Configure "-denySSLReneg" Parameter to Disable Client Side and Server Side SSL Renegotiation on ADC

Article ID: CTX123680

Description

This article describes the configuration and use of the -denySSLReneg parameter, which was recently added to Citrix ADC appliance firmware and Citrix Gateway application software. The parameter controls whether the appliance accepts SSL/TLS renegotiation requests from clients, from back-end servers, or from the appliance itself.

Instructions

Run the following command from the ADC command line interface to set the -denySSLReneg parameter:
set ssl parameter -denySSLReneg <option>

The <option> value in the preceding command can be any one of the following:

  • NO: Full SSL renegotiation is allowed.
  • FRONTEND_CLIENT: Deny secure and non-secure SSL renegotiation initiated by the client.
  • FRONTEND_CLIENTSERVER: Deny secure and non-secure SSL renegotiation initiated by the client and by the ADC appliance during policy-based clientAuth.
  • ALL: Deny secure and non-secure SSL renegotiation for the preceding two cases and for server-initiated renegotiation.
  • NONSECURE: Deny non-secure SSL renegotiation to address the vulnerability described in RFC 5746.

Note: The default value is "ALL".
Note: The NONSECURE option is supported only on NetScaler software release 9.3.e, 10.x and later.
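A hardening review usually works from a saved ns.conf rather than from the live CLI, and the question is not only which value is set but which renegotiation cases that value still leaves open. The following Python script is an added example, not Citrix code and not part of this article: it reads the -denySSLReneg value from a constructed ns.conf fragment (falling back to the article's stated default of ALL when the flag is absent), expands the value into the cases the option list above describes, and reports what remains allowed. The ns.conf line format, the finding texts, and the reading that NONSECURE denies the legacy renegotiation form regardless of initiator are this script's own assumptions; the MPX-FIPS check uses the list of supported values given under "Points to Note".

```python
"""Audit a NetScaler/ADC ns.conf for the -denySSLReneg setting.

Added example, not Citrix code. Option semantics follow the article's option
list; the ns.conf parsing and finding texts are this script's assumptions.
"""
import re

# Renegotiation cases are modelled as (initiator, kind). Initiators follow the
# article: the client, the ADC itself during policy-based clientAuth, and the
# back-end server. Kind separates RFC 5746 secure renegotiation from the
# legacy non-secure form.
INITIATORS = ("client", "clientauth", "server")
KINDS = ("secure", "nonsecure")
ALL_CASES = {(i, k) for i in INITIATORS for k in KINDS}

# Constructed from the article's description of each value.
# Assumption: NONSECURE denies the legacy form whoever initiates it.
DENIED_BY_OPTION = {
    "NO": set(),
    "NONSECURE": {(i, "nonsecure") for i in INITIATORS},
    "FRONTEND_CLIENT": {("client", k) for k in KINDS},
    "FRONTEND_CLIENTSERVER": {(i, k) for i in ("client", "clientauth") for k in KINDS},
    "ALL": set(ALL_CASES),
}

# Values the article lists as supported on the MPX-FIPS platform.
MPX_FIPS_SUPPORTED = {"NO", "FRONTEND_CLIENT", "FRONTEND_CLIENTSERVER", "ALL"}

# Matches a "set ssl parameter" line and captures the -denySSLReneg value
# wherever it sits among the other flags on that line.
_RENEG_RE = re.compile(
    r"^set ssl parameter\b.*?-denySSLReneg\s+(\S+)", re.MULTILINE | re.IGNORECASE
)


def parse_deny_ssl_reneg(ns_conf: str) -> str:
    """Return the configured value, or the article's default ("ALL") when no
    set ssl parameter line specifies -denySSLReneg."""
    matches = _RENEG_RE.findall(ns_conf)
    if not matches:
        return "ALL"
    value = matches[-1].upper()  # a later line overrides an earlier one
    if value not in DENIED_BY_OPTION:
        raise ValueError(f"unknown -denySSLReneg value: {value}")
    return value


def allowed_renegotiation(option: str) -> set:
    """Renegotiation cases that remain permitted under the given option."""
    return ALL_CASES - DENIED_BY_OPTION[option.upper()]


def audit(ns_conf: str, fips: bool = False) -> dict:
    """Summarise the setting and list what a hardening review would flag."""
    option = parse_deny_ssl_reneg(ns_conf)
    allowed = allowed_renegotiation(option)
    findings = []
    if fips and option not in MPX_FIPS_SUPPORTED:
        findings.append(f"{option} is not a supported value on the MPX-FIPS platform")
    if any(kind == "nonsecure" for _, kind in allowed):
        findings.append("non-secure renegotiation (RFC 5746 issue) still allowed")
    for initiator in INITIATORS:
        if (initiator, "secure") in allowed:
            findings.append(f"{initiator}-initiated renegotiation still allowed (consider ALL)")
    return {"option": option, "allowed": sorted(allowed), "findings": findings}


# Constructed sample configs, not taken from any real appliance.
WEAK_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set ssl parameter -quantumSize 8192 -denySSLReneg FRONTEND_CLIENT -sendCloseNotify YES
"""
HARDENED_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set ssl parameter -quantumSize 8192 -denySSLReneg ALL -sendCloseNotify YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NS_CONF), ("hardened", HARDENED_NS_CONF)):
        result = audit(conf)
        print(f"{name}: -denySSLReneg {result['option']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Running the script on the two constructed fragments shows why FRONTEND_CLIENT is a partial measure: it closes the client-initiated path but leaves clientAuth-triggered and server-initiated renegotiation, including the non-secure form, in place, whereas ALL leaves no finding. Pass fips=True when reviewing an MPX-FIPS configuration so that a NONSECURE value is flagged as unsupported on that platform.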

To configure SSL parameters from ADC GUI, complete the following steps:

  1. Navigate to Traffic Management > SSL > Settings, click Change advanced SSL settings, and select the appropriate value from the Deny SSL Renegotiation drop-down list.

Points to Note

  • Currently, the MPX-FIPS platform supports only the following options:
      • NO
      • FRONTEND_CLIENT
      • FRONTEND_CLIENTSERVER
      • ALL

Issue/Introduction

This article describes the configuration and use of the -denySSLReneg parameter, which was recently added to Citrix NetScaler appliance firmware and Citrix NetScaler Gateway application software.

Additional Information

Run the following command from the command line interface to display the help for the set ssl parameter command:
> help set ssl parameter

Usage: set ssl parameter [-quantumSize <quantumSize>]
[-crlMemorySizeMB <positive_integer>] [-strictCAChecks ( YES | NO )]
[-sslTriggerTimeout <positive_integer>] [-sendCloseNotify ( YES | NO )]
[-denySSLReneg <denySSLReneg>]
where:
<quantumSize> = ( 4096 | 8192 | 16384 )
<denySSLReneg> = ( NO | FRONTEND_CLIENT | FRONTEND_CLIENTSERVER | ALL )