Jump to content
Welcome to our new Citrix community!
  • Scoring an A+ at SSLLabs.com with Citrix NetScaler – Q2 2023 Update


    marco hofmann by Marco Hofmann, CTA

    In 2016 Ryan Butler created a PowerShell script to update a NetScaler configuration to score an A+ at the SSL Labs SSL test. I updated this script to score an A+ in 2023.


    This blog post would not be possible without the groundwork from Ryan Butler and Carl Stalhood. Ryan created the initial script and Carl provided me with a current SSL cipher list for Q2 2023.

    Updates and tests

    Last year, I had a few new Citrix NetScaler Gateway VPX setups, and needed a fast way to get the SSL settings right. Most of the time I used the script by Ryan, but in the meantime it was outdated. I grabbed the script and the provided SSL cipher list by Carl and got a working copy that immediately scored an A+ at SSL Labs. Sadly, I did not take my time to create a pull request over at Ryan’s GitHub to give back. Today I took my time, to tidy up the code, thanks to the Visual Studio Code PowerShell formatter and write up the changelog.

    I tested the latest version of the script against a NetScaler 13.1 VPX (NS13.1 33.47.nc) without any issues. The instance was pre-configured with the previous version of the script. The previous script provided me a B at SSL Labs.

    image-18.png.73c1f396839b42c0cdc67dd23931cb91.pngSSL Labs Before

    After I let the latest version of the script optimize the VPX appliance, we are back to an A+. Example:

    .\set-nsssl.ps1 -nsip "" -adminpassword "secret" -enablesslprof -nolb -nocsw -ciphergroupname "custom-ssllabs-cipher-2022" -sslprofile "custom-ssllabs-profile-2022" -nosave

    image-19.png.13fd0ecd2287f725506263b76944f6b2.pngSSL Labs After

    The script

    The latest version of the script that contains my Pull Request can be found over at Ryan’s GitHub.



    Recent CUGC blogs:

    User Feedback

    Recommended Comments

    Could you make a parameter in the script that just configures it in the Netscaler and does not bind it to any virtual server? It should do things like allow secure renegotiation, create a new cipher group, etc but without touching any virtual server.
    Link to comment
    Share on other sites

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Create New...