NetScaler SDX

Configuring SSL Ciphers to Securely Access the Management Service

October 6, 2023

Contributed by:

C S

You can select SSL cipher suites from a list of SSL ciphers supported by NetScaler SDX appliances, and bind any combination of the SSL ciphers to access the SDX Management Service securely through HTTPS. An SDX appliance provides 37 predefined cipher groups, which are combinations of similar ciphers, and you can create custom cipher groups from the list of supported SSL ciphers.

Limitations

Binding ciphers with key exchange = “DH” or “ECC-DHE” is not supported.
Binding the ciphers with Authentication = “DSS” is not supported.
Binding ciphers that are not part of the supported SSL ciphers list, or including these ciphers in a custom cipher group, is not supported.

Supported SSL Ciphers

The following table lists the supported SSL ciphers.

Citrix Cipher Name	Openssl CipherName	Hex Code	Protocol	KeyExchange	Auth	MAC
TLS1-AES-256-CBC-SHA	AES256-SHA	0x0035	SSLv3	RSA	RSA	AES(256)
TLS1-AES-128-CBC-SHA	AES128-SHA	0x002F	SSLv3	RSA	RSA	AES(128)
TLS1.2-AES-256-SHA256	AES256-SHA256	0x003D	TLSv1.2	RSA	RSA	AES(256)
TLS1.2-AES-128-SHA256	AES128-SHA256	0x003C	TLSv1.2	RSA	RSA	AES(128)
TLS1.2-AES256-GCM-SHA384	AES256-GCM-SHA384	0x009D	TLSv1.2	RSA	RSA	AES-GCM(256)
TLS1.2-AES128-GCM-SHA256	AES128-GCM-SHA256	0x009C	TLSv1.2	RSA	RSA	AES-GCM(128)
TLS1-ECDHE-RSA-AES256-SHA	ECDHE-RSA-AES256-SHA	0xC014	SSLv3	ECC-DHE	RSA	AES(256)
TLS1-ECDHE-RSA-AES128-SHA	ECDHE-RSA-AES128-SHA	0xC013	SSLv3	ECC-DHE	RSA	AES(128)
TLS1.2-ECDHE-RSA-AES-256-SHA384	ECDHE-RSA-AES256-SHA384	0xC028	TLSv1.2	ECC-DHE	RSA	AES(256)
TLS1.2-ECDHE-RSA-AES-128-SHA256	ECDHE-RSA-AES128-SHA256	0xC027	TLSv1.2	ECC-DHE	RSA	AES(128)
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384	ECDHE-RSA-AES256-GCM-SHA384	0xC030	TLSv1.2	ECC-DHE	RSA	AES-GCM(256)
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256	ECDHE-RSA-AES128-GCM-SHA256	0xC02F	TLSv1.2	ECC-DHE	RSA	AES-GCM(128)
TLS1.2-DHE-RSA-AES-256-SHA256	DHE-RSA-AES256-SHA256	0x006B	TLSv1.2	DH	RSA	AES(256)
TLS1.2-DHE-RSA-AES-128-SHA256	DHE-RSA-AES128-SHA256	0x0067	TLSv1.2	DH	RSA	AES(128)
TLS1.2-DHE-RSA-AES256-GCM-SHA384	DHE-RSA-AES256-GCM-SHA384	0x009F	TLSv1.2	DH	RSA	AES-GCM(256)
