Disabling SSLv3, TLS 1.0 on NetScaler



Hi,

 

We are looking to disable SSLv3, TLS 1.0 on our NetScaler Gateway, but have some questions as below.  NetScaler release is 11.1.  Please advise.

 

Q1: Is it just a matter of unchecking the checkboxes for SSLv3/TLS 1.0 for the Virtual Server, or should these be disabled on all services which show up by typing "sh ssl service"?

 

Q2: Do we also need to remove related cipher groups and those cipher groups from SSL profiles?

 

If you have any step by step guide, then please provide url.  Many thanks in advance.

 

Kind regards,


43 minutes ago, Sheetal Gandhi1709156601 said:

Q1: Is it just a matter of unchecking the checkboxes for SSLv3/TLS 1.0 for the Virtual Server, or should these be disabled on all services which show up by typing "sh ssl service"?

 

VIP for Client-->NS communication (Public facing)

Service is for NS-->Server communication

 

For best practices, please disable on VIP & Services

 

46 minutes ago, Sheetal Gandhi1709156601 said:

Q2: Do we also need to remove related cipher groups and those cipher groups from SSL profiles?

 

I believe those ciphers will not be used when you disable the protocols.

 

Again, for best practices, create a new cipher group and bind it to VIP/Services

 

https://docs.citrix.com/en-us/netscaler/10-1/ns-tmg-wrapper-10-con/ns-ssl-wrapper-con-10/ns-ssl-customize-ssl-config-con/ns-ssl-user-defined-cipher-groups-tsk.html

 

Thanks,

Vamsi


You can also create an SSL profile that disables sslv3 and tls 1.0 and bind to vservers when needed. If there is a conflict, SSL Profiles override the SSL parameters per vserver.  This makes it easier to put multiple settings into effect and manage settings in bulk per application.  Define profile once and apply where needed.  Ciphers can still be managed via cipher groups and then associated with the profile.  https://docs.citrix.com/en-us/netscaler/12/ssl/config-ssloffloading/ns-ssl-profiles-tsk.html

 

There is also a mechanism for setting a default ssl profile which will effectively allow you to have ssl v3 / tls 1.0 off by default (and other settings) on all vservers.

https://docs.citrix.com/en-us/netscaler/12/ssl/ssl-profiles1.html

 https://docs.citrix.com/en-us/netscaler/12/ssl/ssl-profiles1/ssl-enabling-the-default-profile.html

Note: this is a script that is downloaded from where you get your firmware (usually under components under the firmware section).  Set your configuration before running the script.  Back up the config before applying, as there is no undo command; once a default profile is enabled, you have a default profile. You can then edit its values or configure alternate profiles to override.
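
Added example, not part of any post in this thread and not Citrix code: a small audit over a saved configuration that lists every SSL vserver and service where SSLv3 or TLS 1.0 is not explicitly `DISABLED`, treating a bound SSL profile as overriding the entity's own settings, as described above. The sample config, entity names and addresses are constructed, and the script deliberately assumes no firmware default, so anything without an explicit `DISABLED` is reported for review.

```python
import shlex

LEGACY = ("-ssl3", "-tls1")  # protocol switches the thread wants DISABLED

# Constructed sample in ns.conf style; names and addresses are made up.
SAMPLE_CONFIG = """\
add ssl profile prof_no_legacy -ssl3 DISABLED -tls1 DISABLED -tls11 ENABLED -tls12 ENABLED
add vpn vserver vs_gateway SSL 192.0.2.10 443
add lb vserver vs_web SSL 192.0.2.11 443
add lb vserver vs_old SSL 192.0.2.12 443
add service svc_app1 srv_app1 SSL 443
add service "svc app2" srv_app2 SSL 443
set ssl vserver vs_gateway -ssl3 DISABLED -tls1 DISABLED
set ssl vserver vs_web -sslProfile prof_no_legacy
set ssl service svc_app1 -ssl3 DISABLED
set ssl service "svc app2" -tls1 ENABLED
"""

def _flags(tokens):
    """Map '-flag value' pairs from a tokenized config line."""
    return {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}

def audit(config_text):
    """Return {(kind, name): [legacy flags not explicitly DISABLED]}."""
    profiles, entities = {}, {}
    for line in config_text.splitlines():
        tok = shlex.split(line)  # handles quoted names such as "svc app2"
        if len(tok) > 3 and tok[:3] == ["add", "ssl", "profile"]:
            profiles[tok[3]] = _flags(tok[4:])
        elif len(tok) > 4 and tok[0] == "add" and tok[2] == "vserver" and tok[4] == "SSL":
            entities.setdefault(("vserver", tok[3]), {})   # client -> NS side
        elif len(tok) > 4 and tok[:2] == ["add", "service"] and tok[4] == "SSL":
            entities.setdefault(("service", tok[2]), {})   # NS -> server side
        elif len(tok) > 3 and tok[:2] == ["set", "ssl"] and tok[2] in ("vserver", "service"):
            entities.setdefault((tok[2], tok[3]), {}).update(_flags(tok[4:]))
    findings = {}
    for key, flags in entities.items():
        # A bound profile overrides the entity's own SSL parameters.
        effective = profiles.get(flags.get("-sslProfile"), flags)
        open_flags = [f for f in LEGACY if effective.get(f) != "DISABLED"]
        if open_flags:
            findings[key] = open_flags
    return findings

if __name__ == "__main__":
    for (kind, name), flags in audit(SAMPLE_CONFIG).items():
        print(f"{kind} {name!r}: not explicitly disabled: {', '.join(flags)}")
```

Service groups are not covered by this sketch; it only looks at `vserver` and `service` entities.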


  • 4 years later...
On 4/9/2018 at 5:01 PM, Sheetal Gandhi1709156601 said:

Hi,

 

We are looking to disable SSLv3, TLS 1.0 on our NetScaler Gateway, but have some questions as below.  NetScaler release is 11.1.  Please advise.

 

Q1: Is it just a matter of unchecking the checkboxes for SSLv3/TLS 1.0 for the Virtual Server, or should these be disabled on all services which show up by typing "sh ssl service"?

 

Q2: Do we also need to remove related cipher groups and those cipher groups from SSL profiles?

 

If you have any step by step guide, then please provide url.  Many thanks in advance.

 

Kind regards,

 
