Tech Paper: Networking SSL / TLS Best Practices
Overview
This Tech Paper aims to convey what someone skilled in ADC would configure as a generic implementation to receive an A+ grade atQualys SSL Labs.
Qualys SSL Labs performs a robust series of tests and provides a scorecard that you can use to improve your configuration. The scan is free and only takes about a minute to complete.
Qualys actively develops SSL Labs. Tests are likely to change as new protocols are created and vulnerabilities found. It is good practice to test sites regularly to make sure that any new vulnerabilities are not exposed.
Note:说话哟ur security team about your deployment. Security experts say SSL Labs A+ is a good general target, but it may not fit the needs of your organization.
Configuration Items that Need to be Validated
- Certificates- Is the full chain provided and trusted? Is the signature algorithm secure?
- Protocols, Keys and Cipher Support- Which SSL and TLS protocol versions are supported? Which cipher suites are preferred and in what order? Do the provided cipher suites support forward secrecy?
- TLS Handshake Simulation- Determines which protocol and cipher are negotiated by several different clients and browsers
- Protocol Details- Is Secure Renegotiation supported? Is strict transport security (HSTS) supported?
- Known Vulnerabilities- Is the server vulnerable to attacks such as POODLE, BEAST, or TLS downgrade?
Once SSL Labs completes testing, it presents a letter grade along with a point scale for each of 4 categories:
1 Certificate
2 Protocol Support
3 Key Exchange
4 Cipher Strength
Each of the categories receives a numerical score that SSL Labs then averages into a total. Some special cases and configurations that SSL Labs recommends against, such as having SSLv3 enabled, can limit your final grade. You can find complete documentation on how SSL Labs grades servershere.
Implementation Concerns
SSL Profiles
This article uses SSL Profiles. When first enabled, SSL Profiles setsallSSL virtual servers to use the default profile.
SSL profiles take precedence over global and per virtual server SSL parameters.
Client support
Some of the configuration steps in this article can cause connectivity issues with old clients and browsers. For example, Internet Explorer 11 on Windows 7 and 8.1 only supports older cipher suites and, other older browsers may lack support for TLS1.2 and ECC ciphers entirely. In cases where support is missing, the client can experience error messages and an inability to display the site.
SSL Labs have a “Test your browser” button on its front page to help determine your needs.
Citrix Receiver/Workspace app Cipher Support for Gateway deployments
Review the following articles regarding client cipher support when deploying a gateway virtual server for virtual apps and desktops:
Note:See theFirmware Notessection for required builds and other notes regarding specific ADC firmware
Basic Steps - GUI
Take the following steps to ensure a high score on the SSL Labs test.
Ensure that the ADC is running a recent firmware release - 13.0 build 71 or later is recommended to take advantage of TLS1.3 hardware acceleration
Ensure that the certificate chain is complete and trusted
- Root CAs do not always directly sign certificates. Instead, a root CA often uses an intermediary to sign a certificate
- Install the intermediate certificate on the ADC. Link it to the server certificate you bound to the virtual server
- Intermediate certificates are provided by the vendor that provides the server certificate, often in a ‘certificate bundle’. They can usually be found on the vendor’s public site
- You may need to install and link multiple intermediate certificates. For the server certificate to function, the ADC must send a complete chain. A complete chain ends with a certificate signed by one of the client’s trusted root CAs
- As the client already has the trusted root CA, you don’t need to install and link it on the ADC
- To install an intermediate certificate, go to:Traffic Management > SSL > Certificates > CA Certificatesand chooseInstall(Note:早期的构建s of Citrix ADC do not have the ‘CA Certificates’ option in the GUI)
- Link an intermediate by selecting the certificate and choosinglinkfrom the action menu
- If the correct intermediate certificate is installed, it is automatically populated in the linking menu
- Create a custom cipher group that provides Forward Secrecy (FS)
- Go toTraffic Management > SSL > Cipher Groupsand chooseAdd
- Name the cipher group “SSL_Labs_Cipher_Group_Q4_2021”
- ClickAddthen expand theALLsection - select the following cipher suites:
- TLS1.3-AES256-GCM-SHA384
- TLS1.3-AES128-GCM-SHA256
- TLS1.3-CHACHA20-POLY1305-SHA256
- TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
- TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
- TLS1.2-ECDHE-ECDSA-AES256-SHA384
- TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
- Click the>right arrow to move the ciphers from theAvailablecolumn to theConfiguredcolumn
- ClickCreate
- Enable SSL Profiles
Navigate toTraffic Management > SSL > Change advanced SSL settings, scroll down, and selectEnable Default Profile.
SSL Profiles setsallSSL virtual servers to use the default profile when first enabled. As existing per virtual server SSL settings are removed, the ADC will prompt you to confirm.
