Jump to content
Welcome to our new Citrix community!

NetScaler TLS and RSA, and AES_256_CBC with HMAC-SHA1 "connection obsolete" error


Recommended Posts

Hi everyone,

 

I'm running the latest NetScaler VPX with legit SSL certificate and has been running that setup for the past, well almost a decade. 

 

Suddenly Chrome is now reporting the following issue when one goes into developer mode and then "security" section:

Connection - obsolete connection settings



The connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_256_CBC with HMAC-SHA1.



RSA key exchange is obsolete. Enable an ECDHE-based cipher suite.

AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.

 

Here's a screen shot. Is this of concern? How would you solve this by changing what settings in VPX?

 

Thank you

 

 

 

vpx.png

Link to comment
Share on other sites

When you look at the lb vserver or vpn vserver parameters, you can adjust SSL settings via SSL Parameters (ssl properties on the vserver) or via SSL Profiles. The profiles are the preferred way to do this and more flexible, allowing you to define settings in one profile and link them to multiple vservers.  If a conflict, the profile overrides the parameters if both are present.

 

0) First determine if your current vserver is using parameters or profiles to set the settings. Choose a method and stick with it.  Not all settings are controlled via parameter/profile. But I will use the phrase SSL Profile to simplify the reference below.

 

1) Adjust SSL/TLS Protocols:  In the SSL parameters or SSL Profile, enable/disable necessary protocols:  SSL v2/SSL v3, TLS 1.0 should be disabled; TLS 1.1/1.2 may be on by default, but TLS 1.3 may be off on vpx.  Adjust either as appropriate.

 

2) The vserver is likely using the "DEFAULT" cipher group automatically.  Under Traffic Management > SSL > Cipher Groups you can create a custom strong security cipher group with just the groups you require.  The default group list may be including ciphers that the latest security is seeing as less ideal.  Also, the order the ciphers are specified matters.  Create the custom group to meet your security requirements and then bind the cipher group to the lb/vpn vserver under the Cipher Groups section (this is not covered by the SSL parameters/SSL Profile).  I think adjusting this list will take care of your RSA/ECDH messages above.  (Examples in references below.)

 

 

 

References:

Citrix 13.0 Admin Guide on ssl profile / ssl settings:  https://docs.citrix.com/en-us/citrix-adc/13/ssl/ssl-profiles/ssl-enabling-the-default-profile.html

 

Also for reference:
2018 version of A+ rating (so admittedly dated, but may give you some settings to consider):  https://www.citrix.com/blogs/2018/05/16/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-q2-2018-update/

2019 reference which should be newer:  https://www.thomaspreischl.de/citrix-adc-ssl-settings/

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...