
Updating Netscaler VPX "internal services" SSL/TLS versions to TLS 1.2 only and cipher update


Josh Slaney


By default the internal SSL services running on the Netscaler have SSLv3, TLS 1, TLS 1.1, and TLS 1.2 enabled. These internal services are used for secure RPC, Web access, and other "internal services" and use protocols like SSL, SSL_TCP, RPCSVRS, and SIP_SSL. I've gone through each internal service and disabled SSLv3, TLS 1, and TLS 1.1.


set ssl service nskrpcs-(SNIPADDRESS)-3009 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nshttps-(SNIPADDRESS)-443 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nsrpcs-(SNIPADDRESS)-3008 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nshttps-(SNIPADDRESS)-443 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nsrpcs-(SNIPADDRESS)-3008 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nsrnatsip-127.0.0.1-5061 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nskrpcs-127.0.0.1-3009 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nshttps-::1l-443 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nsrpcs-::1l-3008 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nshttps-127.0.0.1-443 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nsrpcs-127.0.0.1-3008 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED


Is this standard procedure for hardening these internal services? Is there anything I've done that is not recommended or that I need to be careful with? I am also going to update the ciphers on each of these services with a custom list from this document: https://docs.citrix.com/en-us/citrix-adc-secure-deployment.html (published on 8/24/21).


Citrix ADC recommended cipher suites:

The following ciphers supported by Citrix ADC do not include any components on the “mandatory discard” list. These ciphers are organized by key-exchange (RSA, DHE, and ECDHE) then by placing the higher performing ones at the top with the higher security ones at the bottom:
Recommend RSA Key Exchange Cipher suites:
• TLS1-AES-128-CBC-SHA
• TLS1-AES-256-CBC-SHA
• TLS1.2-AES-128-SHA256
• TLS1.2-AES-256-SHA256
• TLS1.2-AES128-GCM-SHA256
• TLS1.2-AES256-GCM-SHA384
Recommend DHE Key Exchange Cipher suites:
• TLS1-DHE-RSA-AES-128-CBC-SHA
• TLS1-DHE-RSA-AES-256-CBC-SHA
• TLS1.2-DHE-RSA-AES-128-SHA256
• TLS1.2-DHE-RSA-AES-256-SHA256
• TLS1.2-DHE-RSA-AES128-GCM-SHA256
• TLS1.2-DHE-RSA-AES256-GCM-SHA384
Recommend ECDHE Key Exchange Cipher suites:
• TLS1-ECDHE-RSA-AES128-SHA
• TLS1-ECDHE-RSA-AES256-SHA
• TLS1.2-ECDHE-RSA-AES-128-SHA256
• TLS1.2-ECDHE-RSA-AES-256-SHA384
• TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
• TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
Recommend Cipher suites in the order of preference:
The following list of ciphers includes RSA, DHE, and ECDHE key exchanges. It provides the best compromise between security, performance, and compatibility.
1. TLS1.2-AES128-GCM-SHA256
2. TLS1.2-AES-128-SHA256
3. TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
4. TLS1.2-ECDHE-RSA-AES-128-SHA256
5. TLS1-ECDHE-RSA-AES128-SHA
6. TLS1.2-DHE-RSA-AES128-GCM-SHA256
7. TLS1.2-DHE-RSA-AES-128-SHA256
8. TLS1-DHE-RSA-AES-128-CBC-SHA
9. TLS1-AES-128-CBC-SHA
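The two mechanical parts of the procedure above, as an added example that is not code from the post, from Citrix, or from the appliance: a Python audit of `set ssl service` lines (as found in ns.conf or the output of `show ns runningConfig`) that flags internal services still accepting SSLv3, TLS 1.0 or TLS 1.1, and a generator that turns the "order of preference" list into the `add ssl cipher` / `bind ssl cipher ... -cipherPriority` commands for a custom cipher group, with switches to drop static-RSA key exchange and CBC suites. Assumptions: the internal-service prefix list, the function names, the sample config lines (constructed, two of them copied from the post), and the post's statement that the legacy protocols are enabled by default when no flag is present.

```python
"""Audit NetScaler internal SSL services and build a custom cipher group.

Added example (not code from the forum post or from Citrix). The ns.conf
lines and the cipher names are copied from the thread; the function names,
INTERNAL_PREFIXES and the two policy switches are this example's own.
"""
import re
from dataclasses import dataclass

# Internal service name prefixes that appear in the post. Assumption: the list
# covers the internal services on the poster's build; extend it for others.
INTERNAL_PREFIXES = ("nshttps-", "nsrpcs-", "nskrpcs-", "nsrnatsip-")
LEGACY_PROTOCOLS = ("ssl3", "tls1", "tls11")

# Constructed sample config: two lines from the post, one with TLS 1.0 left on,
# one with no protocol flags at all, and a non-internal vserver line to ignore.
SAMPLE_CONF = """\
set ssl service nskrpcs-127.0.0.1-3009 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nshttps-::1l-443 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl service nsrpcs-127.0.0.1-3008 -eRSA ENABLED -sessReuse DISABLED -ssl3 DISABLED -tls1 ENABLED
set ssl service nshttps-127.0.0.1-443 -eRSA ENABLED -sessReuse DISABLED
set ssl vserver app_vs -ssl3 DISABLED -tls1 DISABLED
"""

SET_SERVICE = re.compile(r"^set ssl service (\S+)(.*)$")
FLAG = re.compile(r"-(\w+) (ENABLED|DISABLED)")


def audit_internal_services(conf_text):
    """Map each internal service to the legacy protocols it still accepts.

    Assumption taken from the post: a flag missing from the line keeps the
    build default, which is ENABLED for ssl3/tls1/tls11, so absence counts.
    """
    findings = {}
    for line in conf_text.splitlines():
        m = SET_SERVICE.match(line.strip())
        if not m or not m.group(1).startswith(INTERNAL_PREFIXES):
            continue
        flags = dict(FLAG.findall(m.group(2)))
        findings[m.group(1)] = [
            p for p in LEGACY_PROTOCOLS if flags.get(p, "ENABLED") == "ENABLED"
        ]
    return findings


# The nine suites from the Citrix "order of preference" list in the post.
RECOMMENDED_ORDER = [
    "TLS1.2-AES128-GCM-SHA256",
    "TLS1.2-AES-128-SHA256",
    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-RSA-AES-128-SHA256",
    "TLS1-ECDHE-RSA-AES128-SHA",
    "TLS1.2-DHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-DHE-RSA-AES-128-SHA256",
    "TLS1-DHE-RSA-AES-128-CBC-SHA",
    "TLS1-AES-128-CBC-SHA",
]

# Citrix suite names: TLS1[.2]-[DHE-RSA-|ECDHE-RSA-]AES[-]<bits>[-GCM|-CBC]-SHA[256|384]
SUITE_NAME = re.compile(
    r"TLS1(?:\.2)?-(?:(DHE|ECDHE)-RSA-)?AES-?(128|256)(?:-(GCM|CBC))?-SHA(?:256|384)?"
)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str  # "RSA" (static), "DHE" or "ECDHE"
    mode: str          # "GCM" or "CBC"
    bits: int


def parse_suite(name):
    """Split a Citrix cipher name into key exchange, AEAD/CBC mode and key size."""
    m = SUITE_NAME.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised Citrix cipher name: {name}")
    # Names without an explicit -CBC- (e.g. TLS1.2-AES-128-SHA256) are CBC suites.
    return Suite(name, m.group(1) or "RSA", m.group(3) or "CBC", int(m.group(2)))


def cipher_group_commands(group, names=RECOMMENDED_ORDER, require_pfs=False, gcm_only=False):
    """Emit the CLI lines for a custom cipher group, preserving the given order.

    require_pfs drops static-RSA key exchange; gcm_only drops the CBC suites
    (the "remove all non-GCM ciphers" stance mentioned later in the thread).
    """
    kept = [s for s in map(parse_suite, names)
            if not (require_pfs and s.key_exchange == "RSA")
            and not (gcm_only and s.mode != "GCM")]
    commands = [f"add ssl cipher {group}"]
    for priority, s in enumerate(kept, start=1):
        commands.append(
            f"bind ssl cipher {group} -cipherName {s.name} -cipherPriority {priority}"
        )
    return commands


if __name__ == "__main__":
    for svc, legacy in audit_internal_services(SAMPLE_CONF).items():
        print(f"{svc}: {'OK' if not legacy else 'still enabled: ' + ', '.join(legacy)}")
    print("\n".join(cipher_group_commands("internal-tls12", require_pfs=True, gcm_only=True)))
```

Run the audit over a saved copy of the running config before and after the hardening pass; a service that appears with an empty list is the desired end state, and any service missing from the output entirely was never given a `set ssl service` line at all. The generated group is applied with `bind ssl service <name> -cipherName <group>` per internal service; check the result with `show ssl service <name>`, which lists the bound ciphers and the protocol flags in one place.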


If you enable the "default SSL profile", then you can modify the default SSL Profile and it should apply to the Internal Services.


Here's another list - https://www.citrix.com/blogs/2018/05/16/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-q2-2018-update/ . Typically the ECDHE GCM ciphers are prioritized over the others. Security people say to remove all non-GCM ciphers.


ADC has a built-in "Secure" cipher group.

On 8/26/2021 at 4:51 AM, Carl Stalhood1709151912 said:

If you enable the "default SSL profile", then you can modify the default SSL Profile and it should apply to the Internal Services.


Here's another list - https://www.citrix.com/blogs/2018/05/16/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-q2-2018-update/ . Typically the ECDHE GCM ciphers are prioritized over the others. Security people say to remove all non-GCM ciphers.


ADC has a built-in "Secure" cipher group.

Thanks for the response, Carl. Enabling the default profile is a somewhat scary proposition on my end. I found this:

"Important After upgrading the software, if you enable the profile, you cannot reverse the changes. That is, the profile cannot be disabled. Therefore, the only way to reverse the change is to reboot using the old configuration. Note A single operation (Enable Default Profile or set ssl parameter -defaultProfile ENABLED) enables (binds) both the default front-end profile and the default back-end profile."

My concern is avoiding SSL-related errors with my existing applications on the frontend/backend connections. If those default profiles break something, there is no quick way to back out. Does the default profile bind the front-end profile to those internal services?

My long-term goal was to create a separate SSL profile to apply to my VIPs that have common settings and modify that moving forward without enabling the default profiles.