- Create an SSL Profile
- Navigate toSystem > Profiles > SSL Profile, and selectAdd
- Name the profile “SSL_Labs_Profile_Q4_2021”
- Scroll toDeny SSL Renegotiationand selectNONSECUREto allow only clients that support RFC 5746 to renegotiate
- Scroll toHSTS, tickHSTS, and specify aMax Ageof 157680000 seconds
- Scroll toProtocoland select only TLSv12 and TLSv13
- Scroll to the end of the form and selectOK
- Scroll toSSL Ciphers, select the pencil icon to edit, then clickRemove All
- ClickAddand add the cipher group we created earlier
- Scroll to the end of the form and selectDone
- Navigate toSystem > Profiles > SSL Profile, and selectAdd
- Bind the SSL Profile to the SSL virtual server
- On the selected virtual server, select the pencil icon to edit the boundSSL Profile
- Select the SSL Profile we created from the drop-down list
- Click OK
Basic Steps - CLI
Take the following steps to ensure a high score on the SSL Labs test.
In the CLI examples below, the name of the SSL virtual server is listed asEx-vServer- it can be replaced with the name of the SSL virtual server in your environment.
- Create a custom cipher group that prefers ECDHE and ECDSA cipher suites
添加ssl密码SSL_Labs_Cipher_Group_Q4_2021绑定ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-AES256-GCM-SHA384 bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-AES128-GCM-SHA256 bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 - Enable SSL Profiles
set ssl parameter -defaultProfile ENABLED - Create an SSL Profile
add ssl profile SSL_Labs_Profile_Q4_2021 -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 ENABLED -denySSLReneg NONSECURE - Unbind the default cipher group from the SSL Profile and bind the custom group
unbind ssl profile SSL_Labs_Profile_Q4_2021 -cipherName DEFAULT bind ssl profile SSL_Labs_Profile_Q4_2021 -cipherName SSL_Labs_Cipher_Group_Q4_2021 - Bind the SSL Profile to the SSL virtual server
set ssl vserver "Ex-vServer" -sslProfile SSL_Labs_Profile_Q4_2021 More Settings
SHA1 Certificates
Certificates that are signed with SHA1 are considered weak, and prevents a high grade in the SSL Labs test. If any certificates are SHA1 signed, they should be replaced with an SHA256 certificate and installed on the ADC.
DNS CAA
DNS Certification Authority Authorization (CAA) allows CAs to validate if they are authorized to issue certificates for a domain and provide a contact if something goes wrong.
DNS CAA is not required for an A+ at SSL Labs and is an optional step.You can find out more about DNS CAA here.
Legacy client support
The ECDHE ciphers we use in this guide replace the older slower DHE ciphers. If you have legacy clients that you cannot upgrade, you may have no choice but to enable DHE.
You can enable DHE cipher suites with the following steps:
- Create and bind a DH key to the SSL Profile
create ssl dhparam DH_Key_Name_Here.key 2048 -gen 2 set ssl profile SSL_Labs_Profile_Q4_2021 -dh ENABLED -dhFile DH_Key_Name_Here.key - Bind a DHE cipher suite to the cipher group that we created earlier
bind ssl cipher SSL_Labs_Cipher_Group_Q4_2021 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 Firmware Notes
Citrix enabled TLS1.2 as a default in firmware version10.5 build 57
The ROBOT vulnerability was addressed in builds12.0 build 53, 11.1 build 56, 11.0 build 71 and 10.5 build 67-more details are available here
The HSTS (Strict Transport Security) flag became available in12.0 build 35- prior builds required a rewrite policy to insert the HSTS header. Youcannotuse both as the ADC to insert 2 headers which is not allowed.
Support for TLS1.2 was added to the VPX appliances in10.5 build 57. It was available in earlier builds for appliances with dedicated SSL hardware
Support for TLS1.3 was added in12.1 build 49.23- it must be enabled in the vServer\SSLProfile, and TLS1.3 ciphers (listed) must be bound
ECC certificate support was added to the VPX appliances in12.0 build 57. It was available in earlier builds for appliances with dedicated SSL hardware
The Zombie POODLE vulnerability was addressed in builds12.1 build 50.31, 12.0 build 60.9, 11.1 build 60.14, 11.0 build 72.17, and 10.5 build 69.5. This vulnerability only affects MPX\SDX appliances with Nitrox SSL hardware. MPX\SDX appliances with Coleto Creek are not vulnerable. Disabling CBC-based cipher suites also mitigates this vulnerability.有关更多信息,请参见CTX文章
The cipher list has been modified to address CBC weaknesses, thus removing 0xc028 and 0x39 ciphers
Citrix added TLS1.3 hardware acceleration in13.0 build 71