Avinish Pathak1709161001 Posted November 27, 2019
A vulnerability scan of the NetScalers in our environment suggested disabling TLS 1.0 and 1.1. We have already disabled SSLv2 and SSLv3. We are planning to keep only TLS 1.2 on all NetScaler management services. I just want to make sure whether this is the recommended thing to do or not. Secondly, if I keep only TLS 1.2 enabled on the NetScaler management interfaces, do I need to check other things, like communication with our monitoring tool and NMAS? Will it affect VIPs which have TLS 1.1 and TLS 1.0 enabled?
Johannes Norz Posted November 28, 2019
It's recommended. Just turn off TLS 1.0 and 1.1. However, you may lose some customers (XP, Vista, old iPhones, old Android devices ...).
Cheers, Johannes Norz (@Citrix_ADC)
Gregor Blaj Posted December 3, 2019
You should be disabling TLS 1.0 and TLS 1.1 everywhere, but it is [arguably] more critical on externally accessible resources, so start there. In MAS/ADM you can easily modify the SSL settings, see https://docs.citrix.com/en-us/netscaler-mas/12/manage-system-settings/how-to-configure-ssl-settings-for-mas.html. Once the protocols are sorted out, you will also need to remove insecure ciphers. The TLS 1.2/TLS 1.3 ciphers below were adequate for an A+ rating in October 2019, but as Johannes mentioned, certain older clients will not be able to connect. You can get all this info if you do a scan of your sites with SSL Labs (https://www.ssllabs.com/ssltest/).
TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-SHA256
TLS1.2-ECDHE-ECDSA-AES256-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.3-AES256-GCM-SHA384
TLS1.3-CHACHA20-POLY1305-SHA256
TLS1.3-AES128-GCM-SHA256
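SSL Labs can only reach Internet-facing VIPs. For the management interfaces and internal VIPs the original question is about, and for checking what a monitoring host or NMAS is still able to negotiate once TLS 1.0/1.1 are off, the following Python probe is an added example (not part of the thread and not Citrix code). It pins one handshake to each TLS version in turn and reports which versions the target still accepts and which cipher it picks; the host and port are placeholders you supply, and certificate validation is skipped on purpose because the probe measures protocol support, not trust. Run it from the monitoring host against the NSIP or a VIP and you see the same information SSL Labs would show, plus whether a failure came from the server refusing the version or from the probe itself not connecting.

```python
"""Probe which TLS protocol versions a server accepts and which cipher it
negotiates for each. Added example; not from the thread or from Citrix."""
import socket
import ssl

# Versions to try, oldest first (ssl.TLSVersion exists in Python 3.7+).
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLS 1.0", "TLS 1.1")


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns (accepted, cipher_name_or_None, detail). `detail` carries the
    negotiated version on success, otherwise the stage that failed, so a
    server refusing TLS 1.0 ("handshake: ...") is distinguishable from the
    probe not connecting at all ("connect: ...") or the local OpenSSL build
    not supporting that version ("client setup: ...").
    """
    stage = "client setup"
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Protocol probe only: do not validate the certificate chain here.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Offer legacy suites too, otherwise OpenSSL's security level can
        # fail a TLS 1.0/1.1 handshake on the client side and mask the
        # server's real state. TLS 1.3 suites are unaffected by set_ciphers.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            ctx.set_ciphers("ALL")
        stage = "connect"
        with socket.create_connection((host, port), timeout=timeout) as raw:
            stage = "handshake"
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.cipher()[0], tls.version()
    except (OSError, ValueError) as exc:
        # ssl.SSLError and ConnectionRefusedError are both OSError subclasses;
        # ValueError covers versions this Python/OpenSSL build cannot set.
        return False, None, f"{stage}: {getattr(exc, 'reason', None) or exc}"


def probe_host(host, port=443):
    """Probe every version in VERSIONS; returns {label: (accepted, cipher, detail)}."""
    return {label: probe_version(host, port, ver) for label, ver in VERSIONS.items()}


def legacy_enabled(results):
    """Names of the deprecated versions the server still accepted."""
    return [label for label in LEGACY if results[label][0]]


def free_local_port():
    """Pick a local port nothing listens on (used for an offline dry run)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Placeholder target: replace with your NSIP, management address or VIP.
    target_host, target_port = "127.0.0.1", free_local_port()
    results = probe_host(target_host, target_port)
    for label, (ok, cipher, detail) in results.items():
        state = f"accepted, cipher {cipher}" if ok else f"not accepted ({detail})"
        print(f"{label}: {state}")
    if legacy_enabled(results):
        print("WARNING: deprecated versions still enabled:", legacy_enabled(results))
```

Pair this with Gregor's advice: a clean result on the external VIP from SSL Labs, and a clean result from this probe against the NSIP and the internal VIPs, is the check that the protocol change actually took effect everywhere.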
Johannes Norz Posted December 4, 2019
On 12/3/2019 at 12:13 AM, Gregor Blaj said:
TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-SHA256
TLS1.2-ECDHE-ECDSA-AES256-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.3-AES256-GCM-SHA384
TLS1.3-CHACHA20-POLY1305-SHA256
TLS1.3-AES128-GCM-SHA256
The order is not perfect. TLS 1.3 should be on top, as they may get processed top down. I'd put the CHACHA20/POLY1305 ciphers on top, always the 256 first and the 128 second. Just a suggestion. I would rather go with this:
TLS1.3-CHACHA20-POLY1305-SHA256
TLS1.3-AES256-GCM-SHA384
TLS1.3-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-SHA384
TLS1.2-ECDHE-ECDSA-AES128-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
Avinish Pathak1709161001 (Author) Posted December 4, 2019
Thank you Johannes for your reply. So you are saying that, after disabling TLS 1.0 and TLS 1.1 on the services, I also have to remove the related ciphers from the cipher list? Don't they get disabled automatically and stop being used once I have disabled the TLS 1.0 and TLS 1.1 protocols?
Johannes Norz Posted December 4, 2019
No. They simply are not used. But don't use too many ciphers; ciphers may be buggy, and the more you're using, the more likely one of them is buggy. The only thing you have to do is bring the ciphers into a proper order: the stronger they are, the higher up they have to be. You have to distinguish between a gateway or company-owned resource, only available to employees, and a public website. I don't want to not sell anything to customers just to be extra secure. But I want to get the maximum security I can for employees.
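To make the ordering rule from the two posts above concrete, the following Python script is an added example (not from the thread and not Citrix code). It sorts the cipher names Gregor posted by the preference Johannes describes (TLS 1.3 above TLS 1.2, CHACHA20-POLY1305 first, 256-bit before 128-bit) and, to reproduce his full list, additionally ranks ephemeral ECDHE above static key exchange, ECDSA above RSA and AES-GCM above AES-CBC; those three tie-breakers are my reading of his list, not something he stated. It then emits NetScaler CLI lines for a cipher group with explicit priorities. The vserver name vs_gateway and group name MODERN are placeholders; the assumed CLI forms are add ssl cipher, bind ssl cipher -cipherName -cipherPriority, unbind/bind ssl vserver -cipherName and set ssl vserver -ssl3/-tls1/-tls11/-tls12, which you should confirm against the documentation for your firmware. Enabling TLS 1.3 depends on firmware and SSL profile and is deliberately not emitted.

```python
"""Order a NetScaler cipher list strongest-first and emit the CLI lines that
bind it. Added example; not from the thread or from Citrix."""
import re

# The TLS 1.2/1.3 ciphers Gregor posted, in the order he posted them.
GREGOR_CIPHERS = [
    "TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS1.2-ECDHE-ECDSA-AES128-SHA256",
    "TLS1.2-ECDHE-ECDSA-AES256-SHA384",
    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.3-AES256-GCM-SHA384",
    "TLS1.3-CHACHA20-POLY1305-SHA256",
    "TLS1.3-AES128-GCM-SHA256",
]


def cipher_rank(name):
    """Sort key for NetScaler cipher names; smaller sorts (and binds) first.

    Preference encoded: TLS 1.3 before TLS 1.2, ephemeral ECDHE before static
    key exchange, ECDSA before RSA, CHACHA20 then AES-GCM then AES-CBC,
    256-bit keys before 128-bit. The ECDHE/ECDSA/GCM tie-breakers are an
    assumption made to reproduce Johannes' list exactly.
    """
    proto = name.split("-")[0]                      # "TLS1.3" or "TLS1.2"
    proto_rank = 0 if proto == "TLS1.3" else 1
    kex_rank = 0 if proto == "TLS1.3" or "-ECDHE-" in name else 1
    auth_rank = 1 if "-RSA-" in name else 0         # ECDSA, or TLS 1.3 (no auth in name)
    if "CHACHA20" in name:
        mode_rank, bits = 0, 256
    else:
        mode_rank = 1 if "-GCM-" in name else 2     # AEAD before CBC
        m = re.search(r"AES(\d+)", name)
        bits = int(m.group(1)) if m else 0          # unrecognised pattern sorts last
    return (proto_rank, kex_rank, auth_rank, mode_rank, -bits)


def order_ciphers(ciphers):
    """Return the list strongest-first according to cipher_rank."""
    return sorted(ciphers, key=cipher_rank)


def netscaler_commands(vserver, group, ciphers):
    """NetScaler CLI lines (assumed syntax, verify against your firmware):
    create a cipher group with explicit priorities, swap it in for DEFAULT on
    the vserver, and turn off SSLv3, TLS 1.0 and TLS 1.1."""
    lines = [f"add ssl cipher {group}"]
    for prio, cipher in enumerate(order_ciphers(ciphers), start=1):
        lines.append(f"bind ssl cipher {group} -cipherName {cipher} -cipherPriority {prio}")
    lines += [
        f"unbind ssl vserver {vserver} -cipherName DEFAULT",
        f"bind ssl vserver {vserver} -cipherName {group}",
        # TLS 1.3 is enabled through the SSL profile on recent firmware; not emitted here.
        f"set ssl vserver {vserver} -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED",
    ]
    return lines


if __name__ == "__main__":
    # vs_gateway and MODERN are placeholder names; substitute your own.
    print("\n".join(netscaler_commands("vs_gateway", "MODERN", GREGOR_CIPHERS)))
```

The priorities are explicit rather than relying on bind order, which is the point Johannes makes about the list being processed top down; keeping the group short also follows his advice that every extra cipher is extra code that might be buggy.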
Chris Marreel Posted January 4, 2020
Hi All, a quick question related to this topic. If you disable TLS 1.0 and 1.1 on the NetScaler Gateway Virtual Server, you mentioned you lose the possibility to connect from some (older) browsers and probably also some (older) Citrix Receivers. Do you have an idea which older Receiver versions will have issues? Is this known or listed somewhere? I know, e.g., that disabling SSL 3.0 had an impact on Citrix Receiver versions lower than 4.5. I noticed SSL Labs is making it harder to score an A+ rating from January 2020. If you still have TLS 1.0 and 1.1 enabled, the rating will be downgraded to a B rating. On the SSL Labs test page you see at the moment: "This server supports TLS 1.0 and TLS 1.1. Grade will be capped to B from January 2020."
Thanks for your thoughts, greetings, Chris
Gregor Blaj Posted January 5, 2020
16 hours ago, Chris Marreel said:
Hi All, a quick question related to this topic. If you disable TLS 1.0 and 1.1 on the NetScaler Gateway Virtual Server, you mentioned you lose the possibility to connect from some (older) browsers and probably also some (older) Citrix Receivers. Do you have an idea which older Receiver versions will have issues? Is this known or listed somewhere? I know, e.g., that disabling SSL 3.0 had an impact on Citrix Receiver versions lower than 4.5. I noticed SSL Labs is making it harder to score an A+ rating from January 2020. If you still have TLS 1.0 and 1.1 enabled, the rating will be downgraded to a B rating. On the SSL Labs test page you see at the moment: "This server supports TLS 1.0 and TLS 1.1. Grade will be capped to B from January 2020."
Thanks for your thoughts, greetings, Chris
The following article shows when TLS support was introduced for each Receiver version, https://support.citrix.com/article/CTX232266, but it doesn't include the relevant ciphers. For Windows, it looks like TLS 1.1 and 1.2 support was introduced in the same version, 4.2.100 (April 2015, https://support.citrix.com/article/CTX112613). You can use logging from the NetScaler to report on the client Receiver versions being used to log into an environment.
Chris Marreel Posted January 6, 2020
Hi Warnox, thanks for pointing me in the right direction. As far as I understand, Citrix Receiver has already worked via TLS 1.2 for a long time, so it seems to be a good decision to disable TLS 1.0 and 1.1 on the Virtual Server running the Gateway.
Thanks and greetings, Chris