Jump to content
Welcome to our new Citrix community!

Disable SSL 2.0 and 3.0 on Netscaler


Recommended Posts

Our security team has suggested Vulnerability on Netscaler and suggested to disable  SSLv2 and SSLv3 on Netscaler.

 

Now, My questions are:-

 

1.Where can i check and disable those on my Netscaler, on Vserver  config or Services or at appliance level itself.

2. Would there be any impact on the users connection.

 

Please Suggest.Thanks In advance!!

 

Link to comment
Share on other sites

You should be able to open each SSL vServer, scroll down to SSL Parameters, click the pencil, and uncheck SSL v3.

 

Another option is to enable the Default SSL Profile at Traffic Management > SSL, and on the bottom right is change advanced SSL Parameters. On this page is a checkbox to enable the Default SSL Profile. If you do that then all SSL vServers will get the same SSL settings and SSLv3 is disabled automatically.

  • Like 2
Link to comment
Share on other sites

if you prefer to use CLI , you can use this to diable it per vip:

 

set ssl vserver vip_name -ssl3 DISABLED

 

or as Carl already said, you can use the default profile or a new custom one to disable for all vips.

 

The users will not be able to connect to your vips useing  SSLv2 or v3.

I don't think this would be an issue as they are very old. Nowdays everybody is using TLS 1.2.

 

  • Like 1
Link to comment
Share on other sites

On 5/18/2019 at 5:26 AM, Carl Stalhood1709151912 said:

You should be able to open each SSL vServer, scroll down to SSL Parameters, click the pencil, and uncheck SSL v3.

 

Another option is to enable the Default SSL Profile at Traffic Management > SSL, and on the bottom right is change advanced SSL Parameters. On this page is a checkbox to enable the Default SSL Profile. If you do that then all SSL vServers will get the same SSL settings and SSLv3 is disabled automatically.

Thanks Carl and Mihai!!

Link to comment
Share on other sites

  • 4 years later...
On 5/18/2019 at 7:56 AM, Carl Stalhood1709151912 said:

You should be able to open each SSL vServer, scroll down to SSL Parameters, click the pencil, and uncheck SSL v3.

 

Another option is to enable the Default SSL Profile at Traffic Management > SSL, and on the bottom right is change advanced SSL Parameters. On this page is a checkbox to enable the Default SSL Profile. If you do that then all SSL vServers will get the same SSL settings and SSLv3 is disabled automatically.

How can we check if those internal service being used by any services/VIP's? I mean prior to disablement of SSLv3 for each of internal service

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...