Configure SSL ciphers to securely access the Management Service
You can select SSL cipher suites from a list of SSL ciphers supported by NetScaler SDX appliances. Bind any combination of the SSL ciphers to access the SDX Management Service securely through HTTPS. An SDX appliance provides 37 predefined cipher groups, which are combinations of similar ciphers, and you can create custom cipher groups from the list of supported SSL ciphers.
Limitations
- Binding ciphers with key exchange = “DH” or “ECC-DHE” is not supported.
- Binding the ciphers with Authentication = “DSS” is not supported.
- Binding ciphers that are not part of the supported SSL ciphers list, or including these ciphers in a custom cipher group, is not supported.
Supported SSL Ciphers
The following table lists the supported SSL ciphers.
Citrix Cipher Name | OpenSSL CipherName | Hex Code | Protocol | Key Exchange Algorithm | Authentication Algorithm | Message Authentication Code (MAC) Algorithm |
---|---|---|---|---|---|---|
TLS1-AES-256-CBC-SHA | AES256-SHA | 0x0035 | SSLv3 | RSA | RSA | AES(256) |
TLS1-AES-128-CBC-SHA | AES128-SHA | 0x002F | SSLv3 | RSA | RSA | AES(128) |
TLS1.2-AES-256-SHA256 | AES256-SHA256 | 0x003D | TLSv1.2 | RSA | RSA | AES(256) |
TLS1.2-AES-128-SHA256 | AES128-SHA256 | 0x003C | TLSv1.2 | RSA | RSA | AES(128) |
TLS1.2-AES256-GCM-SHA384 | AES256-GCM-SHA384 | 0x009D | TLSv1.2 | RSA | RSA | AES-GCM(256) |
TLS1.2-AES128-GCM-SHA256 | AES128-GCM-SHA256 | 0x009C | TLSv1.2 | RSA | RSA | AES-GCM(128) |
TLS1-ECDHE-RSA-AES256-SHA | ECDHE-RSA-AES256-SHA | 0xC014 | SSLv3 | ECC-DHE | RSA | AES(256) |
TLS1-ECDHE-RSA-AES128-SHA | ECDHE-RSA-AES128-SHA | 0xC013 | SSLv3 | ECC-DHE | RSA | AES(128) |
TLS1.2-ECDHE-RSA-AES-256-SHA384 | ECDHE-RSA-AES256-SHA384 | 0xC028 | TLSv1.2 | ECC-DHE | RSA | AES(256) |
TLS1.2-ECDHE-RSA-AES-128-SHA256 | ECDHE-RSA-AES128-SHA256 | 0xC027 | TLSv1.2 | ECC-DHE | RSA | AES(128) |
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 | ECDHE-RSA-AES256-GCM-SHA384 | 0xC030 | TLSv1.2 | ECC-DHE | RSA | AES-GCM(256) |
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 | ECDHE-RSA-AES128-GCM-SHA256 | 0xC02F | TLSv1.2 | ECC-DHE | RSA | AES-GCM(128) |
TLS1.2-DHE-RSA-AES-256-SHA256 | DHE-RSA-AES256-SHA256 | 0x006B | TLSv1.2 | DH | RSA | AES(256) |
TLS1.2-DHE-RSA-AES-128-SHA256 | DHE-RSA-AES128-SHA256 | 0x0067 | TLSv1.2 | DH | RSA | AES(128) |
TLS1.2-DHE-RSA-AES256-GCM-SHA384 | DHE-RSA-AES256-GCM-SHA384 | 0x009F | TLSv1.2 | DH | RSA | AES-GCM(256) |
TLS1.2-DHE-RSA-AES128-GCM-SHA256 | DHE-RSA-AES128-GCM-SHA256 | 0x009E | TLSv1.2 | DH | RSA | AES-GCM(128) |
