CTX205480
Article | How To / General Question Configuration
Objective
This article describes how to remove the legacy SSL 2.0 and SSL 3.0 protocols and the legacy DES, 3DES, MD5 and RC4 ciphers from a NetScaler appliance.
Use case
- Ramesh wants to use web applications through his browser without being exposed to attacks on the transport layer. Recent attacks on weak SSL/TLS ciphers have made them unsafe, so Ramesh wants to be sure that none of them are in use.
- Banking.com wants to host web servers for users like Ramesh that are not exposed to these attacks.
Background
Secure transfer of data between client and server is provided by Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL). They are not only used by websites over HTTP but by a wide variety of services, including e-mail, chat applications, FTP and Virtual Private Networks (VPN).
The choice of ciphers is critical because it determines how well the data exchanged between client and server is protected. Choosing the wrong ciphers gives a false sense of security: an attacker can decrypt traffic or gain access to sensitive information when the negotiated cipher suite is an outdated one with known attacks. Note that a cipher only has to be offered to be a risk; a downgrade or a client that prefers it is enough for it to be negotiated.
Key points to consider when securing the SSL layer:
- SSL 2.0 and SSL 3.0 should be disabled (SSL 3.0 is broken by the POODLE padding-oracle attack; SSL 2.0 has been insecure for far longer)
- Weak ciphers such as DES, 3DES, RC4 or MD5 should not be used (RC4 has exploitable keystream biases, and the 64-bit block size of DES/3DES is subject to the SWEET32 birthday attack)
Instructions
This article is divided into the following sections:
- Remove Legacy Ciphers that Use SSL3, DES, 3DES, MD5 and RC4
- Remove Legacy Ciphers SSL3, DES, 3DES, MD5 and RC4 from cipher group
- Remove Legacy Ciphers SSL3, DES, 3DES, MD5 and RC4 from SSL Profile
- Disable SSL 2.0 and SSL 3.0 on NetScaler
- Disable SSL 3.0/2.0 on a vserver
- Disable SSL 3.0/2.0 on SNIP
- Disable SSL 3.0/2.0 on NetScaler Management Interface
Remove Legacy Ciphers that Use SSL3, DES, 3DES, MD5 and RC4
Legacy ciphers, that is, the suites whose NetScaler names carry SSL3, DES, 3DES (shown as DES-CBC3), MD5 or RC4, can be removed from NetScaler in two ways: from a cipher group, or from an SSL profile. Which one applies depends on whether the SSL virtual servers have cipher groups bound directly or use SSL profiles.
Remove Legacy Ciphers SSL3, DES, 3DES, MD5 and RC4 from cipher group
Complete the following steps to create a cipher group without the SSL3, DES, 3DES, MD5 and RC4 ciphers:
- Go to Configuration tab > Traffic Management > SSL > Cipher Groups.
- Select the DEFAULT cipher group and click Add.
- Change the Cipher Group Name to anything other than "DEFAULT" (the built-in group cannot be modified in place, so a copy is edited instead).
- Check the list for SSL3, DES, 3DES, MD5 and RC4 ciphers (for example SSL3-RC4-MD5 or SSL3-DES-CBC3-SHA) and remove them from the group.
- Click Create. The new group contains the ciphers of the DEFAULT group minus the legacy ones. Bind it to the SSL virtual servers in place of DEFAULT; creating the group alone changes nothing.
Remove Legacy Ciphers SSL3, DES, 3DES, MD5 and RC4 from SSL Profile
- Go to Configuration tab > System > Profiles > SSL Profile tab, select the profile to be modified and click Edit.
- Select SSL Ciphers > Add > Select Cipher, uncheck the SSL3, DES, 3DES, MD5 and RC4 ciphers, and move the remaining ciphers to Configured.
- After moving the list of ciphers to Configured, click OK and save the configuration.
After these steps the SSL profile no longer contains any legacy ciphers. The change only affects the virtual servers and services to which the profile is bound.
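Both procedures above (cipher group and SSL profile) come down to deciding which cipher names are legacy and keeping the rest. The following Python script is an added example and is not part of the original article or of NetScaler: it parses a constructed `show ssl cipher DEFAULT` dump (layout approximated; the cipher names follow NetScaler's SSL3-/TLS1-/TLS1.2- naming), drops every suite whose name carries SSL3, DES/3DES (DES-CBC3), RC4 or MD5, and prints the `add ssl cipher` / `bind ssl cipher` commands that build the equivalent custom group on the CLI. It goes slightly beyond the article's list by also dropping EXP (export-grade) and NULL suites. The group name NO_LEGACY and the virtual server name vpn are placeholders.

```python
"""Audit NetScaler cipher names for legacy suites and emit the CLI for a clean group.

Added example, not from the original article. The sample below imitates
`show ssl cipher DEFAULT` output; the exact layout varies by build, and only
the "Cipher Name:" fields are parsed.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample of `show ssl cipher DEFAULT` output (layout approximated).
SAMPLE_SHOW_SSL_CIPHER_DEFAULT = """\
1)    Cipher Name: SSL3-RC4-MD5    Priority : 1
      Description: SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
2)    Cipher Name: SSL3-RC4-SHA    Priority : 2
      Description: SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
3)    Cipher Name: SSL3-DES-CBC3-SHA    Priority : 3
      Description: SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168)  Mac=SHA1
4)    Cipher Name: TLS1-AES-256-CBC-SHA    Priority : 4
      Description: TLSv1 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
5)    Cipher Name: TLS1-AES-128-CBC-SHA    Priority : 5
      Description: TLSv1 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
6)    Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA    Priority : 6
      Description: TLSv1 Kx=ECC-DHE  Au=RSA  Enc=3DES(168)  Mac=SHA1
7)    Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256    Priority : 7
      Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES-GCM(128)  Mac=AEAD
"""

# Name fragments that mark a legacy suite in NetScaler's cipher naming.
# "DES" covers single DES (DES-CBC) as well as 3DES (DES-CBC3). EXP (export
# grade) and NULL (no encryption) go beyond the article's list but are never
# acceptable, so they are dropped too.
LEGACY_TOKENS = {"DES", "RC4", "MD5", "EXP", "NULL"}


def is_legacy(cipher_name: str) -> bool:
    """True for SSL3-* suites and for any suite using DES/3DES, RC4, MD5, EXP or NULL."""
    tokens = cipher_name.upper().split("-")
    if tokens[0] == "SSL3":
        return True
    # Token match, not substring match: "AES" must not be caught by "DES".
    return any(tok in LEGACY_TOKENS for tok in tokens)


def parse_cipher_names(show_output: str) -> List[str]:
    """Pull the cipher names, in priority order, out of `show ssl cipher <group>` output."""
    return re.findall(r"Cipher Name:\s*(\S+)", show_output)


def split_ciphers(names: List[str]) -> Tuple[List[str], List[str]]:
    """Return (keep, drop), both preserving the original priority order."""
    keep = [n for n in names if not is_legacy(n)]
    drop = [n for n in names if is_legacy(n)]
    return keep, drop


def cipher_group_commands(group: str, keep: List[str],
                          vserver: Optional[str] = None) -> List[str]:
    """CLI to build a custom cipher group and, optionally, swap it in on a vserver."""
    cmds = [f"add ssl cipher {group}"]
    cmds += [f"bind ssl cipher {group} -cipherName {c}" for c in keep]
    if vserver:
        # Unbinding DEFAULT matters: otherwise the legacy suites stay offered.
        cmds.append(f"unbind ssl vserver {vserver} -cipherName DEFAULT")
        cmds.append(f"bind ssl vserver {vserver} -cipherName {group}")
    return cmds


if __name__ == "__main__":
    keep, drop = split_ciphers(parse_cipher_names(SAMPLE_SHOW_SSL_CIPHER_DEFAULT))
    print("dropping:", ", ".join(drop))
    print("\n".join(cipher_group_commands("NO_LEGACY", keep, vserver="vpn")))
```

Run the script against a real dump captured from the CLI to get the command list for your own DEFAULT group; review the kept list before binding, because the ordering of the surviving suites becomes the group's priority order.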
Disable SSL 2.0 and SSL 3.0 on NetScaler
To disable SSL 2.0 and SSL 3.0 completely on NetScaler, they have to be disabled on every SSL virtual server, on the SNIP internal services and on the NetScaler management interface (NSIP). Disabling them on the virtual servers alone still leaves the management endpoints negotiating the old protocols.
Disable SSL 3.0/2.0 on a vserver
The following commands disable SSL 3.0 and SSL 2.0 on an SSL virtual server (named vpn in this example):
> set ssl vserver vpn -ssl3 DISABLED
> set ssl vserver vpn -ssl2 DISABLED
Verify the result with show ssl vserver vpn, which lists the state of each protocol (SSLv2, SSLv3, TLSv1.x).
Disable SSL 3.0/2.0 on SNIP
To disable SSL 3.0/2.0 on a SNIP, first identify the internal services listening on that IP address:
> show service -internal | grep <IP>
Internal services reside inside NetScaler and act on its behalf. For example, the internal service nshttps-<SNIP IP address>-443 handles the HTTPS connections to the SNIP.
Using the internal service name for that IP address, disable SSL 3.0/2.0 with the following commands:
> set ssl service <internal service name for that IP> -ssl3 DISABLED
> set ssl service <internal service name for that IP> -ssl2 DISABLED
Disable SSL 3.0/2.0 on NetScaler Management Interface
"nshttps-127.0.0.1-443" is the internal service that serves the NetScaler management interface; the NSIP has its own, nshttps-<NSIP>-443.
> show service -internal | grep nshttps-127.0.0.1-443
On older versions of ADC the following commands disable SSL 2.0 and SSL 3.0 on the management interface. Replace NSIP in the last command with the NSIP of the appliance. If a command is rejected with "Warning: Operation not permitted. Use set ssl profile for setting these parameters", the build manages these settings through SSL profiles; use the alternate commands instead:
> set ssl service nshttps-127.0.0.1-443 -ssl2 DISABLED
> set ssl service nshttps-127.0.0.1-443 -ssl3 DISABLED
> set ssl service nshttps-NSIP-443 -ssl3 DISABLED
Alternate commands:
> add ssl profile no_SSL3_TLS1 -ssl3 DISABLED -tls1 DISABLED
> set ssl service nshttps-127.0.0.1-443 -sslProfile no_SSL3_TLS1
> set ssl service nshttps-NSIP-443 -sslProfile no_SSL3_TLS1
Note that this profile also disables TLS 1.0, as its name indicates. Leave out -tls1 DISABLED if management clients that only support TLS 1.0 still need access. The commands above use plain hyphens for the parameters; a dash character copied from a formatted document is not accepted by the CLI.
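As an added example, not from the original article or from NetScaler, the Python script below ties the three procedures above together offline. It reads constructed `show ssl vserver vpn` and `show service -internal` dumps (layouts approximated; addresses taken from the 192.0.2.0/24 documentation range), reports which of SSLv2/SSLv3 a virtual server still has ENABLED, finds the nshttps-<IP>-443 internal services for the given SNIP and NSIP plus the loopback management service, and prints the `set ssl vserver|service ... -ssl3/-ssl2 DISABLED` commands from the article. When given a profile name it prints the `add ssl profile` / `set ssl ... -sslProfile` form for builds that reject the per-object flags; that profile carries only -ssl3 DISABLED, not the -tls1 DISABLED of the article's alternate commands. The profile name no_SSL3 and the vserver name vpn are placeholders.

```python
"""Find where SSLv2/SSLv3 are still enabled on a NetScaler and emit the fix.

Added example, not from the original article. The two samples imitate
`show ssl vserver <name>` and `show service -internal` output; only the
"SSLv2:/SSLv3:" state fields and the nshttps-<IP>-443 names are parsed, so the
rest of the layout is approximate.
"""
import re
from typing import List, Optional

# Constructed sample of `show ssl vserver vpn` output.
SAMPLE_SHOW_SSL_VSERVER_VPN = """\
    Advanced SSL configuration for VServer vpn:
    DH: DISABLED
    SSLv2: DISABLED  SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED
"""

# Constructed sample of `show service -internal` output
# (192.0.2.10 plays the NSIP, 192.0.2.20 a SNIP).
SAMPLE_SHOW_SERVICE_INTERNAL = """\
1)    nshttps-127.0.0.1-443 (127.0.0.1:443) - SSL    State: UP
2)    nshttp-127.0.0.1-80 (127.0.0.1:80) - HTTP    State: UP
3)    nshttps-192.0.2.10-443 (192.0.2.10:443) - SSL    State: UP
4)    nshttps-192.0.2.20-443 (192.0.2.20:443) - SSL    State: UP
"""

PROTO_RE = re.compile(r"\b(SSLv2|SSLv3):\s*(ENABLED|DISABLED)")
INTERNAL_HTTPS_RE = re.compile(r"\b(nshttps-\d{1,3}(?:\.\d{1,3}){3}-443)\b")
FLAG = {"SSLv2": "-ssl2", "SSLv3": "-ssl3"}


def enabled_legacy_protocols(show_output: str) -> List[str]:
    """Legacy protocols still ENABLED in `show ssl vserver|service` output."""
    return [proto for proto, state in PROTO_RE.findall(show_output) if state == "ENABLED"]


def https_internal_services(show_service_output: str, ip: Optional[str] = None) -> List[str]:
    """nshttps-<IP>-443 internal service names, optionally restricted to one IP."""
    names = INTERNAL_HTTPS_RE.findall(show_service_output)
    return [n for n in names if ip is None or n == f"nshttps-{ip}-443"]


def disable_commands(kind: str, name: str, protocols: List[str],
                     profile: Optional[str] = None) -> List[str]:
    """Commands to disable the listed protocols on one vserver or service.

    Without a profile the per-object flags from the article are used. With a
    profile (needed on builds that answer "Operation not permitted. Use set ssl
    profile"), the object is bound to the profile instead; that profile only
    carries -ssl3 DISABLED, the flag the article's alternate commands use.
    """
    if not protocols:
        return []
    if profile is None:
        return [f"set ssl {kind} {name} {FLAG[p]} DISABLED" for p in protocols]
    return [f"set ssl {kind} {name} -sslProfile {profile}"]


def remediation_plan(vserver: str, vserver_dump: str, service_dump: str,
                     ips: List[str], profile: Optional[str] = None) -> List[str]:
    """Commands for one vserver, the nshttps-<IP>-443 services of the given IPs
    (SNIPs, NSIP) and the loopback management service."""
    cmds: List[str] = []
    if profile:
        # One profile, created once, then bound to every object below.
        cmds.append(f"add ssl profile {profile} -ssl3 DISABLED")
    cmds += disable_commands("vserver", vserver, enabled_legacy_protocols(vserver_dump), profile)
    targets: List[str] = []
    for ip in list(ips) + ["127.0.0.1"]:
        targets += https_internal_services(service_dump, ip)
    for svc in targets:
        # No per-service dump is parsed here, so both legacy protocols are disabled outright.
        cmds += disable_commands("service", svc, ["SSLv3", "SSLv2"], profile)
    return cmds


if __name__ == "__main__":
    plan = remediation_plan("vpn", SAMPLE_SHOW_SSL_VSERVER_VPN, SAMPLE_SHOW_SERVICE_INTERNAL,
                            ips=["192.0.2.20", "192.0.2.10"])
    print("\n".join(plan))
```

Feed it real dumps from `show ssl vserver <name>` and `show service -internal`, and rerun `show ssl vserver` / `show ssl service` afterwards to confirm that SSLv2 and SSLv3 read DISABLED; a dump whose protocol line is absent yields no commands for that object, which is deliberate rather than a pass.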