Note – This article has been superseded by a new improved version.

If, like me, you use Qualys’s excellent SSL Labs website to test your certificate and secure site configuration.  Then, you’ve likely also asked yourself “how do I get the best score?”  Good news!  I’ve spent time finding out.

Before I begin let me tell you that everyone with a NetScaler can score a B grade or higher and those of you with an MPX or SDX running NS10.5-53.9 or above can get an A

Appliance

Score

MPX/SDX with NS10.5-53.9

A

MPX/SDX without NS10.5-53.9

A-

VPX (not on an SDX)

B

Let’s start with the “cheat sheet” for an A

  1. Disable SSLv3

As SSLv3 is considered insecure, you’ll get a score of “B” with this enabled.

  1. TLSv1.2 must be enabled for your vServer.

Without TLSv1.2 the highest score available is a “B”; note that TLSv1.2 isn’t possible on a VPX without hardware SSL chip assigned.

  1. RC4 ciphers must be disabled using a custom cipher list.

RC4 ciphers are generally considered insecure and again your score is limited to a “B” without disabling them.

  1. To move from an “A-“ to an “A” your custom cipher list requires both Elliptic curve Diffie–Hellman (ECDH) ciphers and reordering so these are preferred.

Note that when you create a new cipher group via the GUI in 10.5 that ciphers are added in reverse priority order (they’ll be reordered when you create the group).

Following the cheat sheet above you’ll get an “A”.

Moving from an A to an A+

Moving from an A (secure) to an A+ (exceptional) was quite easy, however since the end of year 2014 update it now isn’t possible as we don’t currently support TLS_FALLBACK_SCSV. I don’t know if or when we’ll support this but currently I’d imagine it of limited benefit as (at time of writing) Internet Explorer also don’t support it. Let’s further harden our deployment anyway.

  1. Ensure your intermediate certificates have a SHA2/SHA256 signature.

This may be easier than you imagine. I tend to use certificates from StartSSL.com (principally because they’re free) and was pleased to find that all of my sites had cross-signed certificates meaning that I only needed to replace one intermediate StartSSL certificate on my NetScaler rather than the certificate for every site.

  1. You need to implement Strict Transport Security by inserting a custom header using a rewrite policy bound to your vServer. See here for details.

Protected

That’s it. Through this fifteen-minute process you can enhance security and get an A.  Do remember however that ssllabs.com is just an opinion and we’re not necessarily recommending this for your environment, as always testing is paramount.

Now the cheat sheet is done, lets talk about some questions I had while writing it:

How does my score compare to others?

This data is actually published here

Reading the summary for December 05, 2014 we can see that of 149,712 sites surveyed by ssllabs.com 31.8% scored an F and only 8.5% (12,764) scored an A or A+

Why is NS10.5-53.9 important?

Well, if you’ve got a Cavium Nitrox III hardware SSL card or run a VPX, it’s not.

I’ve listed the 10.5-53.9 MR release for simplicity however the Nitrox III and VPX actually got ECDHE (Elliptic Curve Diffie–Hellman Exchange) support in the 10.5 GA release back in June’14.  For those of us with a Nitrox II card however the 10.5.53.9 MR release in Nov’14 brought ECDHE.

Additionally, this release also brought GCM and SHA2 cipher support for Nitrox II and III hardware SSL cards.

How do I know if my NetScaler has a Nitrox III card?

You can either run “show hardware” from the NetScaler prompt, or “cat /var/nslog/dmesg.boot |grep platform” on the shell.

Take note of the platform lines shown in the output to the above command in my examples below. If you see “CVM N3” in the output you have a Nitrox III card.

Platform: NSMPX-17500 12*CPU+2*E1K+8*IX+16*CVM 1620 450030

Platform: NSMPX-11500 12*CPU+8*IX+4*E1K+2*E1K+2*CVM N3 1400210

What are elliptic curve cryptography ciphers and why are they needed?

ECC ciphers are faster and require shorter key lengths for stronger keys than the more common RSA ciphers. They lend themselves well to Perfect Forward Secrecy (PFS), where the client and server must agree a new shared and temporary key for each session.

Without PFS all communication recorded between client and server can be decrypted if the server key ever becomes known, perhaps your key is completely secure now – but if someone records the traffic and then cracks or steals the key at a future date then that could be a problem; PFS solves this.

PFS solves this by having the client and server agree a temporary key for each session using Diffie-Hellman key exchange and then use this key rather than the server key for encryption of data traffic. Even if the server key later becomes compromised it won’t affect the security of the past conversation. This shared temporary key does however need to be created and agreed upon, and this process can result in some computationally intensive math  – which is where Elliptic Curve comes in.

Elliptic Curve cryptography is very strong even at small key sizes, a 256-bit ECC key for example is equal to a 3072-bit RSA key. By using ECDHE (Elliptic Curve Diffie-Hellman Exchange) we gain the benefit of PFS by negotiating a new temporary key for each session while also keeping a low CPU and network overhead.

What ciphers should I use?

This question will depend very much on your environment and I’d recommend discussing it with your security team however here is the list I used for testing along with my score (pre end of year update).

If we implement Strict Transport Security, how do we get onto “the browser-internal HSTS whitelists” or preload lists?

Strict Transport Security works by adding a header telling the client not to use http and to communicate over https only. This prevents man in the middle attacks that strip the SSL conversation but only once the client has seen the header – on the first visit to a site the attacker could remove the header with such an attack.

The solution is to submit your site for inclusion in hardcoded preload lists of sites known to be https only. You can submit to Chrome’s preload list here.

Firefox and Safari also have HSTS preload lists which include the Chrome list.