TLS1-DHE-RSA-AES-256-CBC-SHA | DHE-RSA-AES256-SHA | 0x0039 | SSLv3 | DH | RSA | AES(256) |
TLS1-DHE-RSA-AES-128-CBC-SHA | DHE-RSA-AES128-SHA | 0x0033 | SSLv3 | DH | RSA | AES(128) |
TLS1-DHE-DSS-AES-256-CBC-SHA | DHE-DSS-AES256-SHA | 0x0038 | SSLv3 | DH | DSS | AES(256) |
TLS1-DHE-DSS-AES-128-CBC-SHA | DHE-DSS-AES128-SHA | 0x0032 | SSLv3 | DH | DSS | AES(128) |
TLS1-ECDHE-RSA-DES-CBC3-SHA | ECDHE-RSA-DES-CBC3-SHA | 0xC012 | SSLv3 | ECC-DHE | RSA | 3DES(168) |
SSL3-EDH-RSA-DES-CBC3-SHA | EDH-RSA-DES-CBC3-SHA | 0x0016 | SSLv3 | DH | RSA | 3DES(168) |
SSL3-EDH-DSS-DES-CBC3-SHA | EDH-DSS-DES-CBC3-SHA | 0x0013 | SSLv3 | DH | DSS | 3DES(168) |
TLS1-ECDHE-RSA-RC4-SHA | ECDHE-RSA-RC4-SHA | 0xC011 | SSLv3 | ECC-DHE | RSA | RC4(128) |
SSL3-DES-CBC3-SHA | DES-CBC3-SHA | 0x000A | SSLv3 | RSA | RSA | 3DES(168) |
SSL3-RC4-SHA | RC4-SHA | 0x0005 | SSLv3 | RSA | RSA | RC4(128) |
SSL3-RC4-MD5 | RC4-MD5 | 0x0004 | SSLv3 | RSA | RSA | RC4(128) |
SSL3-DES-CBC-SHA | DES-CBC-SHA | 0x0009 | SSLv3 | RSA | RSA | DES(56) |
SSL3-EXP-RC4-MD5 | EXP-RC4-MD5 | 0x0003 | SSLv3 | RSA(512) | RSA | RC4(40) |
SSL3-EXP-DES-CBC-SHA | EXP-DES-CBC-SHA | 0x0008 | SSLv3 | RSA(512) | RSA | DES(40) |
SSL3-EXP-RC2-CBC-MD5 | EXP-RC2-CBC-MD5 | 0x0006 | SSLv3 | RSA(512) | RSA | RC2(40) |
SSL2-DES-CBC-MD5 | DHE-DSS-AES128-SHA256 | 0x0040 | SSLv2 | RSA | RSA | DES(56) |
SSL3-EDH-DSS-DES-CBC-SHA | EDH-DSS-DES-CBC-SHA | 0x0012 | SSLv3 | DH | DSS | DES(56) |
SSL3-EXP-EDH-DSS-DES-CBC-SHA | EXP-EDH-DSS-DES-CBC-SHA | 0x0011 | SSLv3 | DH(512) | DSS | DES(40) |
SSL3-EDH-RSA-DES-CBC-SHA | EDH-RSA-DES-CBC-SHA | 0x0015 | SSLv3 | DH | RSA | DES(56) |
SSL3-EXP-EDH-RSA-DES-CBC-SHA | EXP-EDH-RSA-DES-CBC-SHA | 0x0014 | SSLv3 | DH(512) | RSA | DES(40) |
SSL3-ADH-RC4-MD5 | ADH-RC4-MD5 | 0x0018 | SSLv3 | DH | None | RC4(128) |
SSL3-ADH-DES-CBC3-SHA | ADH-DES-CBC3-SHA | 0x001B | SSLv3 | DH | None | 3DES(168) |
SSL3-ADH-DES-CBC-SHA | ADH-DES-CBC-SHA | 0x001A | SSLv3 | DH | None | DES(56) |
TLS1-ADH-AES-128-CBC-SHA | ADH-AES128-SHA | 0x0034 | SSLv3 | DH | None | AES(128) |
TLS1-ADH-AES-256-CBC-SHA | ADH-AES256-SHA | 0x003A | SSLv3 | DH | None | AES(256) |
SSL3-EXP-ADH-RC4-MD5 | EXP-ADH-RC4-MD5 | 0x0017 | SSLv3 | DH(512) | None | RC4(40) |
SSL3-EXP-ADH-DES-CBC-SHA | EXP-ADH-DES-CBC-SHA | 0x0019 | SSLv3 | DH(512) | None | DES(40) |
SSL3-NULL-MD5 | NULL-MD5 | 0x0001 | SSLv3 | RSA | RSA | None |
SSL3-NULL-SHA | NULL-SHA | 0x0002 | SSLv3 | RSA | RSA | None |
Predefined cipher groups
The following table lists the predefined cipher groups provided by the SDX appliance.
