ECDHE ciphers
All Citrix ADC appliances support the ECDHE cipher group on the front end and the back end. On an SDX appliance, if an SSL chip is assigned to a VPX instance, the cipher support of an MPX appliance applies. Otherwise, the normal cipher support of a VPX instance applies.
For more information about the builds and platforms that support these ciphers, see Ciphers available on the Citrix ADC appliances.
ECDHE cipher suites use elliptical curve cryptography (ECC). Because of its smaller key size, ECC is especially useful in a mobile (wireless) environment or an interactive voice response environment, where every millisecond is important. Smaller key sizes save power, memory, bandwidth, and computational cost.
A Citrix ADC appliance supports the following ECC curves:
- P_256
- P_384
- P_224
- P_521
Note: If you upgrade from a build earlier than release 10.1 build 121.10, you must explicitly bind ECC curves to your existing SSL virtual servers and services. The curves are bound by default to any virtual servers and services that you create after the upgrade.
You can bind an ECC curve to SSL front end and back end entities. By default all four curves are bound, in the following order: P_256, P_384,P_224,P_521. To change the order, you must first unbind all the curves, and then bind them in the desired order.
Bind ECC curves to an SSL virtual server by using the CLI
At the command prompt, type:
bind ssl vserver <vServerName > -eccCurveName <eccCurveName >
Example:
bind ssl vserver v1 -eccCurveName P_224
sh ssl vserver v1
Advanced SSL configuration for VServer v1:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: DISABLED TLSv1.2: DISABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
ECC Curve: P_224
1) Cipher Name: DEFAULT
Description: Predefined Cipher Alias
Done
<!--NeedCopy-->
Bind ECC curves to an SSL virtual server by using the GUI
- Navigate to Traffic Management > Load Balancing > Virtual Servers.
- Select an SSL virtual server and click Edit.
- In Advanced Settings, click ECC Curve.
- Click inside the ECC curve section.
- In the SSL Virtual Server ECC Curve Binding page, click Add Binding.
- In ECC Curve Binding, click Select ECC Curve.
- Select a value, and then click Select.
- Click Bind.
- Click Close.
- Click Done.
Bind ECC curves to an SSL service by using the CLI
At the command prompt, type:
bind ssl service <vServerName > -eccCurveName <eccCurveName >
Example:
> bind ssl service sslsvc -eccCurveName P_224
Done
> sh ssl service sslsvc
Advanced SSL configuration for Back-end SSL Service sslsvc:
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: DISABLED
Session Reuse: ENABLED Timeout: 300 seconds
Cipher Redirect: DISABLED
ClearText Port: 0
Server Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: DISABLED
OCSP Stapling: DISABLED
SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED TLSv1.3: DISABLED
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
Zero RTT Early Data: ???
DHE Key Exchange With PSK: ???
Tickets Per Authentication Context: ???
ECC Curve: P_224
1) Cipher Name: DEFAULT_BACKEND
Description: Default cipher list for Backend SSL session
Done
<!--NeedCopy-->
Bind ECC curves to an SSL service by using the GUI
- Navigate to Traffic Management > Load Balancing > Services.
- Select an SSL service and click Edit.
- In Advanced Settings, click ECC Curve.
- Click inside the ECC curve section.
- In the SSL Service ECC Curve Binding page, click Add Binding.
- In ECC Curve Binding, click Select ECC Curve.
- Select a value, and then click Select.
- Click Bind.
- Click Close.
- Click Done.