TLS1.2-DHE-RSA-AES128-GCM-SHA256	DHE-RSA-AES128-GCM-SHA256	0x009E	TLSv1.2	DH	RSA	AES-GCM(128)
TLS1-DHE-RSA-AES-256-CBC-SHA	DHE-RSA-AES256-SHA	0x0039	SSLv3	DH	RSA	AES(256)
TLS1-DHE-RSA-AES-128-CBC-SHA	DHE-RSA-AES128-SHA	0x0033	SSLv3	DH	RSA	AES(128)
TLS1-DHE-DSS-AES-256-CBC-SHA	DHE-DSS-AES256-SHA	0x0038	SSLv3	DH	DSS	AES(256)
TLS1-DHE-DSS-AES-128-CBC-SHA	DHE-DSS-AES128-SHA	0x0032	SSLv3	DH	DSS	AES(128)
TLS1-ECDHE-RSA-DES-CBC3-SHA	ECDHE-RSA-DES-CBC3-SHA	0xC012	SSLv3	ECC-DHE	RSA	3DES(168)
SSL3-EDH-RSA-DES-CBC3-SHA	EDH-RSA-DES-CBC3-SHA	0x0016	SSLv3	DH	RSA	3DES(168)
SSL3-EDH-DSS-DES-CBC3-SHA	EDH-DSS-DES-CBC3-SHA	0x0013	SSLv3	DH	DSS	3DES(168)
TLS1-ECDHE-RSA-RC4-SHA	ECDHE-RSA-RC4-SHA	0xC011	SSLv3	ECC-DHE	RSA	RC4(128)
SSL3-DES-CBC3-SHA	DES-CBC3-SHA	0x000A	SSLv3	RSA	RSA	3DES(168)
SSL3-RC4-SHA	RC4-SHA	0x0005	SSLv3	RSA	RSA	RC4(128)
SSL3-RC4-MD5	RC4-MD5	0x0004	SSLv3	RSA	RSA	RC4(128)
SSL3-DES-CBC-SHA	DES-CBC-SHA	0x0009	SSLv3	RSA	RSA	DES(56)
SSL3-EXP-RC4-MD5	EXP-RC4-MD5	0x0003	SSLv3	RSA(512)	RSA	RC4(40)
SSL3-EXP-DES-CBC-SHA	EXP-DES-CBC-SHA	0x0008	SSLv3	RSA(512)	RSA	DES(40)
SSL3-EXP-RC2-CBC-MD5	EXP-RC2-CBC-MD5	0x0006	SSLv3	RSA(512)	RSA	RC2(40)
SSL2-DES-CBC-MD5	DHE-DSS-AES128-SHA256	0x0040	SSLv2	RSA	RSA	DES(56)
SSL3-EDH-DSS-DES-CBC-SHA	EDH-DSS-DES-CBC-SHA	0x0012	SSLv3	DH	DSS	DES(56)
SSL3-EXP-EDH-DSS-DES-CBC-SHA	EXP-EDH-DSS-DES-CBC-SHA	0x0011	SSLv3	DH(512)	DSS	DES(40)
SSL3-EDH-RSA-DES-CBC-SHA	EDH-RSA-DES-CBC-SHA	0x0015	SSLv3	DH	RSA	DES(56)
SSL3-EXP-EDH-RSA-DES-CBC-SHA	EXP-EDH-RSA-DES-CBC-SHA	0x0014	SSLv3	DH(512)	RSA	DES(40)
SSL3-ADH-RC4-MD5	ADH-RC4-MD5	0x0018	SSLv3	DH	None	RC4(128)
SSL3-ADH-DES-CBC3-SHA	ADH-DES-CBC3-SHA	0x001B	SSLv3	DH	None	3DES(168)
SSL3-ADH-DES-CBC-SHA	ADH-DES-CBC-SHA	0x001A	SSLv3	DH	None	DES(56)
TLS1-ADH-AES-128-CBC-SHA	ADH-AES128-SHA	0x0034	SSLv3	DH	None	AES(128)
TLS1-ADH-AES-256-CBC-SHA	ADH-AES256-SHA	0x003A	SSLv3	DH	None	AES(256)
SSL3-EXP-ADH-RC4-MD5	EXP-ADH-RC4-MD5	0x0017	SSLv3	DH(512)	None	RC4(40)
SSL3-EXP-ADH-DES-CBC-SHA	EXP-ADH-DES-CBC-SHA	0x0019	SSLv3	DH(512)	None	DES(40)
SSL3-NULL-MD5	NULL-MD5	0x0001	SSLv3	RSA	RSA	None
SSL3-NULL-SHA	NULL-SHA	0x0002	SSLv3	RSA	RSA	None

Predefined Cipher Groups

The following table lists the predefined cipher groups provided by the SDX appliance.

