Citrix ADC

Configure user-defined cipher groups on the ADC appliance

A cipher group is a set of cipher suites that you bind to an SSL virtual server, service, or service group on the Citrix ADC appliance. A cipher suite comprises a protocol, a key exchange (Kx) algorithm, an authentication (Au) algorithm, an encryption (Enc) algorithm, and a message authentication code (Mac) algorithm. Your appliance ships with a predefined set of cipher groups. When you create an SSL service or SSL service group, the ALL cipher group is automatically bound to it. However, when you create an SSL virtual server or a transparent SSL service, the DEFAULT cipher group is automatically bound to it. In addition, you can create a user-defined cipher group and bind it to an SSL virtual server, service, or service group.

Note: If your MPX appliance does not have any licenses, then only the EXPORT cipher is bound to your SSL virtual server, service, or service group.

To create a user-defined cipher group, first create the cipher group and then bind ciphers or cipher groups to it. If you specify a cipher alias or a cipher group, all the ciphers in the cipher alias or group are added to the user-defined cipher group. You can also add individual ciphers (cipher suites) to a user-defined group. However, you cannot modify a predefined cipher group. Before removing a cipher group, unbind all the cipher suites in the group.

Binding a cipher group to an SSL virtual server, service, or service group appends the ciphers to the ciphers that are already bound to the entity. To bind only a specific cipher group to the entity, you must first unbind the ciphers or cipher group that is bound to the entity, and then bind the specific cipher group. For example, to bind only the AES cipher group to an SSL service, you perform the following steps:

  1. Unbind the cipher group ALL that is bound by default to the service when the service is created.

    unbind ssl service <serviceName> -cipherName ALL
  2. Bind the AES cipher group to the service.

    bind ssl service <serviceName> -cipherName AES

    If you want to bind the cipher group DES in addition to AES, at the command prompt, type:

    bind ssl service <serviceName> -cipherName DES

Note: The free Citrix ADC virtual appliance supports only the DH cipher group.

Configure a user-defined cipher group by using the CLI

At the command prompt, type the following commands to add a cipher group, or to add ciphers to a previously created group, and verify the settings:

add ssl cipher <cipherGroupName>
bind ssl cipher <cipherGroupName> -cipherName <cipherName>
show ssl cipher <cipherGroupName>

Example:

add ssl cipher test
Done
bind ssl cipher test -cipherName ECDHE
Done
sh ssl cipher test
1) Cipher Name: TLS1-ECDHE-RSA-AES256-SHA Priority : 1
     Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA1 HexCode=0xc014
2) Cipher Name: TLS1-ECDHE-RSA-AES128-SHA Priority : 2
     Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA1 HexCode=0xc013
3) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384 Priority : 3
     Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384 HexCode=0xc028
4) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256 Priority : 4
     Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256 HexCode=0xc027
5) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 5
     Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc030
6) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 Priority : 6
     Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02f
7) Cipher Name: TLS1-ECDHE-ECDSA-AES256-SHA Priority : 7
     Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=AES(256) Mac=SHA1 HexCode=0xc00a
8) Cipher Name: TLS1-ECDHE-ECDSA-AES128-SHA Priority : 8
     Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA1 HexCode=0xc009
9) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-SHA384 Priority : 9
     Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(256) Mac=SHA-384 HexCode=0xc024
10) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-SHA256 Priority : 10
     Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA-256 HexCode=0xc023
11) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 Priority : 11
     Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc02c
12) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 Priority : 12
     Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02b
13) Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA Priority : 13
     Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=3DES(168) Mac=SHA1 HexCode=0xc012
14) Cipher Name: TLS1-ECDHE-ECDSA-DES-CBC3-SHA Priority : 14
     Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=3DES(168) Mac=SHA1 HexCode=0xc008
15) Cipher Name: TLS1-ECDHE-RSA-RC4-SHA Priority : 15
     Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=RC4(128) Mac=SHA1 HexCode=0xc011
16) Cipher Name: TLS1-ECDHE-ECDSA-RC4-SHA Priority : 16
     Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=RC4(128) Mac=SHA1 HexCode=0xc007
17) Cipher Name: TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 Priority : 17
     Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD HexCode=0xcca8
18) Cipher Name: TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305 Priority : 18
     Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD HexCode=0xcca9
Done
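The listing above is worth auditing rather than just confirming: binding the ECDHE alias pulls RC4, 3DES and SHA1-HMAC suites into the group alongside the AEAD ones. The following Python is an added example, not Citrix code; it parses output in the format `show ssl cipher <cipherGroupName>` prints (the two-line "Cipher Name ... / Description: Kx= Au= Enc= Mac= HexCode=" entries) and flags suites a modern baseline would reject. The sample entries are constructed from the listing above.

```python
import re

# Constructed sample in the format that `show ssl cipher <cipherGroupName>`
# prints on the ADC; entries copied from the ECDHE listing on this page.
SAMPLE_OUTPUT = """\
5) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 5
     Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc030
13) Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA Priority : 13
     Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=3DES(168) Mac=SHA1 HexCode=0xc012
15) Cipher Name: TLS1-ECDHE-RSA-RC4-SHA Priority : 15
     Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=RC4(128) Mac=SHA1 HexCode=0xc011
Done
"""

# One suite spans two lines: the "Cipher Name ... Priority" line and the
# "Description: <proto> Kx= Au= Enc= Mac= HexCode=" line that follows it.
ENTRY_RE = re.compile(
    r"\d+\)\s+Cipher Name:\s+(?P<name>\S+)\s+Priority\s*:\s*(?P<prio>\d+)\s*\n"
    r"\s*Description:\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)\s+HexCode=(?P<hex>0x[0-9a-fA-F]+)"
)

def parse_cipher_group(text):
    """Return one dict (name, prio, proto, kx, au, enc, mac, hex) per suite."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def weak_reasons(entry):
    """Why a parsed suite would fail a modern baseline; empty list if it passes."""
    reasons = []
    if entry["enc"].startswith("RC4"):
        reasons.append("RC4 stream cipher")
    if entry["enc"].startswith("3DES"):
        reasons.append("3DES (64-bit block)")
    if entry["mac"] == "SHA1":
        reasons.append("SHA1 HMAC (non-AEAD)")
    return reasons

def audit(text):
    """Map cipher name -> reasons, for every suite in the listing that has any."""
    flagged = {}
    for entry in parse_cipher_group(text):
        reasons = weak_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged
```

Feed it the full `sh ssl cipher test` output and each flagged name is a candidate for `unbind ssl cipher test -cipherName <cipherName>` before the group is bound to a virtual server.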

Unbind ciphers from a cipher group by using the CLI

At the command prompt, type the following commands to unbind ciphers from a user-defined cipher group, and verify the settings:

show ssl cipher <cipherGroupName>
unbind ssl cipher <cipherGroupName> -cipherName <cipherName>
show ssl cipher <cipherGroupName>

Remove a cipher group by using the CLI

Note: You cannot remove a built-in cipher group. Before removing a user-defined cipher group, make sure that the cipher group is empty.

At the command prompt, type the following commands to remove a user-defined cipher group, and verify the configuration:

rm ssl cipher <cipherGroupName> [<cipherGroupName> ...]
show ssl cipher <cipherGroupName>

Example:

rm ssl cipher test
Done
sh ssl cipher test
ERROR: No such resource [cipherGroupName, test]

Configure a user-defined cipher group by using the GUI

Navigate to Traffic Management > SSL > Cipher Groups, and configure a cipher group.

To bind a cipher group to an SSL virtual server, service, or service group by using the CLI:

At the command prompt, type one of the following:

bind ssl vserver <vServerName> -cipherName <cipherGroupName>
bind ssl service <serviceName> -cipherName <cipherGroupName>
bind ssl serviceGroup <serviceGroupName> -cipherName <cipherGroupName>

Example:

bind ssl vserver ssl_vserver_test -cipherName test
Done
bind ssl service nshttps -cipherName test
Done
bind ssl servicegroup ssl_svc -cipherName test
Done

To bind a cipher group to an SSL virtual server, service, or service group by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.

    For a service, replace virtual servers with services. For a service group, replace virtual servers with service groups.

    Open the virtual server, service, or service group.

  2. In Advanced Settings, select SSL Ciphers.

  3. Bind a cipher group to the virtual server, service, or service group.

Binding individual ciphers to an SSL virtual server or service

You can also bind individual ciphers, instead of a cipher group, to a virtual server or service.

To bind a cipher by using the CLI:

At the command prompt, type:

bind ssl vserver <vServerName> -cipherName <cipherName>
bind ssl service <serviceName> -cipherName <cipherName>

Example:

bind ssl vserver v1 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
Done
bind ssl service sslsvc -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
Done

To bind a cipher to an SSL virtual server by using the GUI:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Select an SSL virtual server and click Edit.
  3. In Advanced Settings, select SSL Ciphers.
  4. In Cipher Suites, select Add.
  5. Search for the cipher in the available list and click the arrow to add it to the configured list.
  6. Click OK.
  7. Click Done.

To bind a cipher to an SSL service, repeat the preceding steps after replacing virtual server with service.
