Legacy SSL profile
Note:
Citrix recommends using the enhanced profiles instead of legacy profiles. For information about the enhanced profile infrastructure, see SSL profile infrastructure.
Important:
You must bind an SSL profile to an SSL virtual server. Do not bind a DTLS profile to an SSL virtual server. For information about DTLS profiles, see DTLS Profiles.
You can use an SSL profile to specify how a Citrix ADC processes SSL traffic. The profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services, and service groups, and offers ease of configuration and flexibility. You are not limited to configuring only one set of global parameters. You can create multiple sets (profiles) of global parameters and assign different sets to different SSL entities. SSL profiles are classified into two categories:
- Front end profiles, containing parameters applicable to the front-end entity. That is, they apply to the entity that receives requests from a client.
- Backend profiles, containing parameters applicable to the back-end entity. That is, they apply to the entity that sends client requests to a server.
Unlike a TCP or HTTP profile, an SSL profile is optional. Therefore, there is no default SSL profile. The same profile can be reused across multiples entities. If an entity does not have a profile attached, the values set at the global level apply. For dynamically learned services, current global values apply.
The following table lists the parameters that are part of each profile.
Front end profile | Backend profile |
---|---|
cipherRedirect, cipherURL | denySSLReneg |
clearTextPort* | encryptTriggerPktCount |
clientAuth, clientCert | nonFipsCiphers |
denySSLReneg | pushEncTrigger |
dh, dhFile, dhCount | pushEncTriggerTimeout |
dropReqWithNoHostHeader | pushFlag |
encryptTriggerPktCount | quantumSize |
eRSA, eRSACount | serverAuth |
insertionEncoding | commonName |
nonFipsCiphers | sessReuse, sessTimeout |
pushEncTrigger | SNIEnable |
pushEncTriggerTimeout | ssl3 |
pushFlag | sslTriggerTimeout |
quantumSize | strictCAChecks |
redirectPortRewrite | tls1 |
sendCloseNotify | - |
sessReuse, sessTimeout | - |
SNIEnable | - |
ssl3 | - |
sslRedirect | - |
sslTriggerTimeout | - |
strictCAChecks | - |
tls1, tls11, tls12 | - |
* The clearTextPort parameter applies only to an SSL virtual server.
An error message appears if you try to set a parameter that is not part of the profile (for example, if you try to set the clientAuth parameter in a backend profile).
Some SSL parameters, such as CRL memory size, OCSP cache size, UndefAction Control, and UndefAction Data, are not part of any of the above profiles, because these parameters are independent of entities.
An SSL profile supports the following operations:
- Add—Creates an SSL profile on the Citrix ADC. Specify whether the profile is front end or backend. Front end is the default.
- Set—Modifies the settings of an existing profile.
- Unset—Sets the specified parameters to their default values. If you do not specify any parameters, an error message appears. If you unset a profile on an entity, the profile is unbound from the entity.
- Remove—Deletes a profile. A profile that is being used by any entity cannot be deleted. Clearing the configuration deletes all the entities. As a result, the profiles are also deleted.
- Show—Displays all the profiles that are available on the Citrix ADC . If a profile name is specified, the details of that profile are displayed. If an entity is specified, the profiles associated with that entity are displayed.
Create an SSL profile by using the CLI
- To add an SSL profile, type:
add ssl profile <name> [-sslProfileType ( BackEnd | FrontEnd )]
<!--NeedCopy-->
- To modify an existing profile, type:
set ssl profile <name>
<!--NeedCopy-->
- To unset an existing profile, type:
unset ssl profile <name> [-dh] [-dhFile] [-dhCount] [-eRSA]…
<!--NeedCopy-->
- To unset an existing profile from an entity, type:
unset ssl vserver <vServerName> –sslProfile
<!--NeedCopy-->
- To remove an existing profile, type:
rm ssl profile <name>
<!--NeedCopy-->
- To display an existing profile, type:
sh ssl profile <name>
<!--NeedCopy-->
Create an SSL profile by using the GUI
Navigate to System > Profiles, select the SSL Profiles tab, and create an SSL profile.
Enable stricter control on client certificate validation
The Citrix ADC appliance accepts valid Intermediate-CA certificates if they are issued by a single Root-CA. That is, if only the Root-CA certificate is bound to the virtual server, and any intermediate certificate sent with the client certificate is validated by that Root-CA, the appliance trusts the certificate chain and the handshake is successful.
However, if a client sends a chain of certificates in the handshake, none of the intermediate certificates can be validated by using a CRL or OCSP responder unless that certificate is bound to the SSL virtual server. Therefore, even if one of the intermediate certificates is revoked, the handshake is successful. As part of the handshake, the SSL virtual server sends the list of CA certificates that are bound to it. For stricter control, you can configure the SSL virtual server to accept only a certificate that is signed by one of the CA certificates bound to that virtual server. To do so, you must enable the ClientAuthUseBoundCAChain setting in the SSL profile bound to the virtual server. The handshake fails if the client certificate is not signed by one of the CA certificates bound to the virtual server.
For example, say two client certificates, clientcert1 and clientcert2, are signed by the intermediate certificates Int-CA-A and Int-CA-B, respectively. The intermediate certificates are signed by the root certificate Root-CA. Int-CA-A and Root-CA are bound to the SSL virtual server. In the default case (ClientAuthUseBoundCAChain disabled), both clientcert1 and clientcert2 are accepted. However, if ClientAuthUseBoundCAChain is enabled, only clientcert1 is accepted by the Citrix ADC appliance
Enable stricter control on client certificate validation by using the CLI
At the command prompt, type: set ssl profile <name> -ClientAuthUseBoundCAChain Enabled
Enable stricter control on client certificate validation by using the GUI
- Navigate to System > Profiles, select the SSL Profiles tab, and create an SSL profile, or select an existing profile.
- Select Enable Client Authentication using bound CA Chain.