
ECDSA Cipher suites not being used


Roy Smith


Hi

 

We have configured the following cipher suites as part of steps to secure our published sites. 

 

TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305
TLS1.2-ECDHE-RSA-CHACHA20-POLY1305

 

What I've noticed is that if we do a test using ssllabs.com/ssltest, the ECDSA-based ciphers do not seem to be used. Only the RSA ciphers are used. Does anyone know why these would not be used?

 

We are running NS13.0 84.11.nc

 

Many thanks

Roy

 


^ What Carl said.

For your chosen Cipher Group which contains both RSA and ECC ciphers, you'll need both ECC and RSA certs bound to your Virtual Server.

In the NetScaler, you'll need to use the Create ECDSA Key button to generate a new key.  Generate a CSR from that key and submit it to your cert vendor, specifically requesting an ECC cert.  When you get the ECC cert back from them, bind it to the VS alongside your existing RSA cert.  (Don't bind it as an SNI cert; your version of NetScaler will allow you to bind them both as "normal" certs without one replacing the other.)

 

I've done this for two production sites and it works well.  The only catch is that if you want to add ECC certs to all your sites, you've basically doubled your certificate work as you probably need to retain all your RSA certs in case some of your clients need them.  Over the next month/year, you could use Citrix ADM to see what sites still require the RSA certs and shed them for sites that don't.

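The behaviour described in the reply above can be reproduced off-box. This is an added example, not part of the thread and not NetScaler configuration: it uses OpenSSL's `s_server`/`s_client` on loopback with throwaway self-signed certs, and shows that an ECDHE-ECDSA suite is only negotiated once an ECC cert is loaded alongside the RSA one. The ports, temp paths and function names are assumptions; OpenSSL names the suites without the `TLS1.2-` prefix.

```shell
#!/usr/bin/env bash
# Constructed lab: throwaway self-signed certs for CN=localhost, loopback only.
LAB=$(mktemp -d)

make_certs() {
  # RSA key + certificate (stand-in for the existing RSA cert)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$LAB/rsa.key" -out "$LAB/rsa.crt" 2>/dev/null
  # ECDSA P-256 key + certificate (stand-in for the new ECC cert)
  openssl ecparam -name prime256v1 -genkey -noout -out "$LAB/ec.key"
  openssl req -x509 -new -key "$LAB/ec.key" -days 1 -subj "/CN=localhost" \
    -out "$LAB/ec.crt" 2>/dev/null
}

# negotiated PORT CLIENT_CIPHER SERVER_ARGS...
# Starts a TLS 1.2 test server with the given certs, offers a single cipher
# from the client, and prints the negotiated suite, or "(NONE)" on failure.
negotiated() {
  port=$1; cipher=$2; shift 2
  openssl s_server -accept "$port" -tls1_2 -www "$@" >/dev/null 2>&1 &
  pid=$!
  result=""
  for try in 1 2 3 4 5 6 7 8 9 10; do
    result=$(openssl s_client -connect "127.0.0.1:$port" -tls1_2 \
      -cipher "$cipher" </dev/null 2>/dev/null |
      awk '/Cipher is/ {print $NF; exit}')
    [ -n "$result" ] && break
    sleep 1   # server not listening yet, retry
  done
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  echo "${result:-(NONE)}"
}

# Server certificate sets: RSA only, then RSA plus ECC (-dcert/-dkey).
RSA_ONLY="-cert $LAB/rsa.crt -key $LAB/rsa.key"
BOTH="$RSA_ONLY -dcert $LAB/ec.crt -dkey $LAB/ec.key"

make_certs
echo "RSA cert only, ECDSA suite:   $(negotiated 44331 ECDHE-ECDSA-AES256-GCM-SHA384 $RSA_ONLY)"
echo "RSA + ECC certs, ECDSA suite: $(negotiated 44332 ECDHE-ECDSA-AES256-GCM-SHA384 $BOTH)"
echo "RSA + ECC certs, RSA suite:   $(negotiated 44333 ECDHE-RSA-AES256-GCM-SHA384 $BOTH)"
```

The same `openssl s_client -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384` probe can be pointed at a published site after the ECC cert is bound to confirm the result SSL Labs reports.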
