
Disable TLS 1.0 and TLS 1.1 on NetScaler



A vulnerability scan of the NetScalers in our environment suggested disabling TLS 1.0 and 1.1.

We have already disabled SSLv2 and SSLv3.

We are planning to keep only TLS 1.2 on all NetScaler management services.

I just want to make sure whether this is the recommended thing to do or not.

Secondly, if I keep only TLS 1.2 enabled on the NetScaler management interfaces, do I need to check other things, like communication with our monitoring tool and NMAS?

Will it affect VIPs which have TLS 1.1 and TLS 1.0 enabled?


You should be disabling TLS 1.0 and TLS 1.1 everywhere but it is [arguably] more critical on externally accessible resources, so start there.

 

In MAS/ADM you can easily modify SSL settings, see https://docs.citrix.com/en-us/netscaler-mas/12/manage-system-settings/how-to-configure-ssl-settings-for-mas.html.

 

Once the protocols are sorted out, you will also need to remove insecure ciphers. The TLS 1.2/TLS 1.3 ciphers below were adequate for an A+ rating in October 2019 but as Johannes mentioned, certain older clients will not be able to connect. You can get all this info if you do a scan of your sites with SSL Labs (https://www.ssllabs.com/ssltest/).

 


TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-SHA256
TLS1.2-ECDHE-ECDSA-AES256-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.3-AES256-GCM-SHA384
TLS1.3-CHACHA20-POLY1305-SHA256
TLS1.3-AES128-GCM-SHA256

 


Replying to the cipher list Gregor Blaj posted on 12/3/2019 at 12:13 AM:

The order is not perfect. TLS 1.3 should be on top, as they may get processed top-down. I'd put CHACHA20-POLY1305 on top, always the 256-bit ones first and the 128-bit ones second. Just a suggestion.

 

I would rather go with this:

TLS1.3-CHACHA20-POLY1305-SHA256
TLS1.3-AES256-GCM-SHA384
TLS1.3-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-AES256-SHA384
TLS1.2-ECDHE-ECDSA-AES128-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256


No. They simply are not used. But don't use too many ciphers: ciphers may be buggy, and the more you are using, the more likely one of them is buggy.

The only thing you have to do is bring the ciphers into a proper order: the stronger they are, the higher up they have to be.

You have to distinguish between a gateway or company-owned resource, only available to employees, and a public website. I don't want to end up not selling anything to customers just to be extra secure. But I want to get the maximum security I can for employees.
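As an added example (not code from this thread or from Citrix), here is a small Python script that applies the ordering rule from the two replies above ("stronger first": TLS 1.3 ahead of 1.2, ChaCha20-Poly1305 first, 256-bit before 128-bit) to a candidate cipher list, rejects anything that does not belong on a TLS 1.2/1.3-only listener (TLS 1.0/SSL3 suites, non-ECDHE suites without forward secrecy, legacy primitives), and prints the NetScaler CLI to create a custom cipher group and bind it in that priority order. The `add ssl cipher` / `bind ssl cipher ... -cipherPriority` / `set ssl vserver ... -tls1 DISABLED -tls11 DISABLED` syntax is the documented NetScaler CLI; `-tls13 ENABLED` only exists on releases that support TLS 1.3 and is an assumption here. The cipher group and vserver names are placeholders; the extra `TLS1-AES-256-CBC-SHA` entry in the demo run is there only to show a rejection.

```python
import re

# The cipher list as posted in the thread (NetScaler cipher names), in the
# original order that the follow-up post calls "not perfect".
THREAD_CIPHERS = [
    "TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS1.2-ECDHE-ECDSA-AES128-SHA256",
    "TLS1.2-ECDHE-ECDSA-AES256-SHA384",
    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.3-AES256-GCM-SHA384",
    "TLS1.3-CHACHA20-POLY1305-SHA256",
    "TLS1.3-AES128-GCM-SHA256",
]

_NAME_RE = re.compile(r"^(?P<proto>SSL[23]|TLS1(?:\.[123])?)-(?P<suite>.+)$")
_BULK_RE = re.compile(r"AES(?P<bits>128|256)|(?P<chacha>CHACHA20)")


def describe(name):
    """Split a NetScaler cipher name into the attributes the policy ranks on."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher name: {name}")
    proto, suite = m.group("proto"), m.group("suite")
    bulk = _BULK_RE.search(suite)
    if bulk is None:
        bits = 0                      # RC4, 3DES, DES, NULL, ...: not acceptable
    elif bulk.group("chacha"):
        bits = 256                    # ChaCha20 uses a 256-bit key
    else:
        bits = int(bulk.group("bits"))
    tls13 = proto == "TLS1.3"
    return {
        "name": name,
        "proto": proto,
        "tls13": tls13,
        # TLS 1.3 suites always use ephemeral key exchange; for TLS 1.2 we
        # insist on ECDHE so every accepted suite has forward secrecy.
        "pfs": tls13 or suite.startswith("ECDHE-"),
        "ecdsa": tls13 or "ECDSA" in suite,
        "aead": "GCM" in suite or "POLY1305" in suite,
        "chacha": bulk is not None and bulk.group("chacha") is not None,
        "bits": bits,
    }


def reject_reasons(info):
    """Reasons a suite must not be bound on a TLS 1.2/1.3-only listener (empty = OK)."""
    reasons = []
    if info["proto"] not in ("TLS1.2", "TLS1.3"):
        reasons.append(f"{info['proto']} suite; only TLS 1.2 and 1.3 stay enabled")
    if not info["pfs"]:
        reasons.append("no ECDHE key exchange, so no forward secrecy")
    if info["bits"] < 128:
        reasons.append("bulk cipher is weak or unrecognised")
    if re.search(r"RC4|3?DES|NULL|EXP|MD5", info["name"]):
        reasons.append("legacy primitive")
    return reasons


def policy_key(info):
    """Sort key for 'stronger first': TLS 1.3 before 1.2, ECDSA before RSA,
    AEAD before CBC, 256-bit before 128-bit, ChaCha20 ahead of AES on ties."""
    return (not info["tls13"], not info["ecdsa"], not info["aead"],
            -info["bits"], not info["chacha"])


def order_ciphers(names):
    """Return (accepted names in policy order, {rejected name: reasons})."""
    accepted, rejected = [], {}
    for name in names:
        info = describe(name)
        reasons = reject_reasons(info)
        if reasons:
            rejected[name] = reasons
        else:
            accepted.append(info)
    accepted.sort(key=policy_key)
    return [i["name"] for i in accepted], rejected


def netscaler_cli(group, vserver, names):
    """NetScaler CLI: create a custom cipher group, bind it in priority order,
    leave only TLS 1.2/1.3 enabled on the vserver and swap DEFAULT for the group.
    (-tls13 is an assumption: drop it on releases without TLS 1.3 support.)"""
    lines = [f"add ssl cipher {group}"]
    for prio, name in enumerate(names, start=1):
        lines.append(f"bind ssl cipher {group} -cipherName {name} -cipherPriority {prio}")
    lines += [
        f"set ssl vserver {vserver} -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED "
        f"-tls12 ENABLED -tls13 ENABLED",
        f"unbind ssl vserver {vserver} -cipherName DEFAULT",
        f"bind ssl vserver {vserver} -cipherName {group}",
    ]
    return lines


if __name__ == "__main__":
    ordered, rejected = order_ciphers(THREAD_CIPHERS + ["TLS1-AES-256-CBC-SHA"])
    for name, why in rejected.items():
        print(f"# rejected {name}: {'; '.join(why)}")
    print("\n".join(netscaler_cli("GRP-TLS12-STRICT", "vs_gateway_ssl", ordered)))
```

Run against the list from the thread, `order_ciphers` returns exactly the reordered list proposed above, with nothing rejected. For the management interface the same protocol flags go on the internal `nshttps` services via `set ssl service` rather than on a vserver, and, as the first reply notes, the MAS/ADM SSL settings page covers the management tier. Rerun an SSL Labs scan afterwards to confirm the protocol and cipher changes took effect.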



Hi all, a quick question related to this topic.

If you disable TLS 1.0 and 1.1 on the NetScaler Gateway virtual server, you mentioned you lose the possibility to connect from some (older) browsers and probably also some (older) Citrix Receivers.

Do you have an idea which older Receiver versions will have issues?

Is this known or listed somewhere?

I know, e.g., that disabling SSL 3.0 had an impact on Citrix Receiver versions lower than 4.5.

I noticed SSL Labs is making it harder to score an A+ rating from January 2020. If you still have TLS 1.0 and 1.1 enabled, the rating will be downgraded to a B rating.

On the SSL Labs test page you see at the moment: "This server supports TLS 1.0 and TLS 1.1. Grade will be capped to B from January 2020."

Thanks for your thoughts,

Greetings,

Chris


Replying to Chris Marreel's question above (posted 16 hours earlier):

The following article shows when TLS support was introduced for each Receiver version, https://support.citrix.com/article/CTX232266, but it doesn't include the relevant ciphers. For Windows, it looks like TLS 1.1 and 1.2 support was introduced in the same version, 4.2.100 (April 2015, https://support.citrix.com/article/CTX112613).

You can use logging from the NetScaler to report on the client Receiver versions being used to log in to an environment.
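An added example (not from the thread or from Citrix) for the original poster's question about existing VIPs and the log-based approach suggested above: before disabling TLS 1.0/1.1 on a vserver, inventory which clients still negotiate those versions against which VIP from the ADC's own SSL logs. The Python below parses constructed sample lines shaped like NetScaler syslog `SSLLOG SSL_HANDSHAKE_SUCCESS` records; the field names it keys on (`ClientIP`, `VserverServiceIP`, `VserverServicePort`, `ClientVersion`, `CipherSuite`) are assumed from that format and should be checked against a real ns.log, and SSL handshake logging has to be enabled on the vserver for the records to exist at all. The IP addresses are documentation ranges, not real hosts.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of NetScaler syslog SSLLOG
# SSL_HANDSHAKE_SUCCESS messages (field names assumed; verify against ns.log).
# Lines 6 and 7 are a handshake failure and an unrelated SSLVPN record that the
# parser must skip.
SAMPLE_LOG = """\
Jan 14 09:01:02 10.0.0.1 01/14/2020:09:01:02 GMT ns 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 101 0 : SPCBId 10 - ClientIP 192.0.2.10 - ClientPort 51001 - VserverServiceIP 198.51.100.5 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session New
Jan 14 09:01:05 10.0.0.1 01/14/2020:09:01:05 GMT ns 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 102 0 : SPCBId 11 - ClientIP 192.0.2.11 - ClientPort 51002 - VserverServiceIP 198.51.100.5 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-128-CBC-SHA TLSv1 Non-Export 128-bit" - Session New
Jan 14 09:01:09 10.0.0.1 01/14/2020:09:01:09 GMT ns 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 103 0 : SPCBId 12 - ClientIP 192.0.2.12 - ClientPort 51003 - VserverServiceIP 198.51.100.5 - VserverServicePort 443 - ClientVersion TLSv1.1 - CipherSuite "AES-256-CBC-SHA TLSv1.1 Non-Export 256-bit" - Session New
Jan 14 09:01:12 10.0.0.1 01/14/2020:09:01:12 GMT ns 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 104 0 : SPCBId 13 - ClientIP 192.0.2.20 - ClientPort 51004 - VserverServiceIP 198.51.100.5 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Non-Export 256-bit" - Session New
Jan 14 09:01:15 10.0.0.1 01/14/2020:09:01:15 GMT ns 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 105 0 : SPCBId 14 - ClientIP 192.0.2.21 - ClientPort 51005 - VserverServiceIP 198.51.100.6 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Non-Export 256-bit" - Session Reuse
Jan 14 09:01:18 10.0.0.1 01/14/2020:09:01:18 GMT ns 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 106 0 : SPCBId 15 - ClientIP 192.0.2.30 - ClientPort 51006 - VserverServiceIP 198.51.100.6 - VserverServicePort 443 - Reason "Unsupported protocol version"
Jan 14 09:01:20 10.0.0.1 01/14/2020:09:01:20 GMT ns 0-PPE-0 : default SSLVPN LOGIN 107 0 : Context user@198.51.100.5 - SessionId: 3 - User user - Client_ip 192.0.2.20 - Nat_ip "Mapped Ip" - Vserver 198.51.100.5:443
"""

# Versions that will stop working once only TLS 1.2 (and 1.3) stay enabled.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

_HANDSHAKE_RE = re.compile(
    r"SSLLOG SSL_HANDSHAKE_SUCCESS .*?"
    r"ClientIP (?P<client>\S+) - .*?"
    r"VserverServiceIP (?P<vip>\S+) - VserverServicePort (?P<port>\d+) - "
    r"ClientVersion (?P<version>\S+) - CipherSuite \"(?P<cipher>[^\"]+)\""
)


def parse_handshake(line):
    """Return the fields of one successful-handshake record, or None for any other line."""
    m = _HANDSHAKE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["vserver"] = f"{rec.pop('vip')}:{rec.pop('port')}"
    return rec


def protocol_inventory(lines):
    """Map each vserver to {negotiated ClientVersion: set of client IPs}."""
    inventory = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_handshake(line)
        if rec:
            inventory[rec["vserver"]][rec["version"]].add(rec["client"])
    return inventory


def legacy_impact(lines):
    """Per vserver, the sorted client IPs that only ever negotiated SSL3/TLS 1.0/1.1,
    i.e. the ones that lose access once those versions are disabled."""
    impact = {}
    for vserver, versions in protocol_inventory(lines).items():
        legacy = set().union(*(ips for v, ips in versions.items() if v in LEGACY_VERSIONS))
        modern = set().union(*(ips for v, ips in versions.items() if v not in LEGACY_VERSIONS))
        impact[vserver] = sorted(legacy - modern)
    return impact


if __name__ == "__main__":
    for vserver, versions in protocol_inventory(SAMPLE_LOG.splitlines()).items():
        counts = {v: len(ips) for v, ips in sorted(versions.items())}
        print(f"{vserver}: {counts}")
    for vserver, clients in legacy_impact(SAMPLE_LOG.splitlines()).items():
        print(f"{vserver}: {len(clients)} client(s) still need TLS 1.0/1.1: {clients}")
```

The ADC normally negotiates the highest version the client offers among those enabled, so a client that shows up at TLSv1.0 or TLSv1.1 in these records genuinely does not offer TLS 1.2, which is why `legacy_impact` subtracts any IP that was also seen at a modern version (e.g. a NAT address shared by old and new clients). Run the same report over a week of ns.log per VIP and you have the list of VIPs that can be changed immediately and the clients (or Receiver installs, cross-referenced with CTX232266) that must be upgraded first.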