Cipher Group Name	Description
ALL	All ciphers supported by the SDX appliance, excluding NULL ciphers
DEFAULT	Default cipher list with encryption strength >= 128bit
kRSA	Ciphers with Key-ex algo as RSA
kEDH	Ciphers with Key-ex algo as Ephemeral-DH
DH	Ciphers with Key-ex algo as DH
EDH	Ciphers with Key-ex/Auth algo as DH
aRSA	Ciphers with Auth algo as RSA
aDSS	Ciphers with Auth algo as DSS
aNULL	Ciphers with Auth algo as NULL
DSS	Ciphers with Auth algo as DSS
DES	Ciphers with Enc algo as DES
3DES	Ciphers with Enc algo as 3DES
RC4	Ciphers with Enc algo as RC4
RC2	Ciphers with Enc algo as RC2
NULL	Ciphers with Enc algo as NULL
MD5	Ciphers with MAC algo as MD5
SHA1	Ciphers with MAC algo as SHA-1
SHA	Ciphers with MAC algo as SHA
NULL	Ciphers with Enc algo as NULL
RSA	Ciphers with Key-ex/Auth algo as RSA
ADH	Ciphers with Key-ex algo as DH and Auth algo as NULL
SSLv2	SSLv2 protocol ciphers
SSLv3	SSLv3 protocol ciphers
TLSv1	SSLv3/TLSv1 protocol ciphers
TLSv1_ONLY	TLSv1 protocol ciphers
EXP	Export ciphers
EXPORT	Export ciphers
EXPORT40	Export ciphers with 40bit encryption
EXPORT56	Export ciphers with 56bit encryption
LOW	Low strength ciphers (56bit encryption)
MEDIUM	Medium strength ciphers (128bit encryption)
HIGH	High strength ciphers (168bit encryption)
AES	AES Ciphers
FIPS	FIPS Approved Ciphers
ECDHE	Elliptic Curve Ephemeral DH Ciphers
AES-GCM	Ciphers with Enc algo as AES-GCM
SHA2	Ciphers with MAC algo as SHA-2

Viewing the Predefined Cipher Groups

To view the predefined cipher groups, on the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.

Creating Custom Cipher Groups

You can create custom cipher groups from the list of supported SSL ciphers.

To create custom cipher groups:

On the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.
In the Cipher Groups pane, click Add.
In the Create Cipher Group dialog box, perform the following:
1. In the Group Name field, enter a name for the custom cipher group.
2. In the Cipher Group Description field, enter a brief description of the custom cipher group.
3. In the Cipher Suites section, click Add and select the ciphers to include in the list of supported SSL ciphers.
4. Click Create.

Viewing Existing SSL Cipher Bindings

To view the existing cipher bindings, on the Configuration tab, in the navigation pane, expand System, and then click Configure SSL Settings under System Settings.

Configure-ssl-settings

Note

After you upgrade to the latest version of the Management Service, the list of existing cipher suites shows the OpenSSL names. Once you bind the ciphers from the upgraded Management Service, the display uses the Citrix naming convention.

Binding Ciphers to the HTTPS Service

To bind ciphers to the HTTPS service:

On the Configuration tab, in the navigation pane, click System.
In the System pane, under System Settings, click Configure SSL Settings.
In the Edit Settings pane, click Ciphers Suites.
In the Ciphers Suites pane, do either of the following:
- To choose cipher groups from predefined cipher groups provided by SDX appliance, select the Cipher Groups check box, select the cipher group from the Cipher Groups drop-down list, and then click OK.
- To choose from the list of supported ciphers, select the Cipher Suites check box, click Add to select the ciphers, and then click OK.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Configuring SSL Ciphers to Securely Access the Management Service

October 6, 2023

Contributed by:

C S

October 6, 2023

Contributed by:

C S

Configuring SSL Ciphers to Securely Access the Management Service

Limitations

Supported SSL Ciphers

Predefined Cipher Groups

Viewing the Predefined Cipher Groups

Creating Custom Cipher Groups

Viewing Existing SSL Cipher Bindings

Binding Ciphers to the HTTPS Service

In this article