What new SSL features are included in NetScaler 12.0 56.20?
ECC for VPX backend
NetScaler VPX now includes support for Elliptic Curve Cryptography on backend connections. This allows the NetScaler to support ECC connections to backend servers:

ECDHE Cipher Enhancement on VPX Backend
ECDHE ciphers are now supported on VPX backend.
- ECDHE suites can give improved performance and better security.
- RFC 4492 allows ECDHE ciphers to be used with TLS1.0, TLS1.1, and TLS1.2.
- The new set of ciphers supported on VPX backend are:

4K server cert and DHE for VPX backend
NetScaler VPX now supports backend cert key sizes up to 4K, including DHE:

ChaCha20-Poly1305 Support on VPX and CPX
ChaCha20-Poly1305 is a new Authenticated Encryption with Associated Data (AEAD) cipher in TLS (RFC 7905).
- ChaCha20 - Stream Cipher - 96 bit Nonce and 256 bit Key
- Poly1305 - Authenticator - 256 bit 'One-time' Key
- Both primitives are designed for higher performance when implemented in software (CPU)
Benefits/Use Cases
- Better Performance/Faster Encryption
  - On devices that don't have specialized AES acceleration (AES-NI on x86)
  - For example, non-x86 platforms such as Android devices and wearables with ARM processors. Improves user experience, battery life, etc.
- Better Security
  - Reduces exposure (by design) to side-channel attacks such as Lucky13 (CBC mode) and to attacks on other stream ciphers such as RC4
- Wide deployment on various clients
  - Chrome browsers on Android devices moved to TLS1.2 + ChaCha-Poly in 2014.
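The following is an added example, not part of the original release notes and not Citrix code. It implements the ChaCha20 block function from RFC 8439 in pure Python to show how the 256-bit key and 96-bit nonce listed above produce the 256-bit one-time Poly1305 key, and how RFC 7905 derives a distinct nonce (and so a distinct one-time key) for every TLS record. The function names and the sample write IV are assumptions chosen for illustration; the key bytes are the RFC 8439 section 2.6.2 test-vector key.

```python
import struct

MASK32 = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"  # fixed ChaCha constant (state words 0-3)
# Four column rounds followed by four diagonal rounds (RFC 8439 section 2.3)
QUARTER_ROUNDS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def _rotl(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    # a += b; d = (d ^ a) <<< 16; c += d; b = (b ^ c) <<< 12; then again with 8 and 7
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & MASK32
        s[z] = _rotl(s[z] ^ s[x], r)

def chacha20_block(key, counter, nonce):
    """Return one 64-byte keystream block (RFC 8439 section 2.3)."""
    if len(key) != 32:
        raise ValueError("key must be 256 bits (32 bytes)")
    if len(nonce) != 12:
        raise ValueError("nonce must be 96 bits (12 bytes)")
    init = list(struct.unpack("<16I", SIGMA + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for idx in QUARTER_ROUNDS:
            _quarter_round(s, *idx)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(s, init)))

def poly1305_one_time_key(key, nonce):
    """RFC 8439 section 2.6: the first 32 bytes of block 0 key the authenticator."""
    return chacha20_block(key, 0, nonce)[:32]

def tls_record_nonce(write_iv, seq_num):
    """RFC 7905 section 2: 64-bit sequence number, zero-padded to 96 bits, XOR write IV."""
    if len(write_iv) != 12 or not 0 <= seq_num < 2 ** 64:
        raise ValueError("need a 12-byte write IV and a 64-bit sequence number")
    return bytes(a ^ b for a, b in zip(write_iv, seq_num.to_bytes(12, "big")))

if __name__ == "__main__":
    key = bytes(range(0x80, 0xA0))                        # RFC 8439 2.6.2 test key
    write_iv = bytes.fromhex("000000000001020304050607")  # constructed sample write IV
    for seq in (0, 1):  # two consecutive records: different nonce, different MAC key
        nonce = tls_record_nonce(write_iv, seq)
        print(seq, nonce.hex(), poly1305_one_time_key(key, nonce).hex())
```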
DTLS BE for MPX and VPX
DTLS for backend (i.e. DTLS client on NS) is now supported. This is currently needed for the "Double hop for Framehawk and UDP audio" feature of NetScaler Gateway.
- Use Case: VDA solution to provide secure access to Desktop in StoreFront via end-to-end DTLS.
- It is similar to TLS, except that it works over UDP instead of TCP
- 3 supported ciphers:
  - TLS_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA
  - TLS_RSA_WITH_3DES_EDE_CBC_SHA
Hybrid ECC on 14xxx MPX-FIPS platform
Hybrid-ECC feature is now available on the N3-FIPS platform (ECDHE-RSA2K).
- Hybrid ECDH Approach (CPU + Card processing)
  - Offload ECC operations to software/CPU (to configured CPU quota)
  - Additional ECC operations done on card
  - RSA Operations done on card
- Hybrid ECC Feature - Disabled by default
  - Enable by configuring "Software Crypto acceleration CPU threshold" SSL Parameter
  - E.g. "set ssl parameter -softwareCryptoThreshold 90"
New DoD CA chain support
The appliance now supports the new Department of Defense CA chain, used with CAC smart card authentication.
SSL Certificate Classification
When installing a certificate-key pair, the NetScaler is able to determine which certificate type/s these certificates should be classified as. Any certificate (whether it be Server, Client, Root, or Intermediate) that is installed with a private key can be classified and bound to a virtual server or service as both a server and client certificate. This means that the NetScaler is now able to classify certificates as more than one type.
Unknown Certificates bucket in the GUI - a new GUI enhancement allows users to see certificate-key pairs that could not be classified as Server, Client, Root, or Intermediate. These are classified as Unidentified in the CLI and can be seen in the Unknown Certificates bucket through the GUI:
