Netscaler ADC - using null cipher to decode backend ssl traffic for troubleshooting



Hi,

 

I have a question:

Is it possible to activate a null cipher for the purpose of troubleshooting any SSL-encrypted communication on NetScaler ADC?

I could imagine that we could temporarily enable null ciphers on the backend SSL profile to decode traffic that is normally strongly encrypted.

I think the advantage would be that we would not need a permanent nstrace with -capsslkeys if the failure within the customer application only happens rarely and is not reproducible.

I also think that the Wireshark decode would be much faster and easier to handle.

I have already tried this, but I get a <Fatal (2) - Unsupported Certificate (43)> message in Wireshark and the bound service does not come up.
If I connect directly to the service using curl (curl parameters: --insecure --cipher rsa_null_sha) it seems to work?

Do you know what I am doing wrong?

 

## Snapshot of the configuration I tested:

(NetScaler 11.1 on SDX, within an admin partition)

add ssl cipher MY_BACKEND_NULLCIPHER
bind ssl cipher MY_BACKEND_NULLCIPHER -cipherName SSL3-NULL-MD5 -cipherPriority 1
bind ssl cipher MY_BACKEND_NULLCIPHER -cipherName SSL3-NULL-SHA -cipherPriority 2

add ssl profile sslprof-my-backend_nullcipher -sslProfileType BackEnd -eRSA DISABLED -sessReuse DISABLED -tls1 DISABLED -tls11 DISABLED
bind ssl profile sslprof-my-backend_nullcipher -cipherName MY_BACKEND_NULLCIPHER -cipherPriority 1
bind ssl profile sslprof-my-backend_nullcipher -eccCurveName P_256
bind ssl profile sslprof-my-backend_nullcipher -eccCurveName P_384
bind ssl profile sslprof-my-backend_nullcipher -eccCurveName P_224
bind ssl profile sslprof-my-backend_nullcipher -eccCurveName P_521

add server srv-10.1.1.1 10.1.1.1
add service svc-10.1.1.1-tcp943 srv-10.1.1.1 SSL 943 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind service svc-10.1.1.1-tcp943 -monitorName https-ecv
set ssl service svc-10.1.1.1-tcp943 -sslProfile sslprof-my-backend_nullcipher

bind lb vserver vs-10.1.2.1-tcp443-ssl svc-10.1.1.1-tcp943

Or do you have any other solution which also works for admin partitions?

 

Kind Regards,

Chris


Hi Vamsi,

 

I expected that a null cipher is not the same as a weak cipher.

Using a null cipher means that the content is not encrypted.

 

See also this excerpt from Wikipedia: https://en.wikipedia.org/wiki/Null_encryption

In modern cryptography, null encryption (or selecting null cipher or NONE cipher) is choosing not to use encryption in a system where various encryption options are offered. When this option is used, the text is the same before and after encryption, which can be practical for testing/debugging, or authentication-only communication. In mathematics such a function is known as the identity function.
Examples of this are the "eNull" cipher suite in OpenSSL [[1]](https://en.wikipedia.org/wiki/Null_encryption#cite_note-1) and the "NULL Encryption Algorithm" in IPSec. [[2]](https://en.wikipedia.org/wiki/Null_encryption#cite_note-2)

 

So I expected that the usage of a null cipher shows traffic in cleartext (not encrypted).

I tried the null cipher with a curl client and the trace seems to be unencrypted (the cipher suite used was TLS_RSA_WITH_NULL_SHA (0x0002)); Wireshark's <Follow SSL Stream> shows the cleartext output.

But when I try the same using the NetScaler as the SSL client I get an "unsupported certificate" failure message.

 

Kind Regards
Chris

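The check that runs through both posts above (offer the backend only null-encryption suites, see what it negotiates, and decide whether the captured payload can be read in clear) as an added, scripted example. This is not code from the thread or from Citrix; it uses openssl s_client in place of the curl test, the host and port are placeholders, and the s_client output fragments embedded for the offline self-check are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original thread: probe a backend the way
# the post's curl test does, but scripted so the result can be checked.
# Host/port are placeholders; the sample s_client lines further down are
# constructed for the offline self-check, not a real capture.

# Read `openssl s_client` output on stdin and print the negotiated cipher
# name, or "none" when no handshake completed. s_client prints
#   New, TLSv1.2, Cipher is NULL-SHA      (success)
#   New, (NONE), Cipher is (NONE)         (handshake failed)
negotiated_cipher() {
    cipher=$(sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") echo none ;;
        *)           echo "$cipher" ;;
    esac
}

# Every null-encryption suite in OpenSSL's naming contains "NULL"
# (NULL-SHA, NULL-SHA256, ECDHE-RSA-NULL-SHA, ...). NetScaler's SSL3-NULL-SHA
# is the same wire suite as OpenSSL's NULL-SHA: TLS_RSA_WITH_NULL_SHA (0x0002).
is_null_cipher() {
    case "$1" in
        *NULL*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Offer the backend only the two null suites from the post's cipher group and
# report what it picks. @SECLEVEL=0 lifts the default security level, which
# otherwise excludes null suites on OpenSSL 1.1.0 and later; -tls1_2 matches
# the profile, which had TLS 1.0 and 1.1 disabled. Needs network, so it runs
# only when a host is given on the command line.
probe_backend() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -tls1_2 \
        -cipher 'NULL-SHA:NULL-MD5:@SECLEVEL=0' </dev/null 2>&1 | negotiated_cipher
}

# Constructed s_client fragments used for the offline self-check.
SAMPLE_OK='New, TLSv1.2, Cipher is NULL-SHA
Server public key is 2048 bit'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# Turn the negotiated cipher into the troubleshooting decision: cleartext
# capture possible, encrypted (keys still needed), or no session at all.
verdict() {
    c=$(negotiated_cipher)
    if [ "$c" = none ]; then
        echo "no TLS session: backend rejects the offered null suites"
    elif is_null_cipher "$c"; then
        echo "$c: payload is cleartext on the wire, treat the NetScaler-to-backend leg as unencrypted"
    else
        echo "$c: encrypted, nstrace -capsslkeys still needed to decode"
    fi
}

printf '%s\n' "$SAMPLE_OK" | verdict
printf '%s\n' "$SAMPLE_FAIL" | verdict

if [ $# -ge 1 ]; then
    probe_backend "$@"
fi
```

Run as `sh probe.sh 10.1.1.1 943` to probe the backend from the post (the offline self-check runs either way). A null suite still authenticates the server through its certificate and still MACs every record, but the application data travels in clear; anyone who can capture between the NetScaler SNIP and the backend reads it, so a profile like this belongs on the service only for the duration of the troubleshooting, and a backend accepting null suites from curl or openssl says nothing yet about why the NetScaler-side handshake fails with its own profile.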

This topic is now archived and is closed to further replies.