Netscaler VPX A(+) rating on SSL Labs
June 29, 2015
Due to the recent (and ongoing?) discoveries of vulnerabilities in SSL and others, it has become more important than ever to get a good rating on the SSL Labs Server Test.
I’m not the first to write a blogpost on the subject either. There was even one on the official Citrix Blog pages:
And I would not dare to forget the post of new CTP Anton van Pelt:
So, why bother to make my own blogpost anyway?
First of all, I’m focusing on the VPX platform only in the first place. The VPX does need its own set of ciphers since not all ciphers are supported.
Before I move on, a quick heads up: if your certificate is not yet SHA2, you are limited to an “A”-rating. Once you renew your SSL certificate, you will be on SHA2 and be able to score the “A+” rating. I’m emphasizing this because I was still using an SHA1 certificate on my VPX. The SHA2 renewal is in the works. Therefore, my screenshots will show “A” and not “A+”.
So I focus on VPX only, but even then, why bother? Well, if you read the comments on both posts you’ll see some confusion to say the least. Confusion on the setup for VPX, confusion why some results don’t work, … but that’s not all. What am I talking about? Well, there’s scoring an A/A+ on the SSL Labs test and scoring an A/A+ on the test with a setup that works on all your endpoints.
Let’s be brutally honest here, and I mean no disrespect to the other writers here, it’s not that difficult at all to get the A-rating. If one was to disable 99% of the ciphers and keeping only the super-secure one(s), one will score A/A+. But your users/customers wouldn’t be happy at all. Why? Because the vast majority of them won’t be able to connect anymore.
So, as I was building the config for an environment with a mix of XenApp 7.6, 6.5 and even 4.5 servers, I’m pretty confident that my setup will work in your environment too.
Here we go.
Upgrade to 10.5 build 57.7
Create a Diffie-Hellman key (for perfect Forward Secrecy)
Disable SSL3. Enable TLS 1.2. Protocols on the Access Gateway vServer should look like this:
You can find this on the SSL parameters section of your Access Gateway vServer.
On the same screen, enable DH Param accordingly, by selecting they .key file generated in step 2.
This is the tricky one. The goal is to get all ciphers you need, and applied in the correct order. I chose to change the default cipher group rather than creating a new one. This is my cipher-list:
Yes, I know SSL3 is disabled, but you still need the cipher present.
Oh and you if you get this error:
You can ignore this (see: http://support.citrix.com/article/CTX135519).
Create a rewrite policy or make sure by other means that your vserver can only be accessed on HTTPS, not HTTP.
And the end result:
That’s it. I’ve tested this setup with Citrix Receiver on iOS, Receiver on Android, Receiver for ChromeOS and, of course, “plain” Receiver for Windows.