NetScaler Appliance Uses SSLv2 Even When SSLv2 is Disabled in SSL Parameter

Article ID: CTX200070

Description

The NetScaler appliance sends its Client Hello in the SSLv2-compatible format even though SSLv2 is disabled in the SSL parameters.

When the NetScaler appliance starts an SSL handshake with a back-end server, it sends the Client Hello message in the SSLv2-compatible (version 2 CLIENT-HELLO) record format. This is observed even after SSLv2 has been disabled on the SSL virtual server (only SSLv3 and TLSv1 are enabled). Some back-end application servers do not support SSLv2 at all, and so may reject a Client Hello in that format, yet the NetScaler appliance still sends it.

[Screenshot]

Resolution

To resolve this issue, upgrade to NetScaler 10.1 build 124.13nc.
Note: RFC 6176 from the Internet Engineering Task Force (IETF) prohibits SSLv2: TLS clients must not send the SSLv2-compatible CLIENT-HELLO format or request a protocol version lower than 3.0, and TLS servers must not negotiate SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.


Problem Cause

This behaviour of the NetScaler appliance is permitted by RFC 2246 (TLS 1.0) and RFC 4346 (TLS 1.1). For backward compatibility with SSLv2 servers, Appendix E of both RFCs allows a TLS client to send its Client Hello in the SSLv2 CLIENT-HELLO message format, with the version field set to the highest protocol version the client supports. The appliance is therefore not proposing SSLv2; it is using the SSLv2 message format to offer TLS 1.0.

Consider the following screenshot of the packet trace:

[Screenshot: packet trace, Client Hello in frame 101]

The packet trace in the preceding screenshot shows that frame 101, the Client Hello, is carried in the SSLv2 record-layer format, and that the Version field inside that record specifies the protocol the client actually wants to negotiate (TLS 1.0 here), not SSLv2.

Refer to the following excerpt from the RFC 4346:

client_version
The version of the TLS protocol by which the client wishes to communicate during this session. This SHOULD be the latest (highest valued) version supported by the client. For this version of the specification, the version will be 3.2. (See Appendix E for details about backward compatibility.)

With reference to the packet trace in the following screenshot, the Version field in frame 103 (the Server Hello) shows that the server has accepted the client's request to communicate in TLS 1.0 and has responded accordingly:

[Screenshot: packet trace, Server Hello in frame 103]
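The distinction the trace makes, between the record format of the Client Hello and the version it requests, is easy to see on the wire. The following added example (not NetScaler code and not from the RFCs; the function names, the constructed cipher specs 0x002F/0x0035 and the fixed challenge and random bytes are all assumptions chosen for illustration) builds one Client Hello in the SSLv2-compatible CLIENT-HELLO format of RFC 2246/4346 Appendix E and one in the TLS format of Section 7.4.1.2, both asking for TLS 1.0, then parses each to recover the format and the client_version. It also applies the RFC 6176 rule that a compliant client must not use the SSLv2 format at all, which is the check a strict back-end server would fail the appliance on:

```python
"""Parse SSLv2-compatible and TLS-format Client Hello messages and report the
version each one actually requests (added example, not NetScaler code)."""
import struct

VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}")


def parse_client_hello(data: bytes) -> dict:
    """Return the hello format and the client_version it carries.

    An SSLv2 record begins with a 2-byte header whose high bit is set (15-bit
    length follows); a TLS record begins with content type 0x16 (handshake).
    """
    if data[0] & 0x80:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + rec_len]
        if body[0] != 0x01:                      # msg_type 1 = CLIENT-HELLO
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        # V2 layout: version(2) cipher_spec_len(2) session_id_len(2) challenge_len(2)
        major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBHHH", body[1:9])
        specs = body[9:9 + cs_len]
        ciphers = [specs[i:i + 3] for i in range(0, cs_len, 3)]   # 3 bytes each
        return {"format": "SSLv2-compatible", "client_version": (major, minor),
                "version_name": version_name(major, minor),
                "cipher_specs": [c.hex() for c in ciphers]}
    if data[0] == 0x16:
        rec_major, rec_minor, rec_len = struct.unpack("!BBH", data[1:5])
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                        # handshake type 1 = client_hello
            raise ValueError("not a TLS ClientHello")
        major, minor = hs[4], hs[5]              # after type(1) + length(3)
        sid_len = hs[38]                         # after 32-byte random
        pos = 39 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        suites = hs[pos + 2:pos + 2 + cs_len]
        ciphers = [suites[i:i + 2] for i in range(0, cs_len, 2)]  # 2 bytes each
        return {"format": "TLS", "record_version": (rec_major, rec_minor),
                "client_version": (major, minor),
                "version_name": version_name(major, minor),
                "cipher_specs": [c.hex() for c in ciphers]}
    raise ValueError("unrecognised record")


def rfc6176_client_ok(data: bytes) -> bool:
    """RFC 6176: a client must not send the SSLv2-compatible CLIENT-HELLO format
    and must not request a version below 3.0."""
    info = parse_client_hello(data)
    return info["format"] == "TLS" and info["client_version"] >= (3, 0)


def build_v2_client_hello(version=(3, 1), suites=(0x002F, 0x0035),
                          challenge=bytes(range(16))):
    """SSLv2-format CLIENT-HELLO whose version field still asks for TLS 1.0."""
    specs = b"".join(struct.pack("!BH", 0, s) for s in suites)  # 00 xx yy
    body = (b"\x01" + bytes(version)
            + struct.pack("!HHH", len(specs), 0, len(challenge)) + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_client_hello(version=(3, 1), suites=(0x002F, 0x0035),
                           random_bytes=bytes(32)):
    """TLS-format ClientHello (RFC 4346 7.4.1.2) requesting the same version."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + random_bytes + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


# Constructed samples (assumed values, not captured from a NetScaler):
# the first mirrors what the unpatched appliance sends, the second is the TLS form.
NETSCALER_STYLE_HELLO = build_v2_client_hello()
TLS_STYLE_HELLO = build_tls_client_hello()

if __name__ == "__main__":
    for label, hello in (("SSLv2-format", NETSCALER_STYLE_HELLO),
                         ("TLS-format", TLS_STYLE_HELLO)):
        info = parse_client_hello(hello)
        print(f"{label:13} requests {info['version_name']}, "
              f"ciphers {info['cipher_specs']}, RFC 6176 ok: {rfc6176_client_ok(hello)}")
```

Both messages parse to client_version 3.1 (TLS 1.0), which is why the server in frame 103 can answer with a TLS 1.0 Server Hello; only the outer record format differs, and only the SSLv2-format one fails the RFC 6176 check.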

Additional Information

Refer to the following links for more information:

  • Sections 7.4.1.2 (Client Hello) and 7.4.1.3 (Server Hello) and Appendix E (backward compatibility) of RFC 4346

  • Sections 7.4.1.2 (Client Hello) and 7.4.1.3 (Server Hello) and Appendix E (backward compatibility) of RFC 2246

  • The IETF draft discussion