In order to ensure a high level of security we need to properly configure the SSL settings on NetScaler. Over the last couple of years a long list of vulnerabilities has been found in the SSL/TLS protocols and in their implementations, for instance BEAST (a weakness in TLS 1.0 CBC mode) and Heartbleed (a memory disclosure bug in OpenSSL), several of which allow an attacker to downgrade, decrypt or man-in-the-middle a connection.
With this growing list of known vulnerabilities it is difficult to keep an overview and be sure that our services are configured for the highest level of security.
Ssllabs.com (https://www.ssllabs.com/) offers a free service that lets us test our external web services for their SSL configuration. It checks for the known vulnerabilities in the SSL/TLS protocols, and it also evaluates the supported protocol versions, the cipher suites and their order, and the certificate chain.
A good practice is therefore to configure our SSL settings so that we get an A+ score on the ssllabs test. To get A+ we need to make some changes to the default SSL settings:
Let us start by disabling SSL 3 and enabling TLS 1.2 (TLS 1.0 and 1.1 stay enabled for older clients). Up until v11, the VPX could not support TLS 1.1 or 1.2, but now it can. There are two ways to enable or disable the different protocols: either using SSL profiles or defining SSL parameters directly on the vServer.
Using SSL profiles, which were covered in the previous chapter, lets us define the settings once in a frontend or backend profile and reuse them across many vServers, while SSL parameters only apply to the individual vServer they are set on.
In the SSL Profile we should set the following:
SSLv3: DISABLED
TLSv1.2: ENABLED
Deny SSL Renegotiation: NONSECURE (only renegotiation that uses the secure renegotiation extension, RFC 5746, is allowed)
Next we need to create an SSL cipher list with the ciphers we want to offer, which is easiest to do from the CLI. NetScaler uses the bind order as the server's preference order, so the strongest suites (TLS 1.2 ECDHE with AES-GCM) are bound first. The last entry, SSL3-DES-CBC3-SHA, is a 3DES suite that is only there for legacy clients that support nothing better; 3DES is considered weak today, so leave it out unless you still have to support such clients. This first example is aimed at MPX:
add ssl cipher cipher-list-mpx
bind ssl cipher cipher-list-mpx -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher cipher-list-mpx -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher cipher-list-mpx -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher cipher-list-mpx -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher cipher-list-mpx -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher cipher-list-mpx -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher cipher-list-mpx -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher cipher-list-mpx -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher cipher-list-mpx -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher cipher-list-mpx -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher cipher-list-mpx -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher cipher-list-mpx -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher cipher-list-mpx -cipherName SSL3-DES-CBC3-SHA
The second example is aimed at VPX instances, version 11:
add ssl cipher vpx11
bind ssl cipher vpx11 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher vpx11 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher vpx11 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher vpx11 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher vpx11 -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher vpx11 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher vpx11 -cipherName SSL3-DES-CBC3-SHA
Now, to apply this to an SSL vServer, we attach the SSL profile and bind the cipher list we created (removing the DEFAULT cipher group so that the weaker default suites are no longer offered), as shown in the next screenshot:
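The same steps from the NetScaler CLI, as an added example that is not from the original page. The profile, vServer and file names (ssl_prof_frontend, lb_vsrv_web, dhparam2048.pem) are assumed; the cipher list name cipher-list-mpx is the one created above. The DH parameter step is included because the DHE-* suites in the list are only negotiated once a DH parameter file is configured.

```nscli
# Added example (not from the original page). Names ssl_prof_frontend,
# lb_vsrv_web and dhparam2048.pem are assumptions; replace with your own.

# 1. Front-end SSL profile: SSL 3 off, TLS 1.0-1.2 on, only secure (RFC 5746)
#    renegotiation accepted.
add ssl profile ssl_prof_frontend -sslProfileType FrontEnd -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED -denySSLReneg NONSECURE

# 2. DHE-* ciphers are skipped by the appliance unless a DH parameter file is
#    configured. Use 2048 bits; 1024-bit DH is flagged as weak (Logjam).
create ssl dhparam dhparam2048.pem 2048
set ssl profile ssl_prof_frontend -dh ENABLED -dhFile /nsconfig/ssl/dhparam2048.pem

# 3. Attach the profile to the HTTPS vServer and replace the DEFAULT cipher
#    group with the ordered list created earlier.
set ssl vserver lb_vsrv_web -sslProfile ssl_prof_frontend
unbind ssl vserver lb_vsrv_web -cipherName DEFAULT
bind ssl vserver lb_vsrv_web -cipherName cipher-list-mpx

# 4. Verify what the vServer now offers before running the ssllabs test.
show ssl vserver lb_vsrv_web
```

Run `save ns config` afterwards so the change survives a reboot. On newer firmware (11.1 and later) where the default SSL profile has been enabled with `set ssl parameter -defaultProfile ENABLED`, ciphers are bound to the profile instead of to the vServer (`bind ssl profile ssl_prof_frontend -cipherName cipher-list-mpx -cipherPriority 1`).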
The last piece of the puzzle is to enable HTTP Strict Transport Security (HSTS). HSTS is a policy mechanism that complements HTTPS: a site sends a Strict-Transport-Security response header, and a browser that has seen it will, for the given max-age, only contact the site over HTTPS and will refuse to let the user click through certificate errors.
The way to enable this is by using a rewrite policy. Create a new rewrite action with the following values:
Name: a name for the action
Type: INSERT_HTTP_HEADER
Header Name: Strict-Transport-Security
Expression: "max-age=157680000" (the quotes are part of the expression, since the header value is given as a string literal; 157680000 seconds is five years)
Next we create a rewrite policy that binds the action to a policy. The important part here is that we use the expression true, which means that every response will have this rewrite policy applied.
After we have created the policy we need to bind it as a response policy to the HTTPS vServer we want it enabled for.
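The HSTS rewrite configuration from the NetScaler CLI, as an added example that is not from the original page. The action, policy and vServer names (rw_act_hsts, rw_pol_hsts, lb_vsrv_web) are assumptions; the header name and max-age value are the ones given above.

```nscli
# Added example (not from the original page). rw_act_hsts, rw_pol_hsts and
# lb_vsrv_web are assumed names.

# Action: insert the header into responses. The header value is a string
# literal, so its quotes must be escaped inside the outer quotes.
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=157680000\""

# Alternative value if every subdomain is also served over HTTPS only
# (it binds the policy to ALL subdomains, including ones not behind this box):
#   "\"max-age=157680000; includeSubDomains\""

# Policy: the expression true matches every response.
add rewrite policy rw_pol_hsts true rw_act_hsts

# Bind as a RESPONSE policy on the HTTPS vServer only. Browsers ignore a
# Strict-Transport-Security header received over plain HTTP (RFC 6797).
bind lb vserver lb_vsrv_web -policyName rw_pol_hsts -priority 100 -gotoPriorityExpression END -type RESPONSE

# Check from a client that the header is really emitted, e.g.:
#   curl -sI https://www.example.com/ | grep -i strict-transport-security
```

Start with a short max-age while testing: once a browser has cached the policy it will refuse plain HTTP to the site until the max-age expires, so a misconfigured certificate becomes a hard failure rather than a warning.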