There are various security scanning products (freeware and commercial) which test the strength of SSL ciphers used by a NetScaler for SSL-offloading. In some cases these scanners might provide false positives for weak ciphers being allowed.
By default, an SSL-offloading virtual server (vServer) uses the DEFAULT cipher group, which includes only 128-bit and higher ciphers. However, when these vServers are scanned using some security software, a false positive for weak or export ciphers might occur.
In a typical SSL/TLS handshake, the client (or the vServer, when it acts as a client) sends a list of supported ciphers in the Client-Hello to the server. To force detection of a weak cipher, a scanner simply limits this list to a single cipher or a small set of low-strength ciphers. If the server (or NetScaler) agrees to use that cipher in the Server-Hello, the scanner declares the cipher supported. When using the DEFAULT cipher group, some scanners report that the NetScaler has agreed to use a weak or export-level cipher.
On the NetScaler, this typically occurs because the cipherRedirect option is enabled by default. This option lets the administrator redirect clients to an error page when the ciphers offered by the client are of insufficient strength (or are not allowed). This error page could also be an apology page or a list of instructions for increasing client-side security. Administrators configure the redirect target with the URL suboption of cipherRedirect.
To redirect clients to this error page, the NetScaler must first complete the SSL handshake. This means agreeing to use the low-end cipher so that the redirection can occur.
If the URL component of cipherRedirect is left blank (the default), the NetScaler responds directly to the client with a 500 Internal Server Error. The following is the actual text of the error response:
HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 510
Content-Type: text/html

<html><body><b>SSL Alert</b><p>The browser and the web-site cannot communicate securely because there are no common encryption algorithms.</p><p>Please try the following:</p><p>- Check the SSL protocol settings on the browser for SSLv3/TLSv1 protocol support.</p><p>- The secure web-site may be using high-strength encryption algorithms(128 bit).<br> Check the SSL settings on your browser, if it supports high-strength encryption algorithms.</p><p>- Upgrade your browser to latest version.</p></body></html>
At no time is actual data from the vServer passed to the client. Some high-end security scanners first test the connection using a strong cipher to take a snapshot of the web page; this snapshot is later compared against the response obtained in a session using low-strength ciphers to validate the security warning.
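The comparison just described can be reproduced by an administrator to tell a cipherRedirect false positive from a genuine weak-cipher acceptance on a NetScaler vServer. The following is an added example and not part of the original article or of any scanner product; it assumes Python's ssl module with OpenSSL cipher-string syntax, and the sample responses are constructed rather than captured.

```python
import socket
import ssl

# Marker text from the NetScaler's built-in error page quoted in the article.
REDIRECT_MARKERS = (b"SSL Alert", b"no common encryption algorithms")

# Constructed samples (not captured traffic): the article's 500 page, abbreviated, and a normal page.
WEAK_500 = (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><b>SSL Alert</b><p>The browser and the web-site cannot communicate "
            b"securely because there are no common encryption algorithms.</p></body></html>")
STRONG_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><body>Welcome to the real application</body></html>")

def probe(host, port, ciphers, path="/", timeout=5.0):
    """Handshake with the OpenSSL cipher string `ciphers`, fetch `path`, and return
    (negotiated_cipher, raw_response); (None, b"") means no cipher in the list was accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # scanner-style probe of our own vServer, not a trust check
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(ciphers)        # e.g. "LOW" or "EXPORT", if the local OpenSSL still offers them
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(b"GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
                            % (path.encode(), host.encode()))
                chunks = []
                while data := tls.recv(4096):
                    chunks.append(data)
                return tls.cipher()[0], b"".join(chunks)
    except (ssl.SSLError, OSError):
        return None, b""

def split_response(raw):
    head, _, body = raw.partition(b"\r\n\r\n")          # (status_code, body) of an HTTP/1.x reply
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, body

def classify(strong_raw, weak_raw):
    """Compare the scanner's strong-cipher snapshot with the weak-cipher reply."""
    if not weak_raw:
        return "handshake-refused"           # the weak cipher was never accepted
    status, body = split_response(weak_raw)
    if status == 500 and any(m in body for m in REDIRECT_MARKERS):
        return "cipherRedirect-error-page"   # handshake completed only to deliver the SSL Alert page
    if status in (301, 302, 303, 307, 308):
        return "cipherRedirect-url"          # client sent to the configured apology page
    if body and body == split_response(strong_raw)[1]:
        return "weak-cipher-serves-content"  # genuine finding: real vServer data over a weak cipher
    return "inconclusive"
```

Only the last outcome is a real weak-cipher exposure; the two cipherRedirect outcomes are the false positive the article describes, and the handshake-refused outcome is what a vServer with cipherRedirect disabled returns.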