies. For a complete list of ciphers supported by the NetScaler appliance, see Ciphers Supported by the NetScaler Appliance.

The following table lists the ciphers supported on VPX instances and MPX appliances.
Cipher Suite VPX MPX
TLS1-ECDHE-RSA-RC4-SHA YES YES
TLS1-ECDHE-RSA-DES-CBC3-SHA YES YES
TLS1-ECDHE-RSA-AES128-SHA YES YES
TLS1-ECDHE-RSA-AES256-SHA YES YES
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 NO YES
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 NO YES
TLS1.2-ECDHE-RSA-AES-128-SHA256 NO YES
TLS1.2-ECDHE-RSA-AES-256-SHA384 NO YES

ECDHE cipher suites use elliptical curve cryptography (ECC). Because of its smaller key size, ECC is especially useful in a mobile (wireless) environment or an interactive voice response environment, where every millisecond is important. Smaller key sizes save power, memory, bandwidth, and computational cost.

A NetScaler appliance supports the following ECC curves:
  • P_256
  • P_384
  • P_224
  • P_521
Note:
  • On the MPX platform, ECC curves 224 and 521 are not supported with the TLS1.2 protocol.
  • If you upgrade from a build earlier than release 10.1 build 121.10, you must explicitly bind ECC curves to your existing SSL virtual servers or front end services. The curves are bound by default to any virtual servers or front end services that you create after the upgrade.

You can bind an ECC curve to SSL front-end entities only. By default all four curves are bound, in the following order: P_256, P_384,P_224,P_521. To change the order, you must first unbind all the curves, and then bind them in the desired order.

To unbind ECC curves and bind an ECC curve to an SSL virtual server by using the command line

At the command prompt, type:

  • unbind ssl vserver <vServerName> -eccCurveName ALL
  • bind ssl vserver <vServerName> -eccCurveName <eccCurveName>

Example

unbind ssl vs v1 –eccCurvename ALL 
bind ssl vserver  v1 -eccCurveName P_224 
> sh ssl vserver v1 
 
	Advanced SSL configuration for VServer v1: 
	DH: DISABLED 
	Ephemeral RSA: ENABLED		Refresh Count: 0 
	Session Reuse: ENABLED		Timeout: 120 seconds 
	Cipher Redirect: DISABLED 
	SSLv2 Redirect: DISABLED 
	ClearText Port: 0 
	Client Auth: DISABLED 
	SSL Redirect: DISABLED 
	Non FIPS Ciphers: DISABLED 
	SNI: DISABLED 
	SSLv2: DISABLED	SSLv3: ENABLED	TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED 
	Push Encryption Trigger: Always 
	Send Close-Notify: YES 
 
	ECC Curve: P_224 
 
1)	Cipher Name: DEFAULT 
	Description: Predefined Cipher Alias 
 Done