Secure requirements require SSL to be disabled (this includes SSLv2 and SSLv3), and TLS 1.0 and TLS 1.1 should be disabled as well. This leaves TLS 1.2 and above, but within that you also have weak ciphers, so the requirement here is to allow only the following:
- TLSv1.2
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
If you have Citrix NetScaler devices and you have services using SSL bindings going through them as your external front-door services, then the NetScaler talks to the client separately from talking to the server on behalf of the user, as can be seen below:
This does not apply if you were using a non-SSL binding like below:
Note: If you happen to use a binding that is not SSL, then you will need to patch the backend servers, as this guide does not apply to those types of non-SSL bindings.
Anyway, let's get on with securing the SSL binding. Click into one of the services that is SSL, then find the SSL Parameters section, where we need to look at the protocols (shown below in the red box), which are wrong. To edit these, click on the green highlighted pencil icon:
Note : Service being updated is "Autodiscover.Secure-TLS1.2"
Then you will notice you have some tick boxes available that will look like this:
This will need to look like this, so that only TLS1.2 and TLS1.3 are enabled, then use the OK button to save that:
Then from the side menu we need Traffic Management > SSL > Cipher Groups as below:
Then we need to Add a new one:
Then give it a name and click the add button as below:
Then you will need to expand the aRSA section, where you will notice the ciphers we require in the box below, highlighted in green:
That should then look like this:
This will then need to be created; however, that is not complete yet:
Now if you go back to the service binding from earlier called Autodiscover.Secure-TLS1.2 and locate the SSL Ciphers section, you will notice it looks like this, which is wrong, as "Default" is active.
You will then see this, click the Cipher groups option:
Find the cipher group you created earlier called "SecureCiphers", then select it and click OK:
This will then return you to the configured ciphers, but it is still wrong: the Default group should not be there. Once Default is removed, only the approved protocol and ciphers remain:
- TLSv1.2
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
BEAST attack Mitigated server-side
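To check the result outside the GUI, here is an added Python audit script (not from the original post and not a Citrix tool) that reads configuration lines in NetScaler CLI syntax and flags any SSL service that still has a legacy protocol enabled, the Default cipher group bound, or a cipher outside the two approved suites. The sample configuration is constructed for this example: the service name Legacy.OWA is invented, and the NetScaler cipher names TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 / TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 and the `-ssl3/-tls1/-tls11/-tls12/-tls13` parameters are assumed to match your firmware; compare them against your own `show running` output before relying on the check.

```python
import re
from collections import defaultdict

# Approved cipher suites, in NetScaler naming (assumed mapping to the IANA names in the post).
ALLOWED_CIPHERS = {
    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",   # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
# Protocols that must be explicitly DISABLED on every SSL service.
# (SSLv2 is assumed to have no per-service toggle on current releases, so it is not checked here.)
WEAK_PROTOCOL_FLAGS = ("ssl3", "tls1", "tls11")

# Constructed sample configuration in NetScaler CLI syntax (the CLI equivalent of the GUI steps above).
SAMPLE_CONFIG = """\
add ssl cipher SecureCiphers
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
set ssl service Autodiscover.Secure-TLS1.2 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 ENABLED
bind ssl service Autodiscover.Secure-TLS1.2 -cipherName SecureCiphers
set ssl service Legacy.OWA -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED
bind ssl service Legacy.OWA -cipherName DEFAULT
"""

PROTO_RE = re.compile(r"-(ssl3|tls1|tls11|tls12|tls13)\s+(ENABLED|DISABLED)")


def parse_config(text):
    """Return (cipher_groups, services) from NetScaler-style config lines."""
    groups = defaultdict(list)                       # group name -> [cipher names]
    services = defaultdict(lambda: {"protocols": {}, "ciphers": []})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        verb, obj = parts[0], parts[2]
        if verb == "add" and obj == "cipher":
            groups[parts[3]]                         # create the (empty) group
        elif verb == "bind" and obj == "cipher":
            groups[parts[3]].append(parts[parts.index("-cipherName") + 1])
        elif verb == "set" and obj == "service":
            svc = services[parts[3]]
            for flag, state in PROTO_RE.findall(line):
                svc["protocols"][flag] = (state == "ENABLED")
        elif verb == "bind" and obj == "service" and "-cipherName" in parts:
            services[parts[3]]["ciphers"].append(parts[parts.index("-cipherName") + 1])
    return groups, services


def audit(groups, services):
    """Return {service name: [issue strings]}; an empty list means the service passes."""
    findings = {}
    for name, svc in services.items():
        issues = []
        # A legacy protocol that is not explicitly DISABLED is treated as a finding (conservative).
        for flag in WEAK_PROTOCOL_FLAGS:
            state = svc["protocols"].get(flag)
            if state is True:
                issues.append(f"{flag} enabled")
            elif state is None:
                issues.append(f"{flag} not explicitly disabled")
        if svc["protocols"].get("tls12") is not True:
            issues.append("tls12 not enabled")
        # Expand bound cipher groups into individual suites; DEFAULT is the built-in group
        # and is flagged by name rather than expanded.
        effective = set()
        for bound in svc["ciphers"]:
            if bound == "DEFAULT":
                issues.append("DEFAULT cipher group still bound")
            elif bound in groups:
                effective.update(groups[bound])
            else:
                effective.add(bound)                 # an individual cipher bound directly
        extra = effective - ALLOWED_CIPHERS
        if extra:
            issues.append("non-approved ciphers: " + ", ".join(sorted(extra)))
        if not effective and "DEFAULT" not in svc["ciphers"]:
            issues.append("no ciphers bound")
        findings[name] = issues
    return findings


def audit_text(text):
    """Convenience wrapper: audit raw config text."""
    return audit(*parse_config(text))


if __name__ == "__main__":
    for service, issues in audit_text(SAMPLE_CONFIG).items():
        print(f"{service}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against a copy of the running config saved from the appliance; every service that still reports `DEFAULT cipher group still bound` or a `tls1`/`tls11` finding needs the same two GUI changes described above.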