Keeping your NetScaler A+ Rating on SSL Labs
By: Leee Jeffries |
If you think you have a NetScaler A+ rating on SSL labs, re-try your test and you might not anymore.
The new AEAD Ciphers have been added to NetScaler as of build 12.0.56.20.
To maintain an A+ Rating you need to modify your cipher suite to include these ciphers.
Here is a code snippet for you, change the cipher group name to match your own or create a new one.
[cc]add ssl cipher VPX_APLUS_CIPHER_23.03.16 bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1.2-DHE-RSA-CHACHA20-POLY1305 -cipherPriority 1 bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 2 bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3 bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 4 bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 5 bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 6 bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 7 bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 8 bind ssl cipher VPX_APLUS_CIPHER_23.03.16 -cipherName SSL3-DES-CBC3-SHA -cipherPriority 9 [/cc]
If you don’t understand this, look at this blog article from George Spiers on generating a Qualsys SSL Labs A+ rating on your NetScaler and just replace the ciphers with the above.
About Me
I'm an IT professional with over 15 years of experience in the IT industry, I've worked in many fields in my career. This blog is to share my experience, tips and tricks.