
TLS 1.3 is not working if enabled through SSL profile


Hello, 

 

I would like to know if the following article is still valid as there is no trace of this problem in the additional resource linked to it.
https://support.citrix.com/article/CTX259045/citrix-adc-tls-13-is-not-working-if-enabled-through-ssl-profile


If still valid, I ask if when the command ‘set ssl parameter -defaultProfile E’ is executed, the Enhanced SSL profile settings will override the existing SSL profile settings bound on the Vserver as well as on the Vservice.

And if the only way to undo this change is a reboot before saving the configuration.

Thank you in advance


Here is a snippet from the latest Workspace App Tech Preview.

 

Connections using the NetScaler Gateway Service attempt to use TLS 1.3. However, these connections fall back to TLS 1.2 because NetScaler Gateway (Service and on-premises) doesn’t support TLS 1.3 yet.

 

So that covers it, even with 13.1 there is no TLS 1.3 support for Citrix Gateway yet.  1.2 only.


  • 1 month later...
On 5/22/2023 at 11:19 AM, gmolito829 said:

Hello, 

 

I would like to know if the following article is still valid as there is no trace of this problem in the additional resource linked to it.
https://support.citrix.com/article/CTX259045/citrix-adc-tls-13-is-not-working-if-enabled-through-ssl-profile


If still valid, I ask if when the command ‘set ssl parameter -defaultProfile E’ is executed, the Enhanced SSL profile settings will override the existing SSL profile settings bound on the Vserver as well as on the Vservice.

And if the only way to undo this change is a reboot before saving the configuration.

Thank you in advance

Yes, when you enable the default profile you don't have a chance to disable it again except by rebooting with an unsaved config or by modifying ns.conf before.

 

You need to review all SSL settings and configure all your SSL settings again by binding suitable SSL profiles. Better prepare that before and write down how many profiles you need and which settings they have to contain. Also you have to bind the ciphers to these profiles then! You can prepare the profiles before enabling the default profile setting BUT you can't bind the ciphers before enabling the default profile. Annoying, I know. I learnt that the hard way in a huge environment. At first nearly nothing worked anymore. Since then I write down which CLI commands are needed before I change a device and prepare that as a batch config which will be executed directly after switching the default profile on.

 

If you have finally switched to the profiles it will make life a lot easier! Somebody decides cipher xy needs to be removed globally? You want to switch to TLS13 only? Hey, change the profile and all vServers are modified with one simple setting! To get there it needs some well prepared work.
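One way to do the preparation described in the post above, as an added example that is not part of the thread or any Citrix tooling: it goes a step further than the post by deriving the profile list from ns.conf, grouping vservers with identical SSL settings and cipher bindings into one profile each, and splitting the commands into those that can run before the switch and those that must run after it. The ns.conf excerpt is constructed, the `prof_fe_` naming is hypothetical, and carrying vserver setting names over unchanged to `add ssl profile` is an assumption.

```python
import shlex
from collections import defaultdict
# Constructed ns.conf excerpt (sample data, not from a real appliance).
SAMPLE_NS_CONF = '''\
add lb vserver vs_web SSL 10.0.0.10 443
set ssl vserver vs_web -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
bind ssl vserver vs_web -cipherName cg_modern
bind ssl vserver vs_web -certkeyName cert_web
set ssl vserver vs_api -tls11 DISABLED -ssl3 DISABLED -tls1 DISABLED
bind ssl vserver vs_api -cipherName cg_modern
set ssl vserver "vs legacy" -ssl3 DISABLED
bind ssl vserver "vs legacy" -cipherName cg_legacy
'''

def inventory(conf_text):
    """Map each SSL vserver to (sorted settings, ciphers in bind order)."""
    settings, ciphers = defaultdict(dict), defaultdict(list)
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or tok[1:3] != ["ssl", "vserver"]:
            continue
        name, pairs = tok[3], dict(zip(tok[4::2], tok[5::2]))
        if tok[0] == "set":
            settings[name].update(pairs)
        elif tok[0] == "bind" and "-cipherName" in pairs:
            ciphers[name].append(pairs["-cipherName"])
    return {n: (tuple(sorted(settings[n].items())), tuple(ciphers[n]))
            for n in set(settings) | set(ciphers)}

def plan(conf_text, prefix="prof_fe_"):  # prefix: hypothetical naming scheme
    """Return (before, after) command lists around the default-profile switch."""
    groups = defaultdict(list)
    for vs, key in sorted(inventory(conf_text).items()):
        groups[key].append(vs)  # identical settings + ciphers share one profile
    before, after = [], []
    for i, ((opts, ciphs), members) in enumerate(sorted(groups.items()), 1):
        prof = f"{prefix}{i}"
        flags = "".join(f" {k} {v}" for k, v in opts)
        before.append(f"add ssl profile {prof} -sslProfileType FrontEnd{flags}")
        # Per the post above, cipher binds only work once the switch is made.
        after += [f"bind ssl profile {prof} -cipherName {c} -cipherPriority {p}"
                  for p, c in enumerate(ciphs, 1)]
        after += [f'set ssl vserver "{vs}" -sslProfile {prof}' if " " in vs
                  else f"set ssl vserver {vs} -sslProfile {prof}" for vs in members]
    return before, after

if __name__ == "__main__":
    pre, post = plan(SAMPLE_NS_CONF)
    print("\n".join(pre + ["set ssl parameter -defaultProfile ENABLED"] + post))
```

Treat the output as a draft batch file to review against the target firmware; it does not touch any cipher group a newly created profile already carries.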
