How Do I Remove Legacy Ciphers (SSL2, SSL3, DES, 3DES, MD5 and RC4) on NetScaler?

Article ID: CTX205480

Description

This article describes how to remove legacy ciphers (SSL2, SSL3, DES, 3DES, MD5 and RC4) on NetScaler.

Use case

  • Ramesh wants to interact with web servers (some arbitrary, some known) through a web browser in a secure fashion, free from security attacks. Recent attacks on weaker ciphers in the SSL layer have rendered those ciphers useless, so Ramesh wants to ensure that he is not using them.
  • Banking.com wants to host web servers that people like Ramesh can use in a secure fashion, free from security threats.

Background

Secure transfer of data between the client and server is facilitated by Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL). They are not only used by websites that use the HTTP protocol but also by a wide variety of other services, including e-mail, chat applications, FTP applications and Virtual Private Networks (VPN).

The choice of ciphers has become critical because the ciphers ensure the safety of the data exchanged between client and server. Choosing them wrongly brings a false sense of security: when the ciphers used for secure communication include outdated ones that are prone to different kinds of attacks, intruders can decrypt or gain access to sensitive information.

Key points to consider while securing the SSL layer:

  • SSL 2.0 and SSL 3.0 should be disabled
  • Weak ciphers like DES, 3DES, RC4 or MD5 should not be used

Instructions

This article is divided into the following sections:

  • Remove Legacy Ciphers that Use SSL3, DES, 3DES, MD5 and RC4 (from a cipher group, or from an SSL profile)
  • Disable SSL2.0 and SSL3.0 on NetScaler (on a vserver, on a SNIP, and on the NetScaler management interface)

Remove Legacy Ciphers that Use SSL3, DES, 3DES, MD5 and RC4

Legacy ciphers that use SSL3, DES, 3DES, MD5 and RC4 can be removed from NetScaler in two ways: either from the cipher group or from the SSL profile.

Remove Legacy Ciphers SSL3, DES, 3DES, MD5 and RC4 from cipher group

Complete the following steps to remove SSL3, DES, 3DES, MD5 and RC4:

  1. Configuration tab > Traffic Management > SSL > Cipher Groups.

  2. Select the DEFAULT cipher group > click Add.

    Edit the Cipher Group Name to anything other than "Default".

    Check the cipher list of the group for SSL3, DES, 3DES, MD5 and RC4 ciphers and remove them from the group.

  3. Click Create. You now have the list of ciphers from the default cipher group without the legacy ciphers.

Remove Legacy Ciphers SSL3, DES, 3DES, MD5 and RC4 from SSL Profile

  1. Configuration tab > System > Profiles > SSL Profile tab > <profile name to be modified> > Edit.

  2. Select SSL Ciphers > Add > Select Cipher > uncheck the SSL3, DES, MD5 and RC4 ciphers > move the selected ones under Configured.

  3. After moving the list of ciphers to Configured, select OK and save the configuration.

    After the above steps, the SSL profile will not have any legacy ciphers.
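Both procedures above (the cipher group and the SSL profile) apply the same selection rule: drop every cipher whose name carries SSL3, DES, 3DES, MD5 or RC4. The following Python script is an added example, not code from the article or from Citrix, that applies that rule to a list of cipher names and emits the CLI equivalent of building a new, non-Default group from what remains. The sample cipher list is constructed and only modeled on NetScaler's naming scheme, and the `add ssl cipher` / `bind ssl cipher -cipherName` syntax and the group name NO_LEGACY are assumptions to check against the command reference for your release.

```python
"""Filter a NetScaler cipher list the way the GUI steps above do it.

Added example, not Citrix code. The cipher names below are a constructed
sample modeled on NetScaler's naming scheme; the CLI syntax is an assumption.
"""

# Name fields that mark a cipher as legacy per the article. NetScaler spells
# 3DES as "DES-CBC3", so the DES field covers both single and triple DES.
LEGACY_FIELDS = frozenset({"SSL3", "DES", "RC4", "MD5"})

# Constructed sample standing in for the DEFAULT cipher group listing.
SAMPLE_DEFAULT_GROUP = [
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-AES-256-SHA256",
    "TLS1-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA",
    "SSL3-DES-CBC3-SHA",   # 3DES
    "SSL3-RC4-SHA",
    "SSL3-RC4-MD5",
    "SSL3-DES-CBC-SHA",    # single DES
    "SSL3-EXP-RC4-MD5",    # export-grade RC4
]


def is_legacy(cipher_name: str) -> bool:
    """True when any dash-separated field of the name is a legacy marker.

    Matching whole fields rather than substrings keeps fields such as
    'SHA256' or 'AES128' from being confused with the markers.
    """
    return not LEGACY_FIELDS.isdisjoint(cipher_name.upper().split("-"))


def split_group(ciphers):
    """Return (keep, remove) lists, preserving the original order."""
    keep = [c for c in ciphers if not is_legacy(c)]
    remove = [c for c in ciphers if is_legacy(c)]
    return keep, remove


def new_group_commands(group_name: str, keep):
    """CLI equivalent (assumed syntax) of creating a group that holds only the
    kept ciphers. The article requires a name other than Default, so that is
    enforced here."""
    if group_name.strip().lower() == "default":
        raise ValueError("new cipher group must not be named Default")
    cmds = [f"add ssl cipher {group_name}"]
    cmds += [f"bind ssl cipher {group_name} -cipherName {c}" for c in keep]
    return cmds


if __name__ == "__main__":
    kept, removed = split_group(SAMPLE_DEFAULT_GROUP)
    print("removed:", ", ".join(removed))
    for cmd in new_group_commands("NO_LEGACY", kept):
        print(cmd)
```

Run it against the cipher names shown in your own DEFAULT group listing; the removed list is what the GUI steps have you untick, and the kept list is what ends up in the new group.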

Disable SSL2.0 and SSL3.0 on NetScaler

To completely disable SSL2.0 and SSL3.0 on NetScaler, you have to disable them on the NetScaler virtual server, on the SNIP and on the NetScaler management interface.

Disable SSL 3.0/2.0 on a vserver

The following commands disable SSL 3.0 and SSL 2.0 on a vserver (here the vserver named vpn):
> set ssl vserver vpn -ssl3 DISABLED
> set ssl vserver vpn -ssl2 DISABLED

Disable SSL 3.0/2.0 on SNIP

To disable SSL 3.0/2.0 for a SNIP, first identify the internal services on that IP using the following command:
> show service -internal | grep <IP>

Internal services reside inside NetScaler and take action on behalf of NetScaler. For example, the internal service nshttps-<SNIP IP Address>-443 serves SSL connections for the SNIP on NetScaler.

Using the internal service name for the IP, SSL 3.0/2.0 can be disabled with the following commands:
> set ssl service <internal service name for that ip> -ssl3 DISABLED
> set ssl service <internal service name for that ip> -ssl2 DISABLED

Disable SSL 3.0/2.0 on NetScaler Management Interface

"nshttps-127.0.0.1-443" is the service running on the NetScaler Management Interface.
> show service -internal | grep nshttps-127.0.0.1-443

Using the following commands, SSL2.0 and SSL3.0 can be disabled on older versions of ADC. Replace NSIP in the last command with the NSIP of the device. However, if you receive "Warning: Operation not permitted. Use set ssl profile for setting these parameters", follow the alternate commands instead:
> set ssl service nshttps-127.0.0.1-443 -ssl2 DISABLED
> set ssl service nshttps-127.0.0.1-443 -ssl3 DISABLED

> set ssl service nshttps-NSIP-443 -ssl3 DISABLED

Alternate commands:
> add ssl profile no_SSL3_TLS1 -ssl3 DISABLED -tls1 DISABLED
> set ssl service nshttps-127.0.0.1-443 -sslProfile no_SSL3_TLS1
> set ssl service nshttps-NSIP-443 -sslProfile no_SSL3_TLS1
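
The SNIP and management-interface steps above come down to finding the nshttps-<IP>-443 internal service names in the output of `show service -internal` and running the same two `set ssl service` commands against each, falling back to the profile-based commands on builds that answer "Operation not permitted". The following Python script is an added example, not code from the article or from Citrix, that does exactly that from a captured listing. The listing is a constructed sample (real `show service -internal` output may be laid out differently, which is why only the service-name pattern from the article is relied on), and the profile path reproduces the article's alternate commands as given, including the fact that the no_SSL3_TLS1 profile also sets -tls1 DISABLED and therefore turns off TLS 1.0 as well.

```python
"""Find nshttps internal services and emit the SSL 2.0/3.0 commands from the
article. Added example, not Citrix code. The listing is a constructed sample;
only the nshttps-<IP>-443 name pattern stated in the article is relied on.
"""
import re

# Internal HTTPS service names follow the pattern given in the article.
NSHTTPS_RE = re.compile(r"\bnshttps-(\d{1,3}(?:\.\d{1,3}){3})-443\b")

# Constructed sample of 'show service -internal' output (not real device output).
SAMPLE_LISTING = """\
1)  nshttp-127.0.0.1-80 (127.0.0.1:80) - HTTP  State: UP
2)  nshttps-127.0.0.1-443 (127.0.0.1:443) - SSL  State: UP
3)  nshttps-192.0.2.10-443 (192.0.2.10:443) - SSL  State: UP
4)  nshttps-192.0.2.20-443 (192.0.2.20:443) - SSL  State: UP
"""


def find_nshttps_services(listing, ip=None):
    """Return the nshttps-<IP>-443 service names found in the listing,
    optionally only those for one IP (the article's 'grep <IP>' step)."""
    names = []
    for line in listing.splitlines():
        m = NSHTTPS_RE.search(line)
        if m and (ip is None or m.group(1) == ip):
            names.append(m.group(0))
    return names


def disable_ssl2_ssl3_commands(services, profile_required=False,
                               profile_name="no_SSL3_TLS1"):
    """Commands from the article for the given internal services.

    Older builds accept the per-service -ssl2/-ssl3 flags. A build that answers
    'Operation not permitted. Use set ssl profile ...' needs the profile-based
    alternative; as in the article, that profile also carries -tls1 DISABLED.
    """
    if profile_required:
        cmds = [f"add ssl profile {profile_name} -ssl3 DISABLED -tls1 DISABLED"]
        cmds += [f"set ssl service {s} -sslProfile {profile_name}"
                 for s in services]
        return cmds
    cmds = []
    for s in services:
        cmds.append(f"set ssl service {s} -ssl2 DISABLED")
        cmds.append(f"set ssl service {s} -ssl3 DISABLED")
    return cmds


if __name__ == "__main__":
    # Management interface (127.0.0.1) plus one SNIP from the constructed sample.
    targets = (find_nshttps_services(SAMPLE_LISTING, "127.0.0.1")
               + find_nshttps_services(SAMPLE_LISTING, "192.0.2.10"))
    for cmd in disable_ssl2_ssl3_commands(targets):
        print(cmd)
    print("--- if the build requires SSL profiles ---")
    for cmd in disable_ssl2_ssl3_commands(targets, profile_required=True):
        print(cmd)
```

Paste your own `show service -internal` output into the listing and pass the SNIP you are hardening; the per-service commands are the ones to try first, and the profile output is what to use only after the warning quoted above appears.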
