Thursday, 6 February 2014

SSL and PFS on Linux and Citrix NetScaler

Over the last few days I have been doing some SSL optimization on Linux servers and NetScaler appliances. If you want to do this yourself, the first paper you should read is "Applied Crypto Hardening" from bettercrypto.org.

After implementing these best practices you can test your setup (if your server is reachable from the public internet and running on the default port 443) with Qualys' ssltest.

On Citrix NetScaler you can mitigate the risk by denying insecure SSL renegotiation:
set ssl parameter -denySSLReneg NONSECURE
You can then verify the setting:
show ssl parameter
...
        Deny SSL Renegotiation          NONSECURE
...
Don't forget to save the running configuration.
save ns config

I've decided to disable RC4 ciphers by disabling the DEFAULT cipher group and enabling the cipher group HIGH per vServer.

A side note: if you do not have an N3 chip in your NetScaler MPX you won't be able to use ECDHE. I guess this results in having no Perfect Forward Secrecy at all.
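To verify the three points above from the outside (secure renegotiation, RC4 disabled, ECDHE available), here is an added example that is not part of the original post: it grades openssl s_client transcripts and can probe a host directly. Host and port are assumptions passed on the command line; the transcript lines in the comments are the format s_client prints.

```shell
#!/bin/sh
# Added example (not from the post): grade openssl s_client transcripts for the
# three points above. HOST/PORT are assumptions taken from the command line.
# Suite from the "New, TLSv1.2, Cipher is X" line; empty if no handshake ("(NONE)").
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | grep -v '^(NONE)$'
}
# Protocol version from the same line, e.g. TLSv1.2 or TLSv1.3.
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^New, \(.*\), Cipher is .*$/\1/p'
}
# "yes" when the server announced the RFC 5746 renegotiation extension, i.e.
# what "set ssl parameter -denySSLReneg NONSECURE" enforces on a NetScaler.
secure_renegotiation() {
    if printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS supported'
    then echo yes; else echo no; fi
}
# grade DEFAULT_OUT RC4_OUT ECDHE_OUT: one transcript per probe. Prints one
# finding per line and returns the number of findings (0 = all checks passed).
grade() {
    findings=0
    # TLS 1.3 removed renegotiation, so the extension check applies only below it.
    if [ "$(negotiated_protocol "$1")" != TLSv1.3 ] &&
       [ "$(secure_renegotiation "$1")" = no ]; then
        echo 'FINDING: secure renegotiation (RFC 5746) not supported'
        findings=$((findings + 1))
    fi
    # Only a real RC4 suite counts: a TLS 1.3 client ignores -cipher and would
    # otherwise yield a false positive.
    case "$(negotiated_cipher "$2")" in *RC4*)
        echo "FINDING: RC4 accepted ($(negotiated_cipher "$2"))"
        findings=$((findings + 1)) ;;
    esac
    # TLS 1.3 always uses ephemeral key exchange, so it passes this check too.
    case "$(negotiated_protocol "$3")/$(negotiated_cipher "$3")" in
        TLSv1.3/*|*/ECDHE-*) ;;
        *) echo 'FINDING: no ECDHE suite negotiated, no forward secrecy via ECDHE'
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}
# Handshake only: stdin is closed so s_client exits right after connecting.
probe() { openssl s_client -connect "$1:$2" -cipher "$3" </dev/null 2>/dev/null; }
audit_host() {
    grade "$(probe "$1" "$2" DEFAULT)" "$(probe "$1" "$2" RC4)" "$(probe "$1" "$2" ECDHE)"
}
if [ $# -ge 1 ]; then audit_host "$1" "${2:-443}"; fi
```

Run it as `sh audit.sh your.host 443`; an OpenSSL build without RC4 support cannot offer RC4 and will simply report no RC4 finding.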

Some other useful links you might be interested in:

Credit goes to kro.hn for supplying additional useful information.

Update: Does your mail server support STARTTLS?

Update 2: How's your browser's SSL?