# Netscaler ADC - using null cipher to decode backend ssl traffic for troubleshooting


I have a question:

Is it possible to activate a null cipher for the purpose of troubleshooting any SSL-encrypted communication on Netscaler ADC?

I could imagine that we could temporarily enable null ciphers on the backend SSL profile to decode traffic that is normally strongly encrypted.

I think the advantage would be that we would not need a permanent nstrace -capsslkeys if the failure within the customer application only happens rarely and is not reproducible.

I also think that the Wireshark decode would be much faster and easier to handle.

I already tried this, but I get a <Fatal (2) - Unsupported Certificate (43)> failure message in Wireshark and the bound service does not come up.
If I connect directly to the service using curl (curl parameters: --insecure --cipher rsa_null_sha) it seems to work?

Do you know what I am doing wrong?


## Snapshot of the configuration I tested:

(NetScaler 11.1 on SDX, within an admin partition)

```
bind ssl cipher MY_BACKEND_NULLCIPHER -cipherName SSL3-NULL-MD5 -cipherPriority 1
bind ssl cipher MY_BACKEND_NULLCIPHER -cipherName SSL3-NULL-SHA -cipherPriority 2

add ssl profile sslprof-my-backend_nullcipher -sslProfileType BackEnd -eRSA DISABLED -sessReuse DISABLED -tls1 DISABLED -tls11 DISABLED
bind ssl profile sslprof-my-backend_nullcipher -cipherName MY_BACKEND_NULLCIPHER -cipherPriority 1
bind ssl profile sslprof-my-backend_nullcipher -eccCurveName P_256
bind ssl profile sslprof-my-backend_nullcipher -eccCurveName P_384
bind ssl profile sslprof-my-backend_nullcipher -eccCurveName P_224
bind ssl profile sslprof-my-backend_nullcipher -eccCurveName P_521

add server srv-
add service svc- srv- SSL 943 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind service svc- -monitorName https-ecv
set ssl service svc- -sslProfile sslprof-my-backend_nullcipher

bind lb vserver vs- svc-
```


Or do you have any other solution that also works for admin partitions?


Kind Regards,



Hi Vamsi,


I expected that a null cipher is not the same as a weak cipher.

Using a null cipher means that the content is not encrypted.

See also this excerpt from Wikipedia: https://en.wikipedia.org/wiki/Null_encryption

In modern cryptography, null encryption (or selecting null cipher or NONE cipher) is choosing not to use encryption in a system where various encryption options are offered. When this option is used, the text is the same before and after encryption, which can be practical for testing/debugging, or authentication-only communication. In mathematics such a function is known as the identity function.
Examples of this are the "eNull" cipher suite in OpenSSL [1](https://en.wikipedia.org/wiki/Null_encryption#cite_note-1) and the "NULL Encryption Algorithm" in IPSec. [2](https://en.wikipedia.org/wiki/Null_encryption#cite_note-2)

So I expected that using a null cipher would show the traffic in cleartext (not encrypted).

I tried the null cipher with a curl client and the trace seems to be unencrypted (cipher suite used: TLS_RSA_WITH_NULL_SHA (0x0002)) => Wireshark's <Follow SSL Stream> shows the cleartext output.

But when I try the same with the NetScaler as the SSL client, I get an "unsupported certificate" failure message.


Kind Regards
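As an added example (written for this thread, not code from the original posts or from NetScaler): a small Python parser over raw TLS records that flags a ServerHello selecting a null-encryption suite such as the TLS_RSA_WITH_NULL_SHA (0x0002) seen in the curl test, and decodes alert records like the Fatal (2) / Unsupported Certificate (43) the NetScaler produced. Run over a capture, the same check confirms whether a temporary null-cipher backend profile is actually in effect, and later that it has been removed again; the sample bytes below are constructed inline, not a real capture.

```python
import struct

# Cipher suites that provide no confidentiality (null encryption). 0x0002 is the
# suite the curl test in the post negotiated; values are IANA cipher suite codes.
NULL_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
}
ALERT_LEVELS = {1: "Warning", 2: "Fatal"}
ALERT_DESCRIPTIONS = {40: "Handshake Failure", 43: "Unsupported Certificate", 70: "Protocol Version"}

def iter_records(data):
    """Yield (content_type, version, payload) for each TLS record in a byte string."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        yield ctype, version, payload
        off += 5 + length

def server_hello_suite(handshake):
    """Return the cipher suite chosen in a ServerHello message, or None for other messages."""
    if len(handshake) < 41 or handshake[0] != 0x02:      # 0x02 = ServerHello
        return None
    # header(4) + version(2) + random(32) + session_id_len(1) + session_id bytes
    pos = 4 + 2 + 32 + 1 + handshake[38]
    if pos + 2 > len(handshake):
        return None
    return struct.unpack("!H", handshake[pos:pos + 2])[0]

def analyse(data):
    """Report null-cipher negotiations and alert records found in a TLS byte stream."""
    findings = []
    for ctype, _version, payload in iter_records(data):
        if ctype == 0x16:                                  # handshake record
            suite = server_hello_suite(payload)
            if suite in NULL_SUITES:
                findings.append(f"null cipher negotiated: {NULL_SUITES[suite]} (0x{suite:04x})")
        elif ctype == 0x15 and len(payload) >= 2:         # alert record
            level, desc = payload[0], payload[1]
            findings.append(f"alert: {ALERT_LEVELS.get(level, '?')} ({level}) - "
                            f"{ALERT_DESCRIPTIONS.get(desc, 'unknown')} ({desc})")
    return findings

# Constructed sample stream (not a real capture): a TLS 1.2 ServerHello choosing
# TLS_RSA_WITH_NULL_SHA, followed by the fatal "unsupported certificate" alert.
SERVER_HELLO = b"\x02" + (38).to_bytes(3, "big") + b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x00"
SAMPLE = (b"\x16\x03\x03" + len(SERVER_HELLO).to_bytes(2, "big") + SERVER_HELLO
          + b"\x15\x03\x03\x00\x02\x02\x2b")

if __name__ == "__main__":
    for line in analyse(SAMPLE):
        print(line)
```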
