Jump to content
Welcome to our new Citrix community!

TLS ECDHE ciphers and backend servers?

Recommended Posts

I have just recently upgraded a VPX from 12.0 pre 56.0 to 12.1. I have a SSL servicegroup and would expect to see Netscaler present ECDHE ciphers in Client Hello to backend but it does not. The servicegroup is using the DEFAULT_BACKEND cipherlist and the ECDHE ciphers are in the list. It makes no difference if I create a custom cipherlist and use that. 

Specifically I want to be able to use the cipher TLS1.2-ECDHE-RSA-AES256-GCM-SHA384. 

Link to comment
Share on other sites

On 5/19/2020 at 5:58 PM, Marion Bauer1709159214 said:

Just an idea, but maybe TLS1.2 is not even enabled on the serviceGroup?

Cause the cipherGroup DEFAULT_BACKEND change with the releases but the setting if eg TLS1.2 is enabled or disabled stays the same. 


Best Regards,


Thank you for your suggestion. The problem turned out to be that ECC curves were not bound to the SSL servicegroup. As far as I can tell there is no documentation that states that ECC curves should be bound to servicegroups to be able to use ECDHE ciphers against backend services. All the documentation I could find regarding use of ECDHE ciphers notes explicitly that ECC curves can only be bound to front-end entities so it never crossed my mind to check for that on the servicegoup.


If I create a new SSL servicegoup today on 12.1 then ECC curves are bound automatically. I suspect my problem was that the servicegroup was created on a release where ECDHE was not supported on backend services and the upgrade did not update the servicegroup configuration. That would be fine if this was documented in the release notes or the updated documentation but I have not been able to find anything about this problem.




Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...