SSL policies

Policies on the Citrix ADC appliance help identify specific connections that you want to process. The processing is based on the actions that are configured for that particular policy. Once you create the policy and configure an action for it, you must do one of the following:

  • Bind the policy to a virtual server on the appliance, so that it applies only to traffic flowing through that virtual server.
  • Bind the policy globally, so that it applies to all traffic flowing through any virtual server configured on the Citrix ADC appliance.

The Citrix ADC appliance SSL feature supports default syntax (advanced) policies. For a complete description of default syntax expressions, how they work, and how to configure them manually, see Policies and Expressions.

Note:

Users who are not experienced in configuring policies at the CLI usually find using the configuration utility considerably easier.

SSL policies require that you create an action before creating a policy, so that you can specify the actions when you create the policies. In SSL default syntax policies, you can also use the built-in actions. For more information about built-in actions, see SSL built-in actions and user-defined actions.

SSL default syntax policies

An SSL default syntax policy, also known as an advanced policy, defines a control or a data action to be performed on requests. SSL policies can therefore be categorized as control policies and data policies:

  • Control policy. A control policy uses a control action, such as forcing client authentication. Note: In release 10.5 or later, deny SSL renegotiation (denySSLReneg) is set, by default, to ALL. However, control policies, such as CLIENTAUTH, trigger a renegotiation handshake. If you use such policies, you must set denySSLReneg to NO.
  • Data policy. A data policy uses a data action, such as inserting some data into the request.

The essential components of a policy are an expression and an action. The expression identifies the requests on which the action is to be performed.

You can configure a default syntax policy with a built-in action or a user-defined action. You can configure a policy with a built-in action without creating a separate action. However, to configure a policy with a user-defined action, first configure the action and then configure the policy.

You can specify an extra action, called an UNDEF action, to be performed when applying the expression to a request has an undefined result.

SSL policy configuration

You can configure an SSL default syntax policy by using the CLI and the GUI.

Configure an SSL policy by using the CLI

At the command prompt, type:

add ssl policy <name> -rule <expression> -Action <string> [-undefAction <string>] [-comment <string>]
<!--NeedCopy-->

Configure an SSL policy by using the GUI

Navigate to Traffic Management > SSL > Policies and, on the Polices tab, click Add.

Support for SSL policies with TLS1.3 protocol

From release 13.0 build 71.x and later, support is added for SSL policies with the TLS1.3 protocol. When the TLSv1.3 protocol is negotiated for a connection, policy rules that inspect TLS data received from the client now trigger the configured action.

For example, if the following policy rule returns true, the traffic is forwarded to the virtual server defined in the action.

add ssl action action1 -forward vserver2
add ssl policy pol1 -rule client.ssl.client_hello.sni.contains(“xyz”) -action action1
<!--NeedCopy-->

Limitations

  • Control policies are not supported.
  • The following actions are not supported:
    • DOCLIENTAUTH
    • NOCLIENTAUTH
    • caCertGrpName
    • clientCertVerification
    • ssllogProfile
SSL policies