Configure SSL ciphers to securely access the Management Service
You can select SSL cipher suites from the list of SSL ciphers supported by Citrix ADC SDX appliances and bind any combination of them so that the SDX Management Service is accessed securely over HTTPS. An SDX appliance provides 37 predefined cipher groups, each a combination of similar ciphers, and you can also create custom cipher groups from the list of supported SSL ciphers. Several entries in that list (NULL, export-grade, RC4, DES, MD5-based, anonymous DH and SSLv2 ciphers) exist only for backward compatibility and offer no or negligible protection; do not bind them, and do not include them in a custom group that protects the management interface.
Limitations
- Binding ciphers with key exchange = "DH" or "ECC-DHE" is not supported. In practice this excludes every DHE and ECDHE (forward-secret) cipher in the table, so only ciphers with RSA key exchange can be bound to the Management Service.
- Binding ciphers with Authentication = "DSS" is not supported.
- Binding ciphers that are not part of the supported SSL ciphers list, or including such ciphers in a custom cipher group, is not supported.
Supported SSL Ciphers
The following table lists the supported SSL ciphers. The value in the Protocol column is the lowest supported protocol. For example, if SSLv3 is listed, then SSLv3/TLSv1/TLSv1.1/TLSv1.2 are all supported. The last column gives the bulk encryption algorithm and key size in bits (the MAC is the hash named at the end of the cipher name, for example SHA, SHA256, SHA384 or MD5).
Citrix Cipher Name | OpenSSL Cipher Name | Hex Code | Protocol | Key Exchange Algorithm | Authentication Algorithm | Encryption Algorithm (key bits) |
---|---|---|---|---|---|---|
TLS1-AES-256-CBC-SHA | AES256-SHA | 0x0035 | SSLv3 | RSA | RSA | AES(256) |
TLS1-AES-128-CBC-SHA | AES128-SHA | 0x002F | SSLv3 | RSA | RSA | AES(128) |
TLS1.2-AES-256-SHA256 | AES256-SHA256 | 0x003D | TLSv1.2 | RSA | RSA | AES(256) |
TLS1.2-AES-128-SHA256 | AES128-SHA256 | 0x003C | TLSv1.2 | RSA | RSA | AES(128) |
TLS1.2-AES256-GCM-SHA384 | AES256-GCM-SHA384 | 0x009D | TLSv1.2 | RSA | RSA | AES-GCM(256) |
TLS1.2-AES128-GCM-SHA256 | AES128-GCM-SHA256 | 0x009C | TLSv1.2 | RSA | RSA | AES-GCM(128) |
TLS1-ECDHE-RSA-AES256-SHA | ECDHE-RSA-AES256-SHA | 0xC014 | SSLv3 | ECC-DHE | RSA | AES(256) |
TLS1-ECDHE-RSA-AES128-SHA | ECDHE-RSA-AES128-SHA | 0xC013 | SSLv3 | ECC-DHE | RSA | AES(128) |
TLS1.2-ECDHE-RSA-AES-256-SHA384 | ECDHE-RSA-AES256-SHA384 | 0xC028 | TLSv1.2 | ECC-DHE | RSA | AES(256) |
TLS1.2-ECDHE-RSA-AES-128-SHA256 | ECDHE-RSA-AES128-SHA256 | 0xC027 | TLSv1.2 | ECC-DHE | RSA | AES(128) |
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 | ECDHE-RSA-AES256-GCM-SHA384 | 0xC030 | TLSv1.2 | ECC-DHE | RSA | AES-GCM(256) |
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 | ECDHE-RSA-AES128-GCM-SHA256 | 0xC02F | TLSv1.2 | ECC-DHE | RSA | AES-GCM(128) |
TLS1.2-DHE-RSA-AES-256-SHA256 | DHE-RSA-AES256-SHA256 | 0x006B | TLSv1.2 | DH | RSA | AES(256) |
TLS1.2-DHE-RSA-AES-128-SHA256 | DHE-RSA-AES128-SHA256 | 0x0067 | TLSv1.2 | DH | RSA | AES(128) |
TLS1.2-DHE-RSA-AES256-GCM-SHA384 | DHE-RSA-AES256-GCM-SHA384 | 0x009F | TLSv1.2 | DH | RSA | AES-GCM(256) |
TLS1.2-DHE-RSA-AES128-GCM-SHA256 | DHE-RSA-AES128-GCM-SHA256 | 0x009E | TLSv1.2 | DH | RSA | AES-GCM(128) |
TLS1-DHE-RSA-AES-256-CBC-SHA | DHE-RSA-AES256-SHA | 0x0039 | SSLv3 | DH | RSA | AES(256) |
TLS1-DHE-RSA-AES-128-CBC-SHA | DHE-RSA-AES128-SHA | 0x0033 | SSLv3 | DH | RSA | AES(128) |
TLS1-DHE-DSS-AES-256-CBC-SHA | DHE-DSS-AES256-SHA | 0x0038 | SSLv3 | DH | DSS | AES(256) |
TLS1-DHE-DSS-AES-128-CBC-SHA | DHE-DSS-AES128-SHA | 0x0032 | SSLv3 | DH | DSS | AES(128) |
TLS1-ECDHE-RSA-DES-CBC3-SHA | ECDHE-RSA-DES-CBC3-SHA | 0xC012 | SSLv3 | ECC-DHE | RSA | 3DES(168) |
SSL3-EDH-RSA-DES-CBC3-SHA | EDH-RSA-DES-CBC3-SHA | 0x0016 | SSLv3 | DH | RSA | 3DES(168) |
SSL3-EDH-DSS-DES-CBC3-SHA | EDH-DSS-DES-CBC3-SHA | 0x0013 | SSLv3 | DH | DSS | 3DES(168) |
TLS1-ECDHE-RSA-RC4-SHA | ECDHE-RSA-RC4-SHA | 0xC011 | SSLv3 | ECC-DHE | RSA | RC4(128) |
SSL3-DES-CBC3-SHA | DES-CBC3-SHA | 0x000A | SSLv3 | RSA | RSA | 3DES(168) |
SSL3-RC4-SHA | RC4-SHA | 0x0005 | SSLv3 | RSA | RSA | RC4(128) |
SSL3-RC4-MD5 | RC4-MD5 | 0x0004 | SSLv3 | RSA | RSA | RC4(128) |
SSL3-DES-CBC-SHA | DES-CBC-SHA | 0x0009 | SSLv3 | RSA | RSA | DES(56) |
SSL3-EXP-RC4-MD5 | EXP-RC4-MD5 | 0x0003 | SSLv3 | RSA(512) | RSA | RC4(40) |
SSL3-EXP-DES-CBC-SHA | EXP-DES-CBC-SHA | 0x0008 | SSLv3 | RSA(512) | RSA | DES(40) |
SSL3-EXP-RC2-CBC-MD5 | EXP-RC2-CBC-MD5 | 0x0006 | SSLv3 | RSA(512) | RSA | RC2(40) |
SSL2-DES-CBC-MD5 | DES-CBC-MD5 | 0x0040 | SSLv2 | RSA | RSA | DES(56) |
SSL3-EDH-DSS-DES-CBC-SHA | EDH-DSS-DES-CBC-SHA | 0x0012 | SSLv3 | DH | DSS | DES(56) |
SSL3-EXP-EDH-DSS-DES-CBC-SHA | EXP-EDH-DSS-DES-CBC-SHA | 0x0011 | SSLv3 | DH(512) | DSS | DES(40) |
SSL3-EDH-RSA-DES-CBC-SHA | EDH-RSA-DES-CBC-SHA | 0x0015 | SSLv3 | DH | RSA | DES(56) |
SSL3-EXP-EDH-RSA-DES-CBC-SHA | EXP-EDH-RSA-DES-CBC-SHA | 0x0014 | SSLv3 | DH(512) | RSA | DES(40) |
SSL3-ADH-RC4-MD5 | ADH-RC4-MD5 | 0x0018 | SSLv3 | DH | None | RC4(128) |
SSL3-ADH-DES-CBC3-SHA | ADH-DES-CBC3-SHA | 0x001B | SSLv3 | DH | None | 3DES(168) |
SSL3-ADH-DES-CBC-SHA | ADH-DES-CBC-SHA | 0x001A | SSLv3 | DH | None | DES(56) |
TLS1-ADH-AES-128-CBC-SHA | ADH-AES128-SHA | 0x0034 | SSLv3 | DH | None | AES(128) |
TLS1-ADH-AES-256-CBC-SHA | ADH-AES256-SHA | 0x003A | SSLv3 | DH | None | AES(256) |
SSL3-EXP-ADH-RC4-MD5 | EXP-ADH-RC4-MD5 | 0x0017 | SSLv3 | DH(512) | None | RC4(40) |
SSL3-EXP-ADH-DES-CBC-SHA | EXP-ADH-DES-CBC-SHA | 0x0019 | SSLv3 | DH(512) | None | DES(40) |
SSL3-NULL-MD5 | NULL-MD5 | 0x0001 | SSLv3 | RSA | RSA | None |
SSL3-NULL-SHA | NULL-SHA | 0x0002 | SSLv3 | RSA | RSA | None |
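The two binding limitations above and the weak entries in this table are easy to get wrong when assembling a custom cipher group by hand. The following script is an added example (not Citrix code): it carries a subset of the table transcribed from this page, applies the page's limitations to decide what the SDX can actually bind, and then applies a hardening policy that is this example's own (not an SDX setting) to reject NULL, export, RC4, DES, 3DES, MD5 and anonymous ciphers. It also audits a proposed custom group and reports why each rejected cipher was rejected.

```python
"""Select and audit ciphers for the SDX Management Service HTTPS endpoint.

Added example, not Citrix code. SUPPORTED is a subset transcribed from the
page's table (Citrix name, OpenSSL name, hex code, minimum protocol, key
exchange, authentication, encryption). The two binding limitations come from
the page; the rules in weak_reasons() are this example's own hardening policy.
"""
import re
from typing import Dict, List, NamedTuple


class Cipher(NamedTuple):
    citrix: str
    openssl: str
    code: int
    min_proto: str
    kx: str
    auth: str
    enc: str


SUPPORTED: List[Cipher] = [
    Cipher("TLS1-AES-256-CBC-SHA", "AES256-SHA", 0x0035, "SSLv3", "RSA", "RSA", "AES(256)"),
    Cipher("TLS1-AES-128-CBC-SHA", "AES128-SHA", 0x002F, "SSLv3", "RSA", "RSA", "AES(128)"),
    Cipher("TLS1.2-AES-256-SHA256", "AES256-SHA256", 0x003D, "TLSv1.2", "RSA", "RSA", "AES(256)"),
    Cipher("TLS1.2-AES-128-SHA256", "AES128-SHA256", 0x003C, "TLSv1.2", "RSA", "RSA", "AES(128)"),
    Cipher("TLS1.2-AES256-GCM-SHA384", "AES256-GCM-SHA384", 0x009D, "TLSv1.2", "RSA", "RSA", "AES-GCM(256)"),
    Cipher("TLS1.2-AES128-GCM-SHA256", "AES128-GCM-SHA256", 0x009C, "TLSv1.2", "RSA", "RSA", "AES-GCM(128)"),
    Cipher("TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", 0xC030, "TLSv1.2", "ECC-DHE", "RSA", "AES-GCM(256)"),
    Cipher("TLS1.2-DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256", 0x009E, "TLSv1.2", "DH", "RSA", "AES-GCM(128)"),
    Cipher("TLS1-DHE-DSS-AES-128-CBC-SHA", "DHE-DSS-AES128-SHA", 0x0032, "SSLv3", "DH", "DSS", "AES(128)"),
    Cipher("SSL3-DES-CBC3-SHA", "DES-CBC3-SHA", 0x000A, "SSLv3", "RSA", "RSA", "3DES(168)"),
    Cipher("SSL3-RC4-MD5", "RC4-MD5", 0x0004, "SSLv3", "RSA", "RSA", "RC4(128)"),
    Cipher("SSL3-DES-CBC-SHA", "DES-CBC-SHA", 0x0009, "SSLv3", "RSA", "RSA", "DES(56)"),
    Cipher("SSL3-EXP-RC4-MD5", "EXP-RC4-MD5", 0x0003, "SSLv3", "RSA(512)", "RSA", "RC4(40)"),
    Cipher("TLS1-ADH-AES-256-CBC-SHA", "ADH-AES256-SHA", 0x003A, "SSLv3", "DH", "None", "AES(256)"),
    Cipher("SSL3-NULL-SHA", "NULL-SHA", 0x0002, "SSLv3", "RSA", "RSA", "None"),
]


def bindable(c: Cipher) -> bool:
    """The page's limitations: DH/ECC-DHE key exchange and DSS authentication cannot be bound."""
    return not (c.kx.startswith("DH") or c.kx == "ECC-DHE" or c.auth == "DSS")


def key_bits(enc: str) -> int:
    """'AES-GCM(256)' -> 256; 'None' -> 0."""
    m = re.search(r"\((\d+)\)", enc)
    return int(m.group(1)) if m else 0


def weak_reasons(c: Cipher) -> List[str]:
    """Hardening policy of this example (not an SDX setting); empty list means acceptable."""
    reasons = []
    if c.enc == "None":
        reasons.append("no encryption")
    if c.auth == "None":
        reasons.append("anonymous key exchange (no server authentication)")
    if c.min_proto == "SSLv2":
        reasons.append("SSLv2-only cipher")
    family = c.enc.split("(")[0]
    if family in ("RC4", "RC2", "DES"):
        reasons.append(f"{family} is broken")
    elif family == "3DES":
        reasons.append("3DES has a 64-bit block (SWEET32)")
    if c.openssl.endswith("-MD5"):
        reasons.append("MD5 MAC")
    if c.openssl.startswith("EXP-"):
        reasons.append("export cipher")
    return reasons


def recommended_group(rows: List[Cipher] = SUPPORTED) -> List[str]:
    """Bindable, non-weak ciphers, strongest first (AEAD before CBC, TLS1.2-only before SSLv3-era)."""
    ok = [c for c in rows if bindable(c) and not weak_reasons(c)]
    ok.sort(key=lambda c: ("GCM" not in c.enc, c.min_proto != "TLSv1.2", -key_bits(c.enc)))
    return [c.citrix for c in ok]


def audit_group(names: List[str], rows: List[Cipher] = SUPPORTED) -> Dict[str, List[str]]:
    """Problems per Citrix cipher name in a proposed custom group; an empty dict means the group is clean."""
    by_name = {c.citrix: c for c in rows}
    problems: Dict[str, List[str]] = {}
    for n in names:
        c = by_name.get(n)
        if c is None:
            problems[n] = ["not in the supported SSL ciphers list"]
            continue
        issues = [] if bindable(c) else ["key exchange/auth not bindable on SDX"]
        issues += weak_reasons(c)
        if issues:
            problems[n] = issues
    return problems


if __name__ == "__main__":
    print("recommended:", recommended_group())
    # A deliberately mixed proposal: one good suite, one forward-secret suite the SDX
    # cannot bind, one broken suite, one name that is not in the table.
    print(audit_group(["TLS1.2-AES128-GCM-SHA256", "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
                       "SSL3-RC4-MD5", "TLS1-BOGUS"]))
```

With the full table pasted into SUPPORTED the result is the same six RSA-key-exchange AES suites, because the page's limitations already remove every DHE/ECDHE and DSS entry; the hardening rules then remove everything that is not AES.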
Predefined cipher groups
The following table lists the predefined cipher groups provided by the SDX appliance.
Cipher Group Name | Description |
---|---|
ALL | All ciphers supported by the SDX appliance, excluding NULL ciphers |
DEFAULT | Default cipher list with encryption strength >= 128bit |
kRSA | Ciphers with Key-ex algo as RSA |
kEDH | Ciphers with Key-ex algo as Ephemeral-DH |
DH | Ciphers with Key-ex algo as DH |
EDH | Ciphers with Key-ex/Auth algo as DH |
aRSA | Ciphers with Auth algo as RSA |
aDSS | Ciphers with Auth algo as DSS |
aNULL | Ciphers with Auth algo as NULL |
DSS | Ciphers with Auth algo as DSS |
DES | Ciphers with Enc algo as DES |
3DES | Ciphers with Enc algo as 3DES |
RC4 | Ciphers with Enc algo as RC4 |
RC2 | Ciphers with Enc algo as RC2 |
NULL | Ciphers with Enc algo as NULL |
MD5 | Ciphers with MAC algo as MD5 |
SHA1 | Ciphers with MAC algo as SHA-1 |
SHA | Ciphers with MAC algo as SHA |
RSA | Ciphers with Key-ex/Auth algo as RSA |
ADH | Ciphers with Key-ex algo as DH and Auth algo as NULL |
SSLv2 | SSLv2 protocol ciphers |
SSLv3 | SSLv3 protocol ciphers |
TLSv1 | SSLv3/TLSv1 protocol ciphers |
TLSv1_ONLY | TLSv1 protocol ciphers |
EXP | Export ciphers |
EXPORT | Export ciphers |
EXPORT40 | Export ciphers with 40bit encryption |
EXPORT56 | Export ciphers with 56bit encryption |
LOW | Low strength ciphers (56bit encryption) |
MEDIUM | Medium strength ciphers (128bit encryption) |
HIGH | High strength ciphers (168bit encryption) |
AES | AES Ciphers |
FIPS | FIPS Approved Ciphers |
ECDHE | Elliptic Curve Ephemeral DH Ciphers |
AES-GCM | Ciphers with Enc algo as AES-GCM |
SHA2 | Ciphers with MAC algo as SHA-2 |
View the predefined cipher groups
To view the predefined cipher groups, on the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.
Create custom cipher groups
You can create custom cipher groups from the list of supported SSL ciphers.
To create custom cipher groups:
- On the Configuration tab, in the navigation pane, expand Management Service, and then click Cipher Groups.
- In the Cipher Groups pane, click Add.
- In the Create Cipher Group dialog box, perform the following:
- In the Group Name field, enter a name for the custom cipher group.
- In the Cipher Group Description field, enter a brief description of the custom cipher group.
- In the Cipher Suites section, click Add and select the ciphers to include from the list of supported SSL ciphers.
- Click Create.
View existing SSL cipher bindings
To view existing cipher bindings, on the Configuration tab, in the navigation pane, expand System, and then click Configure SSL Settings under System Settings.
Note: After an upgrade to the latest version of the Management Service, the list of existing cipher suites shows the OpenSSL names. Once you bind ciphers from the upgraded Management Service, the display uses the Citrix naming convention.
Bind ciphers to the HTTPS service
- On the Configuration tab, in the navigation pane, click System.
- In the System pane, under System Settings, click Configure SSL Settings.
- In the Edit Settings pane, click Cipher Suites.
- In the Cipher Suites pane, do either of the following:
- To choose a cipher group from the predefined cipher groups, select Cipher Groups, select a cipher group from the Cipher Groups list, and then click OK.
- To choose from the list of supported ciphers, select the Cipher Suites check box, click Add to select the ciphers, and then click OK.
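After binding, confirm from a client that the Management Service negotiates only what you intended; the configuration page shows what was bound, not what the listener accepts. The following script is an added example (not Citrix code). It drives `openssl s_client` against the management address once per cipher, offering exactly one suite each time, and reports expected suites that were rejected and weak suites that were still accepted. The host name, port and expected list are placeholders; OpenSSL 1.1.1 or later is assumed for the `-no_tls1_3` option, which keeps a TLS 1.3-capable client from sidestepping the `-cipher` restriction.

```python
"""Verify what the SDX Management Service actually negotiates after binding ciphers.

Added example, not Citrix code. It shells out to `openssl s_client` (OpenSSL
1.1.1 or later assumed) and compares the negotiated cipher with the group you
bound. sdx-mgmt.example.net and the expected list in __main__ are placeholders.
"""
import re
import subprocess
from typing import Callable, Dict, Iterable, List, Optional

# The 'Cipher    : NAME' line in the SSL-Session block of s_client output.
CIPHER_LINE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)

# Weak suites from the page's supported list that a hardened binding must reject (OpenSSL names).
MUST_REJECT = ["NULL-SHA", "NULL-MD5", "EXP-RC4-MD5", "RC4-MD5", "RC4-SHA", "DES-CBC-SHA",
               "DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "ADH-AES256-SHA"]


def negotiated_cipher(s_client_output: str) -> Optional[str]:
    """Cipher name from s_client output, or None when the handshake failed ('0000' / '(NONE)')."""
    m = CIPHER_LINE.search(s_client_output)
    if not m or m.group(1) in ("0000", "(NONE)"):
        return None
    return m.group(1)


def probe(host: str, port: int, openssl_name: str, timeout: float = 10.0) -> Optional[str]:
    """Offer a single suite to host:port; returns the suite if the server accepted it, else None."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
           "-cipher", openssl_name, "-no_tls1_3"]
    try:
        # Empty stdin makes s_client close right after the handshake instead of waiting for input.
        out = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return negotiated_cipher(out.stdout)


def audit_endpoint(host: str, port: int, expected: Iterable[str],
                   probe_fn: Callable[[str, int, str], Optional[str]] = probe) -> Dict[str, List[str]]:
    """{'missing': expected suites the server rejected, 'unexpected': weak suites it still accepted}.

    probe_fn is injectable so the logic can be exercised without a network.
    """
    wanted = set(expected)
    missing = [c for c in sorted(wanted) if probe_fn(host, port, c) != c]
    unexpected = [c for c in MUST_REJECT if c not in wanted and probe_fn(host, port, c) == c]
    return {"missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    # Placeholder address; the six RSA-key-exchange AES suites are the ones the page's
    # limitations leave bindable once DHE/ECDHE and DSS entries are excluded.
    report = audit_endpoint("sdx-mgmt.example.net", 443, [
        "AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA256",
        "AES128-SHA256", "AES256-SHA", "AES128-SHA",
    ])
    print(report)
```

An empty `missing` list and an empty `unexpected` list is the pass condition. Anything in `unexpected` means the bound group still contains a weak suite (or the binding did not take effect); re-check the Configure SSL Settings page rather than trusting the cipher group name alone.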