Contact Support
  • Open or view cases
  • Chat live
  • Site feedback
Sign in
Contact Support
  • Open or view cases
  • Chat live
  • Site feedback

Customers who viewed this article also viewed
banner icon

Identify Changes in NetScaler build files with

File Integrity Monitoring

Learn More Watch Video
CTX205288 {{tooltipText}}

How Do I Block SSLv2 on NetScaler?

Article | How To / General Question Configuration Security Vulnerability | {{likeCount}} found this helpful | Created: {{articleFormattedCreatedDate}} | Modified: {{articleFormattedModifiedDate}}
download Why can't I download this file? Log in to Verify Download Permissions

Applicable Products

  • Citrix ADC

Objective

This article describes how to block SSLv2 on NetScaler.
Note: According to RFC6176 from Internet Engineering Task Force (ITEF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

Use Case

SSL v2 protocol has many security vulnerabilities which makes it essential for a user to disable it and opt for stronger and more secure protocols such as TLS v1.1 / v1.2.

Introduction to SSL v2

SSL v2 (SSL 2.0) is a protocol created by Netscape in 1994. It was identified with many security vulnerabilities many of which were later resolved in SSL v3, which as well is impacted by security vulnerabilities.

Here is a list of some of the flaws in SSL v2:

  1. SSL v2 has a weak MAC (message authentication code) construction which uses 40 bit of encryption in export mode. It uses the MD5 hash function which makes it vulnerable to length extension attacks wherein an attacker can delete bytes from the end of messages.
  2. It is vulnerable to cipher suite attack as the handshake messages are not protected. In this attack, the attacker edits the list of cipher suite preferences to a lower cipher suite without any detection (in the hello messages). This forces the client and server to agree upon a weaker form of encryption than they otherwise would have chosen.
  3. Message authentication and message encryption use the same key. This can lead to a problem if the client and server negotiate a weak encryption
  4. Session terminated can be forged.  A man-in-the-middle attacker can easily insert a TCP FIN to terminate the session. The receiving endpoint is unable to determine whether it is a legitimate end of session request or not thus resulting in an unwanted termination.
  5. SSL v2 does not follow chain certificate and does not support non-RSA algorithm. It only supports RSA key exchange which may not be the preferred option in many cases
  6. SSL v2 only supports one domain certificate with a single service. This is not a preferable option as it would not support virtual hosting for web servers.

Instructions

Configuration Steps for disabling SSL v2:

On NetScaler CLI
To disable SSL v2 on a particular virtual server, execute the following command:
set ssl vserver <vservername> -ssl2 disabled

User-added image

On NetScaler GUI
Go to Traffic Management > Load Balancing > Virtual Severs > Select the virtual server > Edit > SSL Parameters > Disable SSL v2 in the list of SSL protocols
Note: In latest releases of NetScaler, SSL v2 is disabled by default. Ensure that you keep it in disabled.

User-added image

Page feedback
Name is required
Cancel Submit

Featured Products

Failed to load featured products content, Please try again .

{{ getHeading('digitalWorkspaces') }}

{{ getHeading('networking') }}

View support numbers
Share this page