The moving target has moved again. With my last SSLlabs blog post now a year-old and producing an “A-“ — it seemed time for an update.

Welcome to my third blog post on getting an “A+” score.

As always, I’ll detail how the “A+” can be achieved and thanks to firmware you’ll be pleased to learn that all MPX ciphers now also work on the VPX!

My new “cheat sheet” for an A+

1. Disable SSLv3

  • SSLv3 is considered insecure, and you’ll only score a “C” with this enabled.

2. Ensure TLSv1.2 is enabled

  • TLSv1.2 is enabled by default with newer firmware, but without, the highest score available is a “C”.

3. Ensure RC4 ciphers are disabled.

  • Like TLSv1.2 this is done for you on newer firmware, the DEFAULT cipher group no longer includes any RC4 ciphers. Please do check this if you have older firmware or use custom cipher groups.
  • RC4 ciphers will also reduce the highest score to a “C”.

4. Set your custom cipher group to preference Elliptic Curve Diffie–Hellman Exchange (ECDHE).

  • ECDHE provides Perfect Forward Secrecy.
  • While the DEFAULT cipher group does include ECDHE ciphers they’re set to a lower preference than some of the other more generic ones, for this reason, they’re unlikely to be used.
  • Without a change to the preference order (to prefer ECDHE ciphers) the highest score is an “A-”; changing the preference order requires a custom cipher group as you can’t modify the DEFAULT group.

5. Allow secure renegotiation

  • The default is now to deny “ALL” renegotiation, including secure. Preventing all renegotiation will result in an “A-“
  • You can allow secure renegotiation initiated by both NetScaler and client by choosing to block only “NONSECURE”, or only allow NetScaler initiated secure renegotiation by selecting the “FRONTEND_CLIENT” option.
  • Allowing insecure renegotiation, which you absolutely shouldn’t do, will result in an “F.”

Moving from an A to an A+

1. Ensure both your server certificate and your intermediate certificates have an SHA2/SHA256 signature.

2. Implement Strict Transport Security by inserting a custom header using a rewrite policy bound to your vServer. See here for details.

Note: support for the TLS_FALLBACK_SCSV to prevent protocol downgrade attacks (also an A+ prerequisite) has been built-in since 10.5.57

Copy and paste commands

1. Create a custom cipher group preferencing ECHDE ciphers.

add ssl cipher custom-ssllabs-cipher
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName SSL3-DES-CBC3-SHA

2. Unbind the DEFAULT cipher group from your vServer, and bind the custom group.
unbind ssl vserver Name_of_NetScaler_vServer -cipherName DEFAULT
bind ssl vserver Name_of_NetScaler_vServer -cipherName custom-ssllabs-cipher
bind ssl vserver Name_of_NetScaler_vServer -eccCurveName ALL

3. Allow secure renegotiation initiated by the NetScaler.
set ssl parameter -denySSLReneg FRONTEND_CLIENT

4. Create a rewrite action and policy to insert the STS header.
add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy enforce_STS true insert_STS_header

5. Bind the rewrite policy

Note this example assumes NetScaler Gateway; this line could be “bind lb vserver” or similar.

bind vpn vserver Name_of_NetScaler_vServer -policy enforce_STS -priority 100 -gotoPriorityExpression NEXT -type RESPONSE


That’s it; you will now score an “A+”.

Do remember however that is just an opinion, and we’re not necessarily recommending this for your environment, as always testing is paramount.

How does my score compare to others?

SSLLabs have published this data here.

Reading the summary for May 05, 2016 we can see that of 140,865 sites surveyed by 14.5% scored an “F”, and 6.5% (9,096) managed an “A+” — a significant improvement on last year.

Frequently asked questions

1. Should we bind a DH key?

  • Both ECDHE and DH ciphers provide PFS however DH requires considerably more computation on client and NetScaler.
  • The DHE ciphers in the custom cipher group above will remain disabled if you don’t bind a DH key. ECDHE doesn’t require one.
  • The choice of enabling EH ciphers by binding a DH key is a trade off of security vs. computation power.

2. Is there any performance impact to enabling ECDHE?

  • ECDHE performance is roughly 1/8th that of the RSA.

Citrix Mobilize Windows Banner 1_728x90-061715