SSL Test with A+ Result in NetScaler VPX

With the default SSL settings on a NetScaler VPX, the SSL Labs test grades the vServer C. The steps below bring it to A+:

  1. Disable SSLv3 and TLS 1.0
  2. Deny non-secure (pre-RFC 5746) renegotiation
  3. Bind a custom cipher group that prefers Forward Secrecy (FS) suites
  4. Enable HTTP Strict Transport Security (HSTS)
  5. Create and bind a 2048-bit DH key

Referring to my previous post NetScaler VPX as Reverse Proxy for Exchange 2016, the vServer that I’m going to use is cs_ex16.

Disable SSLv3 and TLS 1.0

set ssl vserver cs_ex16 -ssl3 DISABLED -tls1 DISABLED -tls11 ENABLED -tls12 ENABLED

This is a per-vServer setting, so repeat it for every SSL vServer you expose. TLS 1.1 is left enabled here; it has since been deprecated as well (RFC 8996) and current SSL Labs grading caps a server that still offers it at B, so flip -tls11 to DISABLED once your clients no longer need it.

Deny non-secure renegotiation

set ssl parameter -denySSLReneg NONSECURE

Unlike the other commands, -denySSLReneg is a global SSL parameter and applies to every vServer. NONSECURE rejects renegotiation from clients that do not support the RFC 5746 renegotiation-indication extension while still allowing secure renegotiation, which is the behaviour SSL Labs checks for.

Create a new cipher group, secure_cipher

Ciphers are offered to clients in the order they are bound, so the ECDHE GCM suites go first. The two TLS1-AES-*-CBC-SHA suites at the end use static RSA key exchange and give no forward secrecy; they are only a fallback for old clients, and you should drop them if no such clients remain. The DHE-* suites are not offered until the DH key in the last step below is bound.

add ssl cipher secure_cipher
bind ssl cipher secure_cipher -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher secure_cipher -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher secure_cipher -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
bind ssl cipher secure_cipher -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher secure_cipher -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
bind ssl cipher secure_cipher -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
bind ssl cipher secure_cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher secure_cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher secure_cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher secure_cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher secure_cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher secure_cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher secure_cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher secure_cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher secure_cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher secure_cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher secure_cipher -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher secure_cipher -cipherName TLS1-AES-256-CBC-SHA

Unbind the DEFAULT group and bind secure_cipher

The warning after the unbind is expected: between the unbind and the bind the vServer has no ciphers at all and will refuse every handshake, so run the two commands back to back.

unbind ssl vserver cs_ex16 -cipherName DEFAULT
Warning: No usable ciphers configured on the SSL vserver/service
 Done

bind ssl vserver cs_ex16 -cipherName secure_cipher
bind ssl vserver cs_ex16 -eccCurveName ALL

Binding the ECC curves is what makes the ECDHE suites negotiable; without a bound curve the vServer silently falls through to the DHE and RSA suites.

Enable HTTP Strict Transport Security with the -HSTS ENABLED flag
This tells the client's browser to always use an HTTPS connection to this host.

set ssl vserver cs_ex16 -HSTS ENABLED -maxage 157680000

A max-age of 157680000 seconds is five years; SSL Labs requires at least six months for A+. Browsers that have seen the header will refuse plain HTTP to the host until it expires, so enable it only once everything on that hostname is served over HTTPS.

Create and bind a 2048-bit DH key

create ssl dhparam dhkey 2048 -gen 2
set ssl vserver cs_ex16 -dh ENABLED -dhFile dhkey

The DHE-* suites in the cipher group use this group for their key exchange. Use 2048 bits or more: a 1024-bit group is flagged as weak by SSL Labs. Generating the parameters takes a few minutes on a VPX.

Run the SSL Labs test again; the vServer should now be graded A+.
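As an added check that is not part of the original post: the script below probes the vServer from an admin workstation with openssl s_client and verifies each step above (legacy protocols refused, a forward-secret suite negotiated, secure renegotiation advertised, DH group of at least 2048 bits, HSTS header with a long max-age) before you spend a scan on SSL Labs. The hostname mail.example.com is a placeholder for the FQDN of the cs_ex16 vServer, and the script assumes OpenSSL 1.1.1 or 3.x on the workstation. The parsing helpers work on captured output, so only the audit function needs network access.

```shell
#!/bin/sh
# Added example, not from the original post. Probes an SSL vServer with
# openssl s_client and checks the hardening steps from the post.
# Assumptions: vServer reachable as mail.example.com:443 (placeholder name),
# OpenSSL 1.1.1 or 3.x on the workstation running this script.

HOST="${HOST:-mail.example.com}"
PORT="${PORT:-443}"

# One handshake attempt; stdin is closed so s_client exits after the handshake.
probe() {
    echo | openssl s_client -connect "$HOST:$PORT" -servername "$HOST" "$@" 2>&1
}

# ---- parsers over captured s_client / HTTP output (usable offline) ----

# true if a cipher was negotiated ("New, TLSv1.2, Cipher is ..."); a refused
# handshake prints "New, (NONE), Cipher is (NONE)" instead
handshake_ok() { printf '%s\n' "$1" | grep -Eq '^New, TLSv[0-9.]+, Cipher is [A-Z0-9-]+'; }

# true if the negotiated key exchange is ephemeral, i.e. forward secret
fs_ok() { printf '%s\n' "$1" | grep -Eq 'Cipher is (ECDHE|DHE)-'; }

# true if RFC 5746 secure renegotiation is advertised by the server
reneg_ok() { printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS supported'; }

# true if the ephemeral DH group is >= 2048 bits ("Server Temp Key: DH, 2048 bits");
# an ECDH temp key line does not count, the DH group is what we want to see
dh_bits_ok() {
    bits=$(printf '%s\n' "$1" | sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# true if an HSTS header is present with max-age of at least six months
# (15768000 s), the long-duration threshold SSL Labs applies for A+
hsts_ok() {
    age=$(printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:[ ]*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge 15768000 ]
}

# ---- live audit against the vServer, run only when invoked with "audit" ----
audit() {
    fails=0
    # SSLv3 and TLS 1.0 must be refused. @SECLEVEL=0 stops an OpenSSL 3 client
    # from refusing the legacy protocol on its own, which would look like a pass.
    for p in ssl3 tls1; do
        out=$(probe "-$p" -cipher 'ALL:@SECLEVEL=0')
        if printf '%s\n' "$out" | grep -iq 'unknown option'; then
            echo "skip: this openssl build cannot speak $p, test it from another client"
        elif handshake_ok "$out"; then
            echo "FAIL: $p still accepted"; fails=$((fails + 1))
        else
            echo "ok:   $p refused"
        fi
    done
    out=$(probe -tls1_2)
    if handshake_ok "$out" && fs_ok "$out"; then echo "ok:   TLS 1.2 with ECDHE/DHE"
    else echo "FAIL: no forward-secret TLS 1.2 suite negotiated"; fails=$((fails + 1)); fi
    if reneg_ok "$out"; then echo "ok:   secure renegotiation advertised"
    else echo "FAIL: secure renegotiation not advertised"; fails=$((fails + 1)); fi
    # force a DHE suite so the "Server Temp Key" line shows the DH group size
    out=$(probe -tls1_2 -cipher 'DHE-RSA-AES128-GCM-SHA256')
    if dh_bits_ok "$out"; then echo "ok:   DH group >= 2048 bits"
    else echo "FAIL: DHE not offered or DH group < 2048 bits"; fails=$((fails + 1)); fi
    # HSTS is a response header, so send one request; -ign_eof keeps the
    # connection open until the server closes it after Connection: close
    out=$(printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$HOST" \
        | openssl s_client -connect "$HOST:$PORT" -servername "$HOST" -ign_eof -quiet 2>/dev/null)
    if hsts_ok "$out"; then echo "ok:   HSTS with max-age >= 15768000"
    else echo "FAIL: HSTS missing or max-age < 15768000"; fails=$((fails + 1)); fi
    echo "$fails check(s) failed"
    return "$fails"
}

if [ "${1:-}" = "audit" ]; then
    audit
fi
```

Run it as `HOST=your.vserver.fqdn sh ssl-audit.sh audit`. A "skip" on the SSLv3 probe means the local OpenSSL build has no SSLv3 client support, not that the server refuses it; test that protocol from another client or rely on the SSL Labs scan for it.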

Reference Links
1. https://www.citrix.com/blogs/2018/05/16/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-q2-2018-update/
