Jump to content
Welcome to our new Citrix community!

disablle tl1.0 and tls1.1 on netscaler


Recommended Posts

vulnerability scan on netscalers into our environment  suggested to disbale  tls1.0, 1.1 .

we have alredy dsbaled sslv2, sslv3.

 

we are planning only to keep tls1.2 on all netscaler managment servcies.

 

i just want to make sure if it is recommended thing or not.

 

secondly if i am keeping only tls1.2 , enalbled on netscaler maangment intefaces, do i need to check other things like communication  our monitoring tool and NMAS .

will ti be affectiong on VIPS which have tls1.1, tls1.0 enabled.

Link to comment
Share on other sites

You should be disabling TLS 1.0 and TLS 1.1 everywhere but it is [arguably] more critical on externally accessible resources, so start there.

 

In MAS/ADM you can easily modify SSL settings, see https://docs.citrix.com/en-us/netscaler-mas/12/manage-system-settings/how-to-configure-ssl-settings-for-mas.html.

 

Once the protocols are sorted out, you will also need to remove insecure ciphers. The TLS 1.2/TLS 1.3 ciphers below were adequate for an A+ rating in October 2019 but as Johannes mentioned, certain older clients will not be able to connect. You can get all this info if you do a scan of your sites with SSL Labs (https://www.ssllabs.com/ssltest/).

 

Quote

TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-SHA256
TLS1.2-ECDHE-ECDSA-AES256-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.3-AES256-GCM-SHA384
TLS1.3-CHACHA20-POLY1305-SHA256
TLS1.3-AES128-GCM-SHA256

 

Link to comment
Share on other sites

On 12/3/2019 at 12:13 AM, Gregor Blaj said:

TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-SHA256
TLS1.2-ECDHE-ECDSA-AES256-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.3-AES256-GCM-SHA384
TLS1.3-CHACHA20-POLY1305-SHA256
TLS1.3-AES128-GCM-SHA256

 

the order is not perfect. TLS 1.3 should be on top, as they may get processed top down. I'd use this POLY CHACHA on top, always the 256 first, the 128 on 2nd. Just a suggestion.

 

I would rather go with this:

TLS1.3-CHACHA20-POLY1305-SHA256
TLS1.3-AES256-GCM-SHA384
TLS1.3-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-SHA384
TLS1.2-ECDHE-ECDSA-AES128-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

Link to comment
Share on other sites

No. They simply are not used. But don't use too many ciphers, ciphers may be buggy, the more you're using, the more likely one of them is buggy.

 

The only thing you have to do is bringing ciphers into a proper order: the stronger they are the more up they have to be.

 

You have to distinguish between a gateway or company owned ressource, only available to employees and a public website. I don't want to not sell anything to customers, just to be extra secure. But I want to get the maximum security I can for employees

Link to comment
Share on other sites

  • 5 weeks later...

Hi All, a quick question related to this topic.

If you disable TLS 1.0 and 1.1, on the Netscaler Gateway Virtual Server, you mentioned you loose the possibility to connect from some (older) browsers and probably allso some (older) Citrix Receivers.  

Do you have an idea which older Receiver versions will have issues ?

Is this known or listed somewhere ?

 

I know e.g. that disabeling SSL 3.0 had impact on Citrix Receiver versions lower than version 4.5.  

I noticed SSLLABS is making it harded to score an A+ rating from january 2020.  If you still have TLS 1.0 and 1.1 enabled the rating will be downgraded to a B rating. 

        on the SSLLABS-test page you see at the moment -> "This server supports TLS 1.0 and TLS 1.1. Grade will be capped to B from January 2020."

 

Thanks for you thoughts,

Greetings,

  Chris

Link to comment
Share on other sites

16 hours ago, Chris Marreel said:

Hi All, a quick question related to this topic.

If you disable TLS 1.0 and 1.1, on the Netscaler Gateway Virtual Server, you mentioned you loose the possibility to connect from some (older) browsers and probably allso some (older) Citrix Receivers.  

Do you have an idea which older Receiver versions will have issues ?

Is this known or listed somewhere ?

 

I know e.g. that disabeling SSL 3.0 had impact on Citrix Receiver versions lower than version 4.5.  

I noticed SSLLABS is making it harded to score an A+ rating from january 2020.  If you still have TLS 1.0 and 1.1 enabled the rating will be downgraded to a B rating. 

        on the SSLLABS-test page you see at the moment -> "This server supports TLS 1.0 and TLS 1.1. Grade will be capped to B from January 2020."

 

Thanks for you thoughts,

Greetings,

  Chris

 

The following article shows when TLS support was introduced for each Receiver version, https://support.citrix.com/article/CTX232266, but it doesn't include the relevant ciphers. For Windows, it looks like TLS 1.1 and 1.2 support was introduced in the same version, 4.2.100 (April 2015, https://support.citrix.com/article/CTX112613).

 

You can use logging from the Netscaler to report on client Receiver versions being used to log into an environment.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...