Scoring an A + on SSLlabs.com with Citrix NetScaler (continuation)

Note: this post has been superseded by a new, improved version. Please click here for the latest version of my SSLlabs.com posts.

My last blog post on scoring an A+ with Qualys' excellent SSL Labs site was very popular, but as with all security matters we were shooting at a moving target, and it was not long before NetScaler started to score an "A" rather than an "A+" (exceptional).

With this blog post I'm going back into detail on how an A+ can be achieved, and thanks to the firmware update to 10.5 build 57.7 we can now achieve it on any platform: VPX, MPX and SDX. Good news indeed!

Appliance                                   Score
MPX / SDX with NS10.5-57.7                  A+
VPX (not on an SDX) with NS10.5-57.7        A+
MPX / SDX without NS10.5-57.7               A
VPX (not on an SDX) without NS10.5-57.7     C

My new "cheat sheet" for an A+

  1. Disable SSLv3

SSLv3 is considered unsafe, and with it enabled you now score only a "C".

  2. TLSv1.2 must be enabled for your vServer

Without TLSv1.2 enabled, a "B" is the highest score available. Note that from 10.5.57.7 this works on every NetScaler VPX, including those without a hardware SSL chip.

  3. RC4 ciphers must be disabled with a custom cipher list

RC4 ciphers are generally considered unsafe, and again your score is limited to a "B" without disabling them.

  4. Make your custom cipher list prefer Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, moving you from an "A-" to an "A".

Note that when you create a new cipher group through the GUI in 10.5, the ciphers you add are rearranged in reverse priority order (their order is flipped when the group is created).

Moving from A to A+

NetScaler now supports the TLS_FALLBACK_SCSV protocol extension to prevent downgrade attacks, a prerequisite for an A+ score.

  5. Ensure both your server certificate and your intermediate certificates have a secure SHA2 / SHA256 signature.
  6. Implement Strict Transport Security by inserting a custom header with a rewrite policy bound to your vServer. See here for further details.

Protected

That's it: a further 15 minutes of work to increase your security and get an A+. But remember that ssllabs.com is just one opinion, and we do not necessarily recommend all of this for your environment; as always, testing is of the utmost importance.

How does my score compare with others?

This data is published here.

Reading the summary for 7th May 2015, we can see that of the 146,462 sites surveyed by ssllabs.com, 25.3% scored an F and only 1.1% (1,625) achieved an A+, something you can now do in minutes.

Which ciphers should I use? Here's the cipher list submitted by Claus Jan Harms on my last article.

The answer depends very much on the environment, and I would recommend discussing it with your security team; I have had excellent success with this list.

  • add ssl cipher claus-cipher-list-with-GCM
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1-ECDHE-RSA-AES256-SHA
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1-ECDHE-RSA-AES128-SHA
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1-AES-256-CBC-SHA
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName TLS1-AES-128-CBC-SHA
  • bind ssl cipher claus-cipher-list-with-GCM -cipherName SSL3-DES-CBC3-SHA

Please note that SSL3-DES-CBC3-SHA, despite its name, is still usable when SSLv3 is disabled. This is the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher and is needed for IE8 on Windows XP.

Some ciphers are not fully supported on a VPX in 10.5.57.7, so here is the cipher list that I would recommend there:

  • add ssl cipher VPX-cipher-list
  • bind ssl cipher VPX-cipher-list -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
  • bind ssl cipher VPX-cipher-list -cipherName TLS1-ECDHE-RSA-AES256-SHA
  • bind ssl cipher VPX-cipher-list -cipherName TLS1-ECDHE-RSA-AES128-SHA
  • bind ssl cipher VPX-cipher-list -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
  • bind ssl cipher VPX-cipher-list -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
  • bind ssl cipher VPX-cipher-list -cipherName TLS1-AES-256-CBC-SHA
  • bind ssl cipher VPX-cipher-list -cipherName TLS1-AES-128-CBC-SHA
  • bind ssl cipher VPX-cipher-list -cipherName SSL3-DES-CBC3-SHA

After binding the cipher group to your vServer, it is important to also ensure the ECC curves needed for ECDHE are bound:

  • bind ssl vserver [vserver_name] -eccCurveName ALL
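As an added example (not from the original post and not Citrix code), here is a small Python lint for the `bind ssl cipher` and `bind ssl vserver -eccCurveName` lines shown above. It checks the cheat-sheet rules for both cipher lists: no RC4 suite bound, ECDHE suites ordered first (which also catches the GUI reverse-order issue), curves bound when ECDHE suites are present, and it flags the 3DES legacy suite kept for IE8 on XP. The embedded sample is the VPX list from this post; the `vs_web` vServer name and the deliberately broken `bad-list` group are constructed for the demo.

```python
"""Lint a NetScaler cipher-group configuration against the A+ cheat-sheet rules."""
import re
from dataclasses import dataclass

BIND_RE = re.compile(r"^bind ssl cipher (\S+) -cipherName (\S+)$")
ECC_RE = re.compile(r"^bind ssl vserver (\S+) -eccCurveName (\S+)$")

# Constructed sample: the VPX cipher list from the post plus an ECC curve binding
# for a hypothetical vServer named vs_web.
VPX_CONFIG = """
add ssl cipher VPX-cipher-list
bind ssl cipher VPX-cipher-list -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher VPX-cipher-list -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher VPX-cipher-list -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher VPX-cipher-list -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher VPX-cipher-list -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher VPX-cipher-list -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher VPX-cipher-list -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher VPX-cipher-list -cipherName SSL3-DES-CBC3-SHA
bind ssl vserver vs_web -eccCurveName ALL
"""

# Constructed bad example: RC4 bound, ECDHE at the bottom (as the 10.5 GUI
# produces), and no curve binding at all.
BAD_CONFIG = """
add ssl cipher bad-list
bind ssl cipher bad-list -cipherName SSL3-DES-CBC3-SHA
bind ssl cipher bad-list -cipherName SSL3-RC4-SHA
bind ssl cipher bad-list -cipherName TLS1-ECDHE-RSA-AES128-SHA
"""


@dataclass
class Finding:
    level: str  # FAIL caps the SSL Labs grade, WARN is a recommendation, INFO is advisory
    text: str


def parse_cipher_group(lines):
    """Return (group name, ordered cipher names, ecc curves bound?) from nsCLI lines."""
    group, ciphers, ecc_bound = None, [], False
    for raw in lines:
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            group = group or m.group(1)
            ciphers.append(m.group(2))  # bind order is the preference order
        elif ECC_RE.match(line):
            ecc_bound = True
    return group, ciphers, ecc_bound


def lint_cipher_group(lines):
    """Apply the cheat-sheet rules and return a list of Finding objects."""
    _, ciphers, ecc_bound = parse_cipher_group(lines)
    if not ciphers:
        return [Finding("FAIL", "no 'bind ssl cipher' lines found")]
    findings = []
    # Rule 3: RC4 must not be offered at all, otherwise the grade is capped at B.
    for c in ciphers:
        if "RC4" in c:
            findings.append(Finding("FAIL", f"RC4 cipher bound: {c}"))
    # Rule 4: prefer ECDHE, i.e. every ECDHE suite sits above every non-ECDHE suite.
    ecdhe_idx = [i for i, c in enumerate(ciphers) if "ECDHE" in c]
    if not ecdhe_idx:
        findings.append(Finding("WARN", "no ECDHE suites bound; ECDHE preference is what lifts A- to A"))
    else:
        first_non_ecdhe = next((i for i, c in enumerate(ciphers) if "ECDHE" not in c), len(ciphers))
        if max(ecdhe_idx) > first_non_ecdhe:
            findings.append(Finding("WARN", "ECDHE suites are not all at the top; check for the GUI reverse-order issue"))
        if not ecc_bound:
            findings.append(Finding("FAIL", "ECDHE suites bound but no '-eccCurveName' binding on the vServer"))
    # The 3DES suite is fine under TLS despite the SSL3 prefix; note why it is there.
    for c in ciphers:
        if "CBC3" in c:
            findings.append(Finding("INFO", f"{c} is TLS_RSA_WITH_3DES_EDE_CBC_SHA, kept only for IE8 on Windows XP"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("VPX-cipher-list", VPX_CONFIG), ("bad-list", BAD_CONFIG)):
        print(f"== {name}")
        for f in lint_cipher_group(cfg.splitlines()):
            print(f"{f.level:5} {f.text}")
```

Paste the output of `show ssl cipher <group>` or the relevant lines of `show ns runningConfig` in place of the constructed sample to lint a live configuration; the regexes only match the exact `bind` forms shown in this post.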

If we implement Strict Transport Security, how do we get onto the browsers' internal HSTS whitelists, or preload lists?

Strict Transport Security works by adding a header that tells the client not to use http and to communicate only over https. This prevents man-in-the-middle attacks, but only if the client has already seen the header; on the first visit to a site, an attacker who strips the SSL conversation can remove the header.

The solution is to submit your site for inclusion in the hardcoded preload lists of sites known to be https-only. You can submit to the Chrome preload list here.

This is now more useful than ever because Microsoft recently announced HSTS support, and inclusion in the Chrome preload list should carry over to IE, Firefox and Safari.
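As an added example (not part of the original post), the following Python models the first-visit gap described above and checks a Strict-Transport-Security header against the preload submission rules. The `BrowserHsts` class, the host names and the one-year minimum `max-age` are assumptions made for illustration; confirm the current submission requirements on the Chrome preload site before relying on that threshold.

```python
"""Model of how a browser applies HSTS, plus a preload-eligibility check for the header."""
import time

# Assumed threshold from the Chrome preload submission rules (confirm on the preload site).
PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds


def parse_hsts(header_value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict; None if max-age is missing/invalid."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return directives


def preload_eligible(header_value):
    """Return the reasons a header fails the preload rules; an empty list means eligible."""
    d = parse_hsts(header_value)
    if d is None:
        return ["missing or malformed max-age"]
    reasons = []
    if int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        reasons.append(f"max-age {d['max-age']} below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains missing")
    if "preload" not in d:
        reasons.append("preload directive missing")
    return reasons


class BrowserHsts:
    """Minimal model of a browser's HSTS state: a built-in preload list plus hosts learned from headers."""

    def __init__(self, preload=(), now=time.time):
        self.preload = set(preload)
        self.learned = {}  # host -> expiry timestamp
        self.now = now

    def observe_https_response(self, host, headers):
        """Record the HSTS header of a response that arrived over HTTPS. Returns True if one was learned."""
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        d = parse_hsts(value) if value else None
        if d is None:
            return False  # header absent (or stripped on a first visit): nothing is learned
        max_age = int(d["max-age"])
        if max_age == 0:
            self.learned.pop(host, None)  # max-age=0 is how a site withdraws HSTS
        else:
            self.learned[host] = self.now() + max_age
        return True

    def forces_https(self, host):
        """True if the browser would refuse plain http to this host right now."""
        if host in self.preload:
            return True
        expiry = self.learned.get(host)
        return expiry is not None and expiry > self.now()


if __name__ == "__main__":
    b = BrowserHsts(preload={"preloaded.example"})
    header = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    print("preloaded host, never visited:", b.forces_https("preloaded.example"))
    print("ordinary host, never visited: ", b.forces_https("www.example"))
    b.observe_https_response("www.example", header)
    print("ordinary host, after header:  ", b.forces_https("www.example"))
    print("preload problems:", preload_eligible("max-age=157680000"))
```

The preloaded host is protected before its first response is ever seen, while an ordinary host is only protected after one clean HTTPS response; a response whose header was stripped leaves `forces_https` false, which is exactly the window the preload list closes.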
