NetScaler to Back-End SSL Handshake Failure on Disabling SSL 3.0 on Back-End (Physical) Servers

Article ID: CTX205576
Description

NetScaler to back-end SSL handshake failure on disabling SSL 3.0 on back-end (physical) servers.

Background 

SSL 3.0 was declared insecure and deprecated by RFC 7568, published in June 2015. Application server vendors such as Oracle subsequently shipped options to stop using SSL 3.0. Some back-end servers are not merely configured to refuse SSL 3.0 but have had the SSL 3.0 code removed entirely. Such a server no longer recognises a ClientHello whose record-layer header carries version SSL 3.0 ({3,0}), so the SSL handshake fails before the server ever looks at the TLS version offered in the handshake layer. The ClientHello NetScaler sends is RFC-compliant (the record layer may carry the lowest version the client supports while the handshake layer carries the highest, TLS 1.2), but the server is not capable of processing it. Disabling SSL 3.0 on the NetScaler back-end side makes the ClientHello carry the next higher version (TLS 1.0, {3,1}) in the record layer instead.

Resolution

Configure NetScaler not to use SSL 3.0 in record layer.

Which setting applies depends on how the back-end connection is represented on NetScaler.

On an SSL service or service group, disable SSL 3.0 in the SSL Parameters. Run the following command from the NetScaler CLI:
> set ssl service <service name> -ssl3 DISABLED

OR

> set ssl servicegroup <service group name> -ssl3 DISABLED

Verify the change with "show ssl service <service name>" (or "show ssl servicegroup <service group name>"); the output should list SSLv3 as DISABLED.

On SSL Bridge, use the following nsapimgr knob to disable SSL 3.0 in the record layer. nsapimgr runs in the shell, so prefix it with "shell" when invoking it from the CLI:
> shell nsapimgr -ys monsslv3disable=1

nsapimgr settings do not survive a reboot; add the same command to /nsconfig/rc.netscaler so that it is reapplied at boot.

On dynamically learnt services (used primarily in Gateway deployments), disable SSL 3.0 on the default back-end SSL profile:
> set ssl profile ns_default_ssl_profile_backend -ssl3 DISABLED

The ns_default_ssl_profile_backend profile exists only when SSL Default Profiles are enabled. If you are not using SSL Default Profiles, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-ssloffloading/ssl-profiles1.html for how to enable and use them.

Run "save ns config" afterwards so that the service, service group and profile settings persist across a reboot.

Problem Cause

Some back-end servers configured not to use SSL 3.0 cannot handle an RFC-compliant ClientHello from NetScaler whose record-layer header carries version SSL 3.0 ({3,0}), even though the handshake layer offers TLS 1.2 as the highest supported version. RFC 5246, Appendix E.1 explicitly permits a client to place the lowest version it supports in the record layer of the ClientHello; a server that has removed SSL 3.0 support entirely rejects the record before it reads the client_version field inside it, so the handshake never reaches version negotiation.
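Added example, not part of the Citrix article: a small Python probe that reproduces the two ClientHellos at issue, TLS 1.2 offered in the handshake layer with the record-layer header set to SSL 3.0 ({3,0}) and, for comparison, TLS 1.0 ({3,1}), and reports whether the back-end answers with a ServerHello, an alert, or nothing at all. Run it from any host that can reach the back-end, before and after changing the NetScaler setting, to confirm that the server (not the network path) is the party rejecting the {3,0} record. The host, port and cipher-suite list are assumptions; the all-zero client random is a constant for reproducibility only.

```python
"""Probe how a back-end server handles a TLS 1.2 ClientHello whose record-layer
header carries SSL 3.0 ({3,0}) versus TLS 1.0 ({3,1}).

Added example; not part of the Citrix article and not NetScaler code. The
target host/port are supplied by the caller.
"""
import socket
import struct

SSL3_0 = 0x0300
TLS1_0 = 0x0301
TLS1_2 = 0x0303

HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02

# Constructed cipher-suite list (assumption): a few TLS 1.2 AEAD suites plus
# legacy suites, so both modern and old back-ends have something to pick.
CIPHER_SUITES = bytes.fromhex("c02fc030009c009d002f0035000a")

ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(record_version, handshake_version=TLS1_2, sni=None):
    """Return one TLS record holding a minimal ClientHello.

    record_version    -> version in the 5-byte record header (the field this
                         article is about)
    handshake_version -> ClientHello.client_version (highest version offered)
    """
    client_random = b"\x00" * 32           # constant for reproducibility; a real
                                           # client uses os.urandom(32)
    body = struct.pack("!H", handshake_version) + client_random
    body += b"\x00"                        # empty session_id
    body += struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
    body += b"\x01\x00"                    # one compression method: null
    if sni:                                # optional server_name extension
        name = sni.encode("idna")
        server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
        ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
        ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_record_header(data):
    """Split a 5-byte TLS record header into (content_type, version, length)."""
    if len(data) < 5:
        raise ValueError("short record header")
    return struct.unpack("!BHH", data[:5])


def classify_response(data):
    """Describe the first record a server sent back (or the lack of one)."""
    if not data:
        return ("no_response", None)
    content_type, version, _ = parse_record_header(data)
    if content_type == HANDSHAKE and len(data) > 5 and data[5] == SERVER_HELLO:
        return ("server_hello", version)
    if content_type == ALERT and len(data) >= 7:
        return ("alert", ALERT_DESCRIPTIONS.get(data[6], "alert_%d" % data[6]))
    return ("unexpected", content_type)


def probe(host, port, record_version, handshake_version=TLS1_2, sni=None, timeout=5.0):
    """Send one ClientHello and classify the reply. A server that has dropped
    SSL 3.0 entirely may answer a {3,0} record with an alert or just close."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(record_version, handshake_version, sni))
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])     # e.g. backend.example 443
    for label, version in (("record {3,0}", SSL3_0), ("record {3,1}", TLS1_0)):
        print(label, "->", probe(host, port, version, sni=host))
```

Invoke it as `python3 probe.py <backend host> <port>`. A healthy back-end returns server_hello for both records; a back-end with the problem described in this article returns an alert or no_response for the {3,0} record and server_hello for the {3,1} record, which is exactly the difference the NetScaler change produces.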
