Netscaler : Enforcing TLSv1.2 and Custom Ciphers

Secure requirements will required SSL to be disabled this includes SSL2 and SSL3, and TLS1.0 and TLSv1.1 should be disabled as well, this leaves TLS1.2 and above, but within that you also have weak Ciphers as well, so the requirement here is to only allow the following:

1. TLSv1.2
2. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
3. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

If you have Citrix Netscaler devices and you have Services using SSL bindings going through them as your external front door services, then the Netscaler will talk to the client separately from talking to the server on behalf of the user, this can be seen below:

This does not apply if you were using a non-SSL binding like below:

Note : If you happen to use a binding that is not SSL then you will need to patch the backend servers, as this guide does not apply to those type of non-SSL bindings

Anyway lets get on with securing the SSL binding, so click into one of the services that are SSL then find the SSL parameters section, where we need to look as the protocols as below in the red box which are wrong, so we need to edit this, so click on the green highlighted pencil icon:

Note : Service being updated is "Autodiscover.Secure-TLS1.2"



Then you will notice you have some tuckboxes available that will look like this:

This will need to look like this, so only TLS1.2 and TLS1.3 are enabled then use the OK button to save that:

Then from the side menu we need Traffic Management > SSL > Cipher Groups as below:

Then we need to Add a new one:

Then give it a name and click the add button as below:

Then you will need to expand aRSA then you will notice we can see the Ciphers we require in the box below highlighted in green:

That should then look like this:

This will then need to be created, however that is not complete yet:

Now if you go back the service binding from earlier called Autodiscover.Secure-TLS1.2 and locate the SSL cipher section, you will notice it look like this, which is wrong as "default" is active.

Click the pencil icon (shown in green) to edit as below

You will then see this, click the Cipher groups option:

Find the policy you created earlier called "SecureCiphers" then select it and click OK:

This will then return you to the configured Ciphers but it is wrong still, the Default should not be there:

Therefore once again, click the pencil icon to edit this, then click on the minus next to Default as below:

That should look like this, minus the default profile, then click OK as below:

That will then confirm the changes to the Cipher profile as below:

Then finally you need to save the running configuration with the save icon: 

You are now successfully compliant to the requirements which in overview are as follows:

1. TLSv1.2
2. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
3. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

This also from a security point of view is a good as below are the vulnerabilities with the "are you vulnerable" answers next to them, all good here as you can see below: 

BEAST attack      Mitigated server-side  

POODLE (SSLv3)    No, SSL 3 not supported

POODLE (TLS)      No

Zombie POODLE     No  

GOLDENDOODLE      No  

OpenSSL 0-Length  No  

Sleeping POODLE   No  

Downgrade attack prevention   Unknown (requires support for at least two protocols, excl. SSL2)

SSL/TLS compression     No

RC4   No

Heartbeat (extension)   No

Heartbleed (vulnerability)    No

Ticketbleed (vulnerability)   No

OpenSSL CCS vuln. (CVE-2014-0224)   No

OpenSSL Padding Oracle vuln.

(CVE-2016-2107)   No

ROBOT (vulnerability)   No