SSL LABS

How to get the best score (A+) on SSLLABS.COM with NetScaler 11 VPX. 

By default, NetScaler scores a C on SSLLABS.com, but in less than 15 minutes it is possible to score a superb A+. How? Simply by changing the SSL protocol, PFS (Perfect Forward Secrecy), cipher and Strict Transport Security settings.

NetScaler OS

This post has been created with NetScaler Build NS11.0 62.10.nc – VPX.

TLS_FALLBACK_SCSV is supported.

TLSv1.1 and TLSv1.2 are also supported.

Certificates

Make sure that the certificate chain is properly imported and linked on the NetScalers and that your certificates use a SHA-2 signature algorithm (SHA-256).

I recommend using namecheap.com. They offer SSL certificates (SHA-256) for only 11 bucks.

Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.

Do not use HTTP

You can create either a vServer only available in HTTPS (443) or create a redirection from HTTP to HTTPS.

Responder method: http://support.citrix.com/article/CTX120664.

See the Enable HSTS/STS section of this post to make HTTPS the only method the browser may use to access the site.

Configure Diffie-Hellman key (Perfect Forward Secrecy)

The server does not support Forward Secrecy with the reference browsers.

Navigate to Traffic Management > Load Balancing > SSL.

Go To Tools > Create Diffie-Hellman (DH) key.

DH
  • Path: /nsconfig/ssl/dhkey2048.key
  • Size: 2048
  • DH Generator: 2
Configure DH

Navigate to NetScaler Gateway > Virtual Servers.

Edit your vServer and go to SSL Parameters. Check Enable DH Param.

Browse to the previously created DH Key.

Configure SSL

Configure Diffie-Hellman (DH) key in command line

Disable SSL3

Disabling SSLv3 prevents POODLE attacks: http://support.citrix.com/article/CTX200238

On the same SSL Parameters screen, make sure that SSLv2 and SSLv3 are unchecked.

This server uses SSL 3, which is obsolete and insecure. Grade capped to B.

Enable TLSv1, TLSv1.1 and TLSv1.2

On the same SSL Parameters screen, make sure that TLSv1, TLSv11 and TLSv12 are checked.

Reconfigure SSL Ciphers

A cipher is an algorithm for performing encryption or decryption. A cipher suite is a named combination of cryptographic algorithms (key exchange, authentication, encryption and message authentication). On the NetScaler, cipher suites are bound, in order of preference, to a cipher group.

By default, NetScaler uses RC4. Grade capped to C on SSLLABS.COM.

To fix this issue, we need to create a custom Cipher group in the NetScaler configuration.

Navigate to Traffic Management > SSL > Cipher Groups.

Select Add.

  • Name: CitrixGuruCipher
new CipherGroup

The full list of ciphers is documented on Carl Webster's website.

Then navigate to NetScaler Gateway > Virtual Servers.

Under SSL Ciphers, Select CitrixGuruCipher previously created.

Bind Cipher group

You will see the popup below; this is normal. Just select OK.

Select OK
Cipher group mapped
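The settings changed so far (SSLv2/SSLv3 off, TLS 1.0 to 1.2 on, a DH parameter for DHE suites, no RC4, a forward-secret cipher group, a SHA-2 certificate) plus the HSTS header from the next section can be reviewed in one pass against a description of the vServer. The Python below is an added example written for this post, not NetScaler or SSL Labs code: the `protocols`, `ciphers`, `dh_param`, `cert_signature` and `hsts` keys are this example's own naming, the cipher-suite strings are NetScaler-style names that should be checked against the appliance's `show ssl cipher` output, and the only grade caps it asserts are the ones SSL Labs reported in this post (SSL 3 caps to B, RC4 caps to C, A+ needs HSTS); treating every other warning as costing the "+" is an assumption of the example.

```python
"""Review a NetScaler vServer's TLS settings against the checklist in this post.

Added example, not NetScaler or SSL Labs code. The config dict mirrors the
SSL Parameters and Cipher Group settings the post changes; its keys are
assumptions made for this example, not NetScaler CLI parameter names.
"""
import re

# Key exchange that gives forward secrecy: ephemeral (EC)DH.
_FS_KEX = re.compile(r"(^|-)(ECDHE|DHE)-")

# Ordering used to combine grade caps: a later entry is a lower grade.
_GRADES = ["A+", "A", "B", "C"]


def classify_cipher(name):
    """Describe one NetScaler-style cipher suite name such as
    'TLS1.2-ECDHE-RSA-AES256-GCM-SHA384' or 'SSL3-RC4-MD5'."""
    upper = name.upper()
    return {
        "name": name,
        "forward_secrecy": bool(_FS_KEX.search(upper)),
        # Finite-field DHE suites need the DH parameter file the post creates.
        "needs_dh_param": "-DHE-" in upper and "ECDHE" not in upper,
        "rc4": "RC4" in upper,
    }


def evaluate(config):
    """Return the findings for a config and the resulting grade cap.

    The caps for SSL 3 (B) and RC4 (C) and the HSTS requirement for A+ are
    the ones the post quotes from SSL Labs; treating any other finding as
    costing the '+' is an assumption of this example.
    """
    findings = []
    cap = "A+"

    def lower(to):
        nonlocal cap
        if _GRADES.index(to) > _GRADES.index(cap):
            cap = to

    protocols = config["protocols"]
    if protocols.get("SSLv2") or protocols.get("SSLv3"):
        findings.append("SSLv2/SSLv3 enabled (POODLE): grade capped to B")
        lower("B")
    for proto in ("TLSv1", "TLSv1.1", "TLSv1.2"):
        if not protocols.get(proto):
            findings.append(f"{proto} not enabled")
            lower("A")

    suites = [classify_cipher(c) for c in config["ciphers"]]
    if any(s["rc4"] for s in suites):
        findings.append("RC4 cipher suite bound: grade capped to C")
        lower("C")
    if not any(s["forward_secrecy"] for s in suites):
        findings.append("no ECDHE/DHE suite bound: no forward secrecy")
        lower("A")
    if any(s["needs_dh_param"] for s in suites) and not config.get("dh_param"):
        findings.append("DHE suites bound but DH param not enabled on the vServer")
        lower("A")

    if config.get("cert_signature", "").upper() not in ("SHA256", "SHA384", "SHA512"):
        findings.append("certificate uses a weak signature: renew with SHA-2")
        lower("A")
    if not config.get("hsts"):
        findings.append("Strict-Transport-Security header not sent: A+ requires HSTS")
        lower("A")
    return {"grade_cap": cap, "findings": findings}


# Constructed sample inputs: a default-like state and the hardened one.
DEFAULT_CONFIG = {
    "protocols": {"SSLv2": False, "SSLv3": True, "TLSv1": True,
                  "TLSv1.1": False, "TLSv1.2": False},
    "ciphers": ["SSL3-RC4-MD5", "SSL3-DES-CBC3-SHA"],
    "dh_param": False,
    "cert_signature": "SHA1",
    "hsts": False,
}
HARDENED_CONFIG = {
    "protocols": {"SSLv2": False, "SSLv3": False, "TLSv1": True,
                  "TLSv1.1": True, "TLSv1.2": True},
    "ciphers": [
        "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
        "TLS1-ECDHE-RSA-AES256-SHA",
        "TLS1-DHE-RSA-AES256-SHA",
    ],
    "dh_param": True,
    "cert_signature": "SHA256",
    "hsts": True,
}

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = evaluate(cfg)
        print(f"{label}: grade cap {result['grade_cap']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Running it prints a C cap with five findings for the default-like state and an A+ cap with no findings for the hardened one. The DH-parameter check matters in practice: a DHE suite bound without the DH key from the previous section simply never gets negotiated, so the cipher group looks forward-secret on paper while the clients fall through to whatever non-ephemeral suite is next.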

CipherGroup creation in command line:

Binding CipherGroup in command line:

ECDHE support in command line:

Enable HSTS/STS

To achieve the A+ score, you need to enable HSTS/STS with a Rewrite policy.

Navigate to AppExpert > Rewrite > Rewrite Actions.

Create new Rewrite action:

Name: rw_action_sts_header

Type: INSERT_HTTP_HEADER

Header Name: Strict-Transport-Security

Expression: "max-age=157680000"

Create rewrite action

157680000 is 5 years expressed in seconds (5 × 365 × 24 × 60 × 60).

Rewrite action is created.

RW Action created

Navigate to AppExpert > Rewrite > Rewrite Policies.

Create new Rewrite Policy:

  • Name: rw_pol_sts_config
  • Action: rw_action_sts_header
  • Expression: true
new rewrite policy

Rewrite policy is created

RW policy created

Navigate to NetScaler Gateway > Virtual Servers.

Edit your vServer and go to SSL Policy.

Add SSL Policy

Select Rewrite and Response.

Policy type

In the next screen, under Policy Binding select rw_pol_sts_config.

Policy Binding

See below:

Binding configured

Select Bind to finish the configuration.
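To verify what the rewrite action actually sends, here is an added Python example (not NetScaler code) that builds the header value for the post's max-age and parses a captured HTTPS response for a usable Strict-Transport-Security header. The response bytes are constructed for the example; `includeSubDomains` (RFC 6797) and the `preload` token used by browser preload lists are directives the post does not use, handled only so the parser accepts them, and the minimum max-age the checker enforces is whatever the caller passes (the post's 5 years by default).

```python
"""Build and validate the Strict-Transport-Security header inserted by the
rewrite action above. Added example, not NetScaler code."""

FIVE_YEARS = 5 * 365 * 24 * 60 * 60  # 157680000, the value used in the post


def hsts_header_value(max_age=FIVE_YEARS, include_subdomains=False):
    """Header value the rewrite action emits; the string-literal expression
    "max-age=157680000" in the post yields exactly max-age=157680000."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts(value):
    """Parse an HSTS header value. Returns None when max-age is missing or
    not an integer, which a browser treats as no HSTS policy at all."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    raw = directives.get("max-age")
    if raw is None or not raw.isdigit():
        return None
    return {
        "max_age": int(raw),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_response(raw_response, minimum_max_age=FIVE_YEARS):
    """Check a raw HTTP response (bytes) for an HSTS header with
    max-age >= minimum_max_age. Returns (ok, reason).

    Browsers only honour the header on an HTTPS response and, per RFC 6797,
    only the first Strict-Transport-Security header if several are present.
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    hsts_values = [
        line.split(":", 1)[1].strip()
        for line in lines[1:]
        if line.lower().startswith("strict-transport-security:")
    ]
    if not hsts_values:
        return False, "no Strict-Transport-Security header"
    parsed = parse_hsts(hsts_values[0])
    if parsed is None:
        return False, "max-age directive missing or not an integer"
    if parsed["max_age"] < minimum_max_age:
        return False, f"max-age {parsed['max_age']} below required {minimum_max_age}"
    return True, f"HSTS ok: max-age={parsed['max_age']}"


# Constructed responses: what the vServer sends with the rewrite policy bound,
# without it, and with a max-age too short to be useful.
GOOD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=157680000\r\n\r\n<html>"
)
MISSING_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
SHORT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n<html>"
)

if __name__ == "__main__":
    print("rewrite action header value:", hsts_header_value())
    for label, resp in (("good", GOOD_RESPONSE), ("missing", MISSING_RESPONSE),
                        ("short", SHORT_RESPONSE)):
        print(label, check_response(resp))
```

A quick way to feed it real data is to save the response headers of a request to the vServer (for example with `curl -sI https://<your-gateway>/`) and pass the bytes to `check_response`; a header that shows up on the HTTP redirect but not on the HTTPS response is the usual reason the A+ does not appear.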

Create rewrite action in command line:

Create rewrite policy in command line:

Bind rewrite policy to vServer in command line:

Run the test on SSLLABS.COM

Go to https://www.ssllabs.com/ssltest/ and enter the URL of your website. Then wait a few minutes for the tool to do its job.

NetScaler 11 VPX A+ Score on SSLLABS.COM

As expected, SSLv2 and SSLv3 are disabled.

Protocol and Cipher Suites

TLS_FALLBACK_SCSV is supported. POODLE attack is not possible. HSTS is supported. RC4 is not supported.

Protocol Details

As you can see, there is no excuse not to get the maximum score with the Citrix NetScaler VPX appliance running NetScaler OS 11, as the configuration only takes a few minutes.


4 COMMENTS

  1. Great write-up. I have the same build and was confused because when adding the policy to the gateway it's not an SSL Policy, it's just a session policy and then you choose Rewrite.
