Contact Support
  • Open or view cases
  • Chat live
  • Site feedback
Sign in
Contact Support
  • Open or view cases
  • Chat live
  • Site feedback

Customers who viewed this article also viewed
banner icon

Identify Changes in NetScaler build files with

File Integrity Monitoring

Learn More Watch Video
CTX205481 {{tooltipText}}

How Do I Setup TLS_FALLBACK_SCSV On NetScaler?

Article | Configuration Security Vulnerability | {{likeCount}} found this helpful | Created: {{articleFormattedCreatedDate}} | Modified: {{articleFormattedModifiedDate}}
download Why can't I download this file? Log in to Verify Download Permissions

Applicable Products

  • Citrix ADC

Objective

Use Case

Protect server against POODLE attack by preventing the protocol downgrade attack.

Introduction to TLS_FALLBACK_SCSV

POODLE attack is a man-in-the-middle attack in which an attacker takes advantage of the fall back behaviour of clients (including browsers) to attack servers which support SSL 3.0 and CBC encryption mode.
User-added image

Most SSL/TLS implementations are backward compatible with SSL 3.0 to interoperate with legacy systems. A POODLE attacker leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. He can trigger a connection failure and then force the use of SSL 3.0 and attempt an attack.
User-added image

To mitigate the POODLE attack, one approach is to completely disable SSL 3.0 on the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above, so disabling SSL 3.0 might not be possible. The solution to this problem is that the browsers and servers should implement TLS_FALLBACK_SCSV which makes downgrade attacks impossible. This is how it works – browsers support a downgrade mechanism in the form of Signaling Cipher Suite Value (SCSV). After a session fails during the initial handshake, the browser will retry, but attempts on version one lower than before. For example, after failing to connect to a server with the max version set to TLS 1.1, the client would retry with the max version set to TLS 1.0.  This mechanism basically ensures connectivity but lowers down the security and makes the session vulnerable.

The presence of this SCSV extension in the Client Hello indicates that the client is retrying to connect to the server by using a lower SSL version, after its previous attempt to communicate with a higher version failed. Therefore, if the server finds this extension in Client Hello and also finds that the client is proposing a version that is lower than the maximum version supported by the server, it is a likely indication of a “man in the middle attack” The server drops such handshakes.

Qualys SSL Labs, which test servers and browsers for SSL vulnerabilities, mandates a server to support TLS_FALLBACK_SCSV to get A+ rating.

Instructions

NetScaler supports TLS_FALLBACK_SCSV as an inbuilt feature from 10.5 release 57.7 build. All builds later to this (including 11.0) support this extension by default. This is applicable to all NetScaler appliances – MPX, SDX, VPX and MPX-FIPS.

Page feedback
Name is required
Cancel Submit

Featured Products

Failed to load featured products content, Please try again .

{{ getHeading('digitalWorkspaces') }}

{{ getHeading('networking') }}

View support numbers
Share this page