Cipher Group Name | Description |
---|---|
ALL | All ciphers supported by the SDX appliance, excluding NULL ciphers |
DEFAULT | Default cipher list with encryption strength >= 128bit |
kRSA | Ciphers with Key-ex algo as RSA |
kEDH | Ciphers with Key-ex algo as Ephemeral-DH |
DH | Ciphers with Key-ex algo as DH |
EDH | Ciphers with Key-ex/Auth algo as DH |
aRSA | Ciphers with Auth algo as RSA |
aDSS | Ciphers with Auth algo as DSS |
aNULL | Ciphers with Auth algo as NULL |
DSS | Ciphers with Auth algo as DSS |
DES | Ciphers with Enc algo as DES |
3DES | Ciphers with Enc algo as 3DES |
RC4 | Ciphers with Enc algo as RC4 |
RC2 | Ciphers with Enc algo as RC2 |
NULL | Ciphers with Enc algo as NULL |
MD5 | Ciphers with MAC algo as MD5 |
SHA1 | Ciphers with MAC algo as SHA-1 |
SHA | Ciphers with MAC algo as SHA |
NULL | Ciphers with Enc algo as NULL |
RSA | Ciphers with Key-ex/Auth algo as RSA |
ADH | Ciphers with Key-ex algo as DH and Auth algo as NULL |
SSLv2 | SSLv2 protocol ciphers |
SSLv3 | SSLv3 protocol ciphers |
TLSv1 | SSLv3/TLSv1 protocol ciphers |
TLSv1_ONLY | TLSv1 protocol ciphers |
EXP | Export ciphers |
EXPORT | Export ciphers |
EXPORT40 | Export ciphers with 40bit encryption |
EXPORT56 | Export ciphers with 56bit encryption |
LOW | Low strength ciphers (56bit encryption) |
MEDIUM | Medium strength ciphers (128bit encryption) |
HIGH | High strength ciphers (168bit encryption) |
AES | AES Ciphers |
FIPS | FIPS Approved Ciphers |
ECDHE | Elliptic Curve Ephemeral DH Ciphers |
AES-GCM | Ciphers with Enc algo as AES-GCM |
SHA2 | Ciphers with MAC algo as SHA-2 |
View the predefined cipher groups
To view the predefined cipher groups, on the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.
Create custom cipher groups
You can create custom cipher groups from the list of supported SSL ciphers.
To create custom cipher groups:
- On the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.
- In the Cipher Groups pane, click Add.
- In the Create Cipher Group dialog box, perform the following:
- In the Group Name field, enter a name for the custom cipher group.
- In the Cipher Group Description field, enter a brief description of the custom cipher group.
- In the Cipher Suites section, click Add and select the ciphers to include in the list of supported SSL ciphers.
- Click Create.
View existing SSL cipher bindings
To view the existing cipher bindings, on the Configuration tab, in the navigation pane, expand System, and then click Configure SSL Settings under System Settings.
Note:
After upgrade to the latest version of the Management Service, the list of existing cipher suites shows the OpenSSL names. Once you bind the ciphers from the upgraded Management Service, the display uses the Citrix naming convention.
Bind ciphers to the HTTPS service
- On the Configuration tab, in the navigation pane, click System.
- In the System pane, under System Settings, click Configure SSL Settings.
- In the Edit Settings pane, click Ciphers Suites.
- In the Ciphers Suites pane, do either of the following:
- To choose a cipher group from the predefined cipher groups, select Cipher Groups, select a cipher group from the Cipher Groups list, and then click OK.
- To choose from the list of supported ciphers, select the Cipher Suites check box, click Add to select the ciphers, and then click OK.