
ECDSA cipher suites support

ECDSA cipher suites use elliptic curve cryptography (ECC). Because ECC keys are smaller than RSA keys of comparable strength, ECDSA is helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.

The following Citrix ADC appliances now support the elliptic curve digital signature algorithm (ECDSA) cipher group:

  • Citrix ADC MPX and SDX appliances with N3 chips
  • Citrix ADC MPX 5900/8900/15000/26000
  • Citrix ADC SDX 8900/15000
  • Citrix ADC VPX appliances

When the ECDHE_ECDSA cipher group is used, the server’s certificate must contain an ECDSA-capable public key.

Note: From release 12.1 build 50.x, you can create an ECDSA key in PKCS#8 format.

Example:

sh ssl cipher ECDSA
1) Cipher Name: TLS1-ECDHE-ECDSA-AES256-SHA
   Priority : 1
   Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=AES(256) Mac=SHA1 HexCode=0xc00a
2) Cipher Name: TLS1-ECDHE-ECDSA-AES128-SHA
   Priority : 2
   Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA1 HexCode=0xc009
3) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-SHA384
   Priority : 3
   Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(256) Mac=SHA-384 HexCode=0xc024
4) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-SHA256
   Priority : 4
   Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA-256 HexCode=0xc023
5) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
   Priority : 5
   Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc02c
6) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
   Priority : 6
   Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02b
7) Cipher Name: TLS1-ECDHE-ECDSA-DES-CBC3-SHA
   Priority : 7
   Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=3DES(168) Mac=SHA1 HexCode=0xc008
8) Cipher Name: TLS1-ECDHE-ECDSA-RC4-SHA
   Priority : 8
   Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=RC4(128) Mac=SHA1 HexCode=0xc007
9) Cipher Name: TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305
   Priority : 9
   Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD HexCode=0xcca9
Done
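The listing above is what an operator has to review when deciding which members of the ECDSA group belong on a virtual server. As an added example (not Citrix code, and not from this page), the following Python parses the `sh ssl cipher` record format shown above, tolerating both the one-record-per-line layout the appliance prints and a listing flattened onto a single line, and flags the entries a reviewer would want removed (RC4, 3DES) or ranked below the AEAD suites (CBC ciphers with HMAC). The sample input is the page's own nine records, embedded as a constructed string.

```python
import re

# Constructed sample: the nine records that `sh ssl cipher ECDSA` prints on
# the page, laid out one field per line as the appliance does.
SAMPLE_OUTPUT = """\
1) Cipher Name: TLS1-ECDHE-ECDSA-AES256-SHA
   Priority : 1
   Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=AES(256) Mac=SHA1 HexCode=0xc00a
2) Cipher Name: TLS1-ECDHE-ECDSA-AES128-SHA
   Priority : 2
   Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA1 HexCode=0xc009
3) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-SHA384
   Priority : 3
   Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(256) Mac=SHA-384 HexCode=0xc024
4) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-SHA256
   Priority : 4
   Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA-256 HexCode=0xc023
5) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
   Priority : 5
   Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc02c
6) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
   Priority : 6
   Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02b
7) Cipher Name: TLS1-ECDHE-ECDSA-DES-CBC3-SHA
   Priority : 7
   Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=3DES(168) Mac=SHA1 HexCode=0xc008
8) Cipher Name: TLS1-ECDHE-ECDSA-RC4-SHA
   Priority : 8
   Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=RC4(128) Mac=SHA1 HexCode=0xc007
9) Cipher Name: TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305
   Priority : 9
   Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD HexCode=0xcca9
Done
"""

# One record = index, name, priority and the Description fields. Whitespace
# between fields is matched loosely, so a record flattened onto one line
# parses exactly like the multi-line layout.
RECORD_RE = re.compile(
    r"\d+\)\s+Cipher Name:\s*(?P<name>\S+)\s+"
    r"Priority\s*:\s*(?P<priority>\d+)\s+"
    r"Description:\s*(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)\s+HexCode=(?P<hexcode>0x[0-9a-fA-F]+)"
)


def parse_cipher_listing(text):
    """Return the records of a `sh ssl cipher <group>` listing as dicts."""
    records = []
    for m in RECORD_RE.finditer(text):
        rec = m.groupdict()
        rec["priority"] = int(rec["priority"])
        records.append(rec)
    return records


# Bulk ciphers that have no place in a modern group: RC4 is prohibited for
# TLS by RFC 7465 and 3DES has a 64-bit block size.
WEAK_ENC = {"RC4", "3DES"}


def audit_ciphers(records):
    """Map each cipher name to the findings a reviewer would raise about it."""
    findings = {}
    for rec in records:
        reasons = []
        enc_alg = rec["enc"].split("(")[0]
        if enc_alg in WEAK_ENC:
            reasons.append("remove: weak bulk cipher " + enc_alg)
        if rec["mac"] != "AEAD":
            reasons.append("prefer AEAD: CBC mode with HMAC-" + rec["mac"])
        findings[rec["name"]] = reasons
    return findings


def clean_priority_order(records):
    """Names of the ciphers without findings, in their configured priority."""
    flagged = audit_ciphers(records)
    return [r["name"] for r in sorted(records, key=lambda r: r["priority"])
            if not flagged[r["name"]]]


if __name__ == "__main__":
    recs = parse_cipher_listing(SAMPLE_OUTPUT)
    for name, reasons in audit_ciphers(recs).items():
        print(f"{name:45} {'; '.join(reasons) or 'ok'}")
    print("AEAD-only order:", clean_priority_order(recs))
```

Run against the page's listing, the audit flags entries 7 and 8 for removal, marks entries 1 to 4 as CBC suites to rank below the AEAD ones, and leaves the two GCM suites and CHACHA20-POLY1305 clean.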

The following table lists the ECDSA ciphers that are supported on the Citrix ADC MPX and SDX appliances with N3 chips, Citrix ADC VPX appliances, MPX 5900/26000, and MPX/SDX 8900/15000 appliances.

| Cipher Name | Priority | Description | Key Exchange Algorithm | Authentication Algorithm | Encryption Algorithm (Key Size) | Message Authentication Code (MAC) Algorithm | HexCode |
|---|---|---|---|---|---|---|---|
| TLS1-ECDHE-ECDSA-AES128-SHA | 1 | SSLv3 | ECC-DHE | ECDSA | AES(128) | SHA1 | 0xc009 |
| TLS1-ECDHE-ECDSA-AES256-SHA | 2 | SSLv3 | ECC-DHE | ECDSA | AES(256) | SHA1 | 0xc00a |
| TLS1.2-ECDHE-ECDSA-AES128-SHA256 | 3 | TLSv1.2 | ECC-DHE | ECDSA | AES(128) | SHA-256 | 0xc023 |
| TLS1.2-ECDHE-ECDSA-AES256-SHA384 | 4 | TLSv1.2 | ECC-DHE | ECDSA | AES(256) | SHA-384 | 0xc024 |
| TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 | 5 | TLSv1.2 | ECC-DHE | ECDSA | AES-GCM(128) | SHA-256 | 0xc02b |
| TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 | 6 | TLSv1.2 | ECC-DHE | ECDSA | AES-GCM(256) | SHA-384 | 0xc02c |
| TLS1-ECDHE-ECDSA-RC4-SHA | 7 | SSLv3 | ECC-DHE | ECDSA | RC4(128) | SHA1 | 0xc007 |
| TLS1-ECDHE-ECDSA-DES-CBC3-SHA | 8 | SSLv3 | ECC-DHE | ECDSA | 3DES(168) | SHA1 | 0xc008 |
| TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305 | 9 | TLSv1.2 | ECC-DHE | ECDSA | CHACHA20/POLY1305(256) | AEAD | 0xcca9 |

Important

Use the show ns hardware command to find out if your appliance has N3 chips.

Example:

sh ns hardware
Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100
Manufactured on: 8/19/2013
CPU: 2900MHZ
Host Id: 1006665862
Serial no: ENUK6298FT
Encoded serial no: ENUK6298FT
Done

ECDSA/RSA cipher and certificate selection

You can bind both ECDSA and RSA server certificates at the same time to an SSL virtual server. When both are bound, the virtual server automatically selects the appropriate server certificate to present to the client. If the client cipher list includes RSA ciphers but no ECDSA ciphers, the virtual server presents the RSA server certificate. If both cipher types are present in the client's list, the certificate presented depends on the cipher priority set on the virtual server. That is, if RSA has a higher priority, the RSA certificate is presented; if ECDSA has a higher priority, the ECDSA certificate is presented to the client.
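The selection rule above is ordinary server-preference negotiation restricted to the certificates that are actually bound. The following Python models it so the outcome for a given virtual server configuration can be checked before changing cipher priorities; it is an added example, not Citrix code, and the cipher names are constructed following the naming scheme used on this page (the assumption is that the `-ECDSA-` token marks ECDSA authentication and the other suites used here authenticate with RSA). It also covers the failure mode the text implies but does not spell out: only an ECDSA certificate bound and a client that offers no ECDSA suite.

```python
# Constructed cipher names following the Citrix scheme used on the page
# (assumption: these are the names bound to the virtual server).
ECDSA_GCM = "TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256"
RSA_GCM = "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256"
ECDSA_CBC = "TLS1-ECDHE-ECDSA-AES128-SHA"
RSA_CBC = "TLS1-ECDHE-RSA-AES128-SHA"


def auth_algorithm(cipher_name):
    """Authentication algorithm a cipher name implies. Assumption: the
    '-ECDSA-' token marks ECDSA authentication; the other suites considered
    here authenticate with RSA."""
    return "ECDSA" if "-ECDSA-" in cipher_name else "RSA"


def select_certificate(server_priority, client_offered, bound_certs):
    """Model the certificate selection rule described above.

    server_priority: cipher names in the priority order bound to the vserver
    client_offered:  cipher names the client sends in its ClientHello
    bound_certs:     the certificate types bound, a subset of {'RSA', 'ECDSA'}
    Returns (certificate type, negotiated cipher), or None when no cipher is
    both offered by the client and usable with a bound certificate, which
    means the handshake fails.
    """
    offered = set(client_offered)
    for cipher in server_priority:          # walk in server priority order
        if cipher not in offered:
            continue                        # client did not offer it
        auth = auth_algorithm(cipher)
        if auth in bound_certs:             # need a matching certificate
            return auth, cipher
    return None


if __name__ == "__main__":
    both = {"RSA", "ECDSA"}
    # RSA ranked first on the server: RSA certificate, even though the
    # client also offers ECDSA suites.
    print(select_certificate([RSA_GCM, ECDSA_GCM], [ECDSA_GCM, RSA_GCM], both))
    # ECDSA ranked first: ECDSA certificate.
    print(select_certificate([ECDSA_GCM, RSA_GCM], [ECDSA_GCM, RSA_GCM], both))
    # Client offers RSA suites only: RSA certificate regardless of priority.
    print(select_certificate([ECDSA_GCM, RSA_GCM], [RSA_CBC, RSA_GCM], both))
    # Only an ECDSA certificate bound and the client offers no ECDSA suite:
    # nothing can be negotiated.
    print(select_certificate([ECDSA_GCM, RSA_GCM], [RSA_GCM], {"ECDSA"}))
```

The practical consequence for a migration is that binding an ECDSA certificate alongside the existing RSA one changes nothing for clients until an ECDSA suite is ranked above the RSA suites they also offer, and that removing the RSA certificate before every client population offers ECDSA suites produces handshake failures for the stragglers.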

Client authentication by using an ECDSA or an RSA certificate

For client authentication, the CA certificate bound to the virtual server can be ECDSA or RSA signed. The appliance supports a mixed certificate chain. For example, the following certificate chain is supported.

Client certificate (ECDSA) <-> CA certificate (RSA) <-> Intermediate certificate (RSA) <-> Root certificate (RSA)

Note

ECDSA certificates with only the following curves are supported:

  • prime256v1
  • secp384r1
  • secp521r1 (VPX only)
  • secp224r1 (VPX only)

Create an ECDSA certificate-key pair

You can create an ECDSA certificate-key pair directly on a Citrix ADC appliance by using the CLI or the GUI. Earlier, you could install and bind an ECC certificate-key pair on the appliance, but you had to use OpenSSL to create it.

Only P_256 and P_384 curves are supported.

Note

This support is available on all platforms except MPX 9700/1050/12500/15500.

To create an ECDSA certificate-key pair by using the CLI:

At the command prompt, type:

create ssl ecdsaKey <keyFile> -curve ( P_256 | P_384 ) [-keyform ( DER | PEM )] [-des | -des3] {-password } [-pkcs8]

Example:

create ecdsaKey ec_p256.ky -curve P_256 -pkcs8
Done
create ecdsaKey ec_p384.ky -curve P_384
Done

To create an ECDSA certificate-key pair by using the GUI:

  1. Navigate to Traffic Management > SSL > SSL Files > Keys and click Create ECDSA Key.
  2. To create a key in PKCS#8 format, select PKCS8.