After disabling TLS 1.1, Qualys still reports it is enabled



If you look at the 3rd screenshot it tells you which ciphers are being considered as TLS1.1. If you look at https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1511 and search for TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (one of the ones listed in the 3rd screenshot) it shows that it supports 1.0 - 1.2. I have a feeling that TLS1.2-ECDHE-RSA-AES-256-SHA384, TLS1.2-ECDHE-RSA-AES-128-SHA256, TLS1.2-DHE-RSA-AES-GCM-SHA384, and TLS1.2-DHE-RSA-AES128-GCM-SHA256 are the ones that support lower versions of TLS than 1.2. Try removing them and then running the scan again.


Ah ha! This Netscaler is behind a WatchGuard XTM with an HTTPS packet filter (not to be confused with an HTTPS proxy which the XTM also supports). We have Geoblocking and IPS enabled on the NAT policy. Once I disabled both Geoblocking and IPS on the incoming HTTPS policy, TLS 1.1 disappeared from the test results.
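The check discussed in this thread, as an added example that is not part of either post: a raw ClientHello probe that reports which protocol version and cipher suite the first device to answer actually selects, so the same test can be run through the firewall path and directly against the load balancer. The function names, the three offered cipher suites and the restriction to TLS 1.0/1.1 are assumptions of this sketch.

```python
import os, socket, struct

TLS1_0, TLS1_1 = 0x0301, 0x0302    # wire values of the legacy versions to test
# Suites defined for TLS 1.0-1.2: ECDHE-RSA-AES256-CBC-SHA, RSA-AES256-CBC-SHA, RSA-AES128-CBC-SHA
SUITES = [0xC014, 0x0035, 0x002F]

def client_hello(version, host):
    """Build a minimal ClientHello whose highest offered version is `version`."""
    name = host.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name  # SNI
    ext += struct.pack("!HHHHH", 10, 6, 4, 23, 24)   # supported_groups: secp256r1, secp384r1
    ext += struct.pack("!HHBB", 11, 2, 1, 0)         # ec_point_formats: uncompressed
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"    # version, random, no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs

def parse_reply(data):
    """Classify the first TLS record: server_hello (version, suite), alert (level, code) or none."""
    if len(data) < 5:
        return ("none",)
    ctype, _, length = struct.unpack("!BHH", data[:5])
    frag = data[5:5 + length]
    if ctype == 21 and len(frag) >= 2:
        return ("alert", frag[0], frag[1])
    if ctype == 22 and len(frag) >= 39 and frag[0] == 2:
        sid_len = frag[38]                           # after type(1) len(3) version(2) random(32)
        if len(frag) >= 41 + sid_len:
            version, = struct.unpack("!H", frag[4:6])
            suite, = struct.unpack("!H", frag[39 + sid_len:41 + sid_len])
            return ("server_hello", version, suite)
    return ("none",)

def probe(host, port, version, timeout=5.0):
    """Send one ClientHello and report what the first device to answer replies with."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello(version, host))
            while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass                                         # reset or timeout: no TLS answer
    return parse_reply(data)
```

Only a `server_hello` whose version equals the offered one (for example `probe(host, 443, TLS1_1)` returning `0x0302`) means that version is enabled on the answering device; an alert with code 70 (`protocol_version`) or no reply means it was refused.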


