NetScaler SSL Monitor Fails When TLS 1.2 Protocol and DES_CBC_SHA Cipher is Used


Article ID: CTX202826


Description

The SSL handshake fails during the monitor probe. Disabling the DES_CBC_SHA cipher on the back-end server resolves the issue.

Resolution

To resolve this issue, upgrade to NetScaler 11.0 GA or a 10.5 60.x build.

Note: There is a bug in the current NetScaler build that causes it to offer the cipher “DES_CBC_SHA” in the Client Hello. With TLS 1.2 enabled, NetScaler should not offer “DES_CBC_SHA” in the Client Hello.


Problem Cause

As per RFC 5246, the TLS 1.2 protocol must not negotiate the DES-CBC-SHA cipher. For more information, refer to RFC 5246.
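
To confirm the condition described above from a packet capture of the monitor probe, the following added example (not part of the Citrix article and not NetScaler code) parses a Client Hello record and reports any DES_CBC_SHA suites offered alongside TLS 1.2. The function names are hypothetical, the sample record builder produces constructed data, and the example assumes the Client Hello fits in a single unfragmented TLS record.

```python
import struct

# IANA code points of the single-DES CBC/SHA suites. The article does not say
# which of them NetScaler offered, so all six are flagged (assumption).
DES_CBC_SHA_SUITES = {
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000C: "TLS_DH_DSS_WITH_DES_CBC_SHA",
    0x000F: "TLS_DH_RSA_WITH_DES_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x001A: "TLS_DH_anon_WITH_DES_CBC_SHA",
}
TLS_1_2 = 0x0303  # ClientHello.client_version for TLS 1.2


def parse_client_hello(record: bytes):
    """Return (client_version, [suite ids]) from one unfragmented TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                    # skip client_version and random
    pos += 1 + hello[pos]           # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    n = struct.unpack("!H", hello[pos:pos + 2])[0]
    raw = hello[pos + 2:pos + 2 + n]
    if len(raw) != n or n % 2:
        raise ValueError("bad cipher_suites length")
    return version, [s for (s,) in struct.iter_unpack("!H", raw)]


def des_offered_with_tls12(record: bytes):
    """Names of DES_CBC_SHA suites offered in a TLS 1.2 ClientHello."""
    version, suites = parse_client_hello(record)
    if version != TLS_1_2:
        return []
    return [DES_CBC_SHA_SUITES[s] for s in suites if s in DES_CBC_SHA_SUITES]


def build_sample_hello(version: int, suites) -> bytes:
    """Constructed sample record (zero random, no session id, no extensions)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A non-empty result from `des_offered_with_tls12` on the probe's Client Hello matches the behaviour the note above describes; an empty list after the upgrade indicates the suite is no longer offered.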
