TLS 1.3 Support in 12.1 55.18 - Version/Cipher Mismatch


When NetScaler 13.0 Beta dropped about a year ago I was able to create a TLS 1.3 VIP in my lab by performing the four standard steps:

  • Enable TLS 1.3 in the SSL Profile
  • Remove the ECC Curve 224
  • Add the TLS 1.3 Ciphers to the top of the cipher order
  • Make sure my entire certificate chain is linked (Server>Inter>Root)

 

However, attempting this on 12.1 55.18 today (the version we are pushing to prod) I can't get my browser or SSL Labs to accept the configuration. Navigating to the VIP in Chrome/"New" Microsoft Edge returns "ERR_SSL_VERSION_OR_CIPHER_MISMATCH".

 

I've Tried:

  • Making a brand new profile with only 1.3 enabled
  • Making a brand new cipher group that ONLY contains the TLS 1.3 ciphers
  • Binding the CA certificates (inter/root) to the VS as CA certs.

 

So far every combination results in SSL Labs saying that all browsers that support 1.3 completely fail, with the rest successfully negotiating via 1.2 (unless I ONLY allow 1.3, then everything fails).

 

We are currently doing a major version upgrade from 11.1 to 12.1, and have already dropped support for <1.2 in our environment globally and would like to start adding support for 1.3. Is anyone out there on this build and working? When I search the forums there were a couple of references to TLS 1.3 breaking for them recently with no answer/fix.

 

I am also unaware of any easy logs/troubleshooting steps in my browser without going full packet capture to see why exactly it thinks it's failing.

 

I am on an SDX-powered VPX.

 

Seemingly related:

https://discussions.citrix.com/topic/399312-tls-13-support/ 

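The poster's complaint that there is no easy way short of a packet capture to see why a browser reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH can be answered from the client side: a probe that dials the VIP with a deliberately narrow client profile (TLS 1.3 only, 1.2-1.3, 1.2 only) reproduces what SSL Labs does per simulated client and returns the handshake error text instead of a browser error code. The program below is an added example, not code from the original post or from Citrix; it stands up a loopback TLS server with a throwaway self-signed certificate (the hostname vip.example.test is made up) so it runs offline, once capped at TLS 1.2 and once allowing TLS 1.3, and runs the three client probes against each. The capped server reproduces the class of failure in the thread (no protocol overlap for a 1.3-only client while a 1.2-1.3 client still negotiates 1.2); it does not model the NetScaler itself. To use Probe against a real VIP, drop InsecureSkipVerify and pass the VIP address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Protocol versions under test, exported by name so callers need not import crypto/tls.
const (
	TLS12 uint16 = tls.VersionTLS12
	TLS13 uint16 = tls.VersionTLS13
)

// selfSignedCert builds a throwaway leaf certificate so the demo server runs offline.
// The hostname vip.example.test is an assumption made up for this example.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vip.example.test"},
		DNSNames:     []string{"vip.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartServer listens on loopback, accepting TLS 1.2 up to maxVersion, and
// completes handshakes until the listener is closed. It stands in for the VIP.
func StartServer(maxVersion uint16) (addr string, ln net.Listener, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	ln, err = tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   TLS12,
		MaxVersion:   maxVersion,
	})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() {
				defer c.Close()
				c.(*tls.Conn).Handshake() // drive the handshake so the client sees a result or an alert
			}()
		}
	}()
	return ln.Addr().String(), ln, nil
}

// Probe dials addr with a client that offers only [minVersion, maxVersion] and
// returns the negotiated protocol. No overlap with the server surfaces as an
// error here, which is what a browser reports as a version/cipher mismatch.
func Probe(addr string, minVersion, maxVersion uint16) (string, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, &tls.Config{
		MinVersion:         minVersion,
		MaxVersion:         maxVersion,
		ServerName:         "vip.example.test",
		InsecureSkipVerify: true, // demo cert only; verify the chain when probing a real VIP
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	switch v := conn.ConnectionState().Version; v {
	case TLS12:
		return "TLS 1.2", nil
	case TLS13:
		return "TLS 1.3", nil
	default:
		return fmt.Sprintf("0x%04x", v), nil
	}
}

func main() {
	clients := []struct {
		name     string
		min, max uint16
	}{{"TLS 1.3 only", TLS13, TLS13}, {"TLS 1.2-1.3 (modern browser)", TLS12, TLS13}, {"TLS 1.2 only", TLS12, TLS12}}
	for _, max := range []uint16{TLS12, TLS13} {
		addr, ln, err := StartServer(max)
		if err != nil {
			panic(err)
		}
		fmt.Printf("server max version 0x%04x\n", max)
		for _, c := range clients {
			if v, err := Probe(addr, c.min, c.max); err != nil {
				fmt.Printf("  %-30s FAIL: %v\n", c.name, err)
			} else {
				fmt.Printf("  %-30s %s\n", c.name, v)
			}
		}
		ln.Close()
	}
}
```

Against the TLS 1.2-capped server the 1.3-only probe fails with a protocol-version alert from the server while the 1.2-1.3 probe lands on TLS 1.2, the same split the poster saw in the SSL Labs client table; against the 1.3-capable server every probe succeeds. Running the three probes against a VIP before and after a profile change gives a pass/fail matrix in seconds without a capture.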

I have an answer, I hope this helps others.

 

"TLSv1.3 is only supported with the enhanced profile. To enable the enhanced profile, see Enable the enhanced profile."

 

Stated in this article:
https://docs.citrix.com/en-us/citrix-adc/13/ssl/tls13-protocol-support.html

How to enable enhanced profiles:
https://docs.citrix.com/en-us/citrix-adc/13/ssl/ssl-profiles/ssl-enabling-the-default-profile.html#enable-the-default-profile

 

I have not enabled enhanced profiles yet, but was able to get this to work by removing the SSL profile and manually entering the desired settings at the VIP level.

 

My next step will be to enable enhanced profiles and try again, after I do a bit more reading to understand the conversion impact.


What exactly are Enhanced SSL Profiles?

Here is the way I am interpreting this - NetScaler until very recently operated in what is now called "legacy SSL Profile" mode. In this mode, SSL settings like what protocols you wanted to enable and what cipher suites you wanted to use could be configured at the Virtual Server level. If you were a bit of a power user with more than just a handful of Virtual Servers, you could create profiles so that you could manage your settings centrally without having to configure each Virtual Server individually.

 

Then Citrix decided that it's sort of silly to make SSL profiles optional, since most people want the functionality of profiles but may not know they should use them (same configuration across a large group of Virtual Servers that can be applied everywhere with a single change). The article seems to indicate the reason behind this change in mindset is that ciphers and protocols are being deprecated at a faster rate, so forcing everyone to use profiles takes some of the overhead out of staying up to date.

 

Quote

Vulnerabilities in SSLv3 and RC4 implementation have emphasized the need to use the latest ciphers and protocols to negotiate the security settings for a network connection. Implementing any changes to the configuration, such as disabling SSLv3 across thousands of SSL end points, is a cumbersome process. Therefore, settings that were part of the SSL end points configuration have been moved to the SSL profiles, along with the default ciphers. To implement changes in the configuration, including cipher support, you need only modify the profile that is bound to the entities.

 

So, in this new world once you enable the default profile I expect that you can no longer configure per-VIP SSL settings without making a custom SSL profile. It makes sense, and should probably be the default setting for new NetScaler builds. I personally only operate with 3 profiles at the moment: a "Modern/Strict" profile, a more "Relaxed" profile for those legacy apps you just can't get rid of, and one for when I need SNI.

 

The part I am trying to work out now is how to get there.

 

Implementation:

If I am reading the documentation correctly, it states that the moment I enable the default profile all of my Virtual Servers that currently have an SSL Profile bound, will lose that binding and the default settings will take place. In my case, every SSL Virtual Server I have has a profile... not cool.

 

Quote

The following command enables the default profile and binds this profile to the SSL entities to which a profile is already bound. That is, if a profile (for example P1) is already bound to an SSL entity, P1 is replaced by the default front-end profile or the default back-end profile. The older profile (P1) is not deleted. It is now an enhanced SSL profile and contains the earlier settings, and the ciphers and ECC curves. If you do not want the default profile, you can explicitly bind P1 to the SSL entity.

...

If a legacy profile (P1) is already bound to an SSL entity, and you enable the default profile, the default profile overrides the earlier binding. That is, the default profile is bound to the SSL entities. If you do not want the default profile to be bound, you must bind P1 to the SSL entity again.

 

Going by the statement above, cutting over to this new style, while desired (mainly for TLS 1.3 support), doesn't seem like it's going to be a small feat. I am going to do some testing on what my procedure for this would be in the lab and circle back to this thread in the next few days.

 

If the way I am interpreting this is correct, it seems I will most likely need to configure my default profile to be very lax with the most amount of protocol support, enable the profile, then go back and apply custom profiles to all my virtual servers again with my desired configuration - just to reduce production impact for the cutover.

 

From: https://docs.citrix.com/en-us/citrix-adc/12-1/ssl/ssl-profiles/ssl-enabling-the-default-profile.html 
