Note – This article has been superseded by a new improved version.

My last blog on scoring an A+ with Qualys’s excellent SSL Labs website was extremely popular, but as with all security topics we are shooting at a moving target, and it wasn’t long before NetScaler began to score an “A” (secure) rather than an “A+” (exceptional).

With this blog I’m going to detail again how an A+ can be achieved, and thanks to the 10.5.57 firmware update we can now achieve it on every platform – VPX, MPX, and SDX! Good news indeed!

Appliance                                   Score
MPX/SDX with NS10.5-57.7                    A+
VPX (not on an SDX) with NS10.5-57.7        A+
MPX/SDX without NS10.5-57.7                 A
VPX (not on an SDX) without NS10.5-57.7     C

My new “cheat sheet” for an A+

  1. Disable SSLv3.

SSLv3 is considered insecure and you’ll now only score a “C” with it enabled.

  2. TLSv1.2 must be enabled for your vServer.

Without TLSv1.2 the highest score available is a “B”; note that as of 10.5.57 this works on every NetScaler, including a VPX without any hardware SSL chip assigned.

  3. RC4 ciphers must be disabled using a custom cipher list.

RC4 ciphers are generally considered insecure and again your score is limited to a “B” without disabling them.

  4. Set your custom cipher list to prefer Elliptic Curve Diffie–Hellman Exchange (ECDHE) to move from an “A-” to an “A”.

Note that when you create a new cipher group via the GUI in 10.5, ciphers are added in reverse priority order (they are reordered when the group is created), so check the resulting order before binding the group to a vServer. Ciphers bound from the CLI are bound in the order you issue the commands.

Moving from an A to an A+

NetScaler now supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks, a requirement for an A+ score.

  5. Ensure both your server certificate and your intermediate certificates have a SHA2/SHA256 signature.
  6. Implement Strict Transport Security by inserting a custom header using a rewrite policy bound to your vServer. See here for details.
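The six steps above as one NetScaler 10.5 CLI session. This is an added example, not configuration from the original post; the vServer name vs_web_ssl, the cipher group name cg_aplus, the certkey names and the certificate file names are assumptions, and the certificate files are assumed to already be uploaded to /nsconfig/ssl/. The cipher group here keeps only ECDHE and plain RSA suites; if you use one of the lists later in the post that also binds DHE suites, check the Diffie–Hellman parameter size on the vServer as well, since SSL Labs separately flags weak (1024-bit) DH parameters.

```netscaler
# Added example: the A+ cheat sheet as NetScaler 10.5 CLI (assumed names throughout).

# 1 and 2. Protocols: SSLv2/SSLv3 off, TLS 1.0-1.2 on (TLS1.2 works on VPX from 10.5.57).
set ssl vserver vs_web_ssl -ssl2 DISABLED -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED

# 3 and 4. Custom cipher group with no RC4 and ECDHE first. On the CLI, bind order is priority order.
add ssl cipher cg_aplus
bind ssl cipher cg_aplus -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher cg_aplus -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher cg_aplus -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher cg_aplus -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher cg_aplus -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher cg_aplus -cipherName TLS1-AES-128-CBC-SHA

# Remove the DEFAULT group (it contains RC4), bind the custom group, and bind the curves ECDHE needs.
unbind ssl vserver vs_web_ssl -cipherName DEFAULT
bind ssl vserver vs_web_ssl -cipherName cg_aplus
bind ssl vserver vs_web_ssl -eccCurveName ALL

# 5. SHA-256 signed server certificate and intermediate, linked so the full chain is served.
add ssl certKey web_cert -cert web.example.com.crt -key web.example.com.key
add ssl certKey web_ca_int -cert intermediate.crt
link ssl certKey web_cert web_ca_int
bind ssl vserver vs_web_ssl -certkeyName web_cert

# 6. HSTS: insert the header on every response via a rewrite policy bound to the vServer.
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy rw_pol_hsts true rw_act_hsts
bind lb vserver vs_web_ssl -policyName rw_pol_hsts -priority 100 -gotoPriorityExpression END -type RESPONSE

# Review the protocols, cipher group and curves the vServer now offers, then save.
show ssl vserver vs_web_ssl
save ns config
```

Run `show ssl vserver vs_web_ssl` before re-testing with SSL Labs: it lists the enabled protocol versions, the bound cipher group and the ECC curves, which is the quickest way to spot a step that did not take (for example a forgotten `-eccCurveName` binding, which leaves ECDHE suites in the list but unusable).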


That’s it: another 15-minute process to enhance security and get an A+. Do remember, however, that ssllabs.com is just an opinion and we’re not necessarily recommending this for your environment; as always, testing is paramount.

How does my score compare to others?

This data is actually published here

Reading the summary for May 07, 2015 we can see that of 146,462 sites surveyed by ssllabs.com 25.3% scored an F and just 1.1% (1,625) managed an A+ — something you can now do in a matter of minutes.

What ciphers should I use?

This question will depend very much on your environment and I’d recommend discussing it with your security team; however, here is the cipher list submitted by Claus Jan Harms on my last article. I’ve had excellent success with it.

  • add ssl cipher claus-cipher-list-with-gcm
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1-ECDHE-RSA-AES256-SHA
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1-ECDHE-RSA-AES128-SHA
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1-AES-256-CBC-SHA
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName TLS1-AES-128-CBC-SHA
  • bind ssl cipher claus-cipher-list-with-gcm -cipherName SSL3-DES-CBC3-SHA
Please note that SSL3-DES-CBC3-SHA, despite the name, remains available when SSLv3 is disabled. It is the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher and is needed for IE8 on Windows XP.

On a VPX some of those ciphers are not yet fully supported in 10.5.57.7, so here is the cipher list I would recommend there:

  • add ssl cipher vpx-cipher-list
  • bind ssl cipher vpx-cipher-list -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
  • bind ssl cipher vpx-cipher-list -cipherName TLS1-ECDHE-RSA-AES256-SHA
  • bind ssl cipher vpx-cipher-list -cipherName TLS1-ECDHE-RSA-AES128-SHA
  • bind ssl cipher vpx-cipher-list -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
  • bind ssl cipher vpx-cipher-list -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
  • bind ssl cipher vpx-cipher-list -cipherName TLS1-AES-256-CBC-SHA
  • bind ssl cipher vpx-cipher-list -cipherName TLS1-AES-128-CBC-SHA
  • bind ssl cipher vpx-cipher-list -cipherName SSL3-DES-CBC3-SHA
After binding the cipher group to your vServer it’s important to also ensure eccCurves are bound for ECDHE support.
  • bind ssl vs [vserver_name] -eccCurveName ALL

If we implement Strict Transport Security, how do we get onto “the browser-internal HSTS whitelists” or preload lists?

Strict Transport Security works by adding a header telling the client not to use http and to communicate over https only. This prevents man-in-the-middle attacks that strip the SSL conversation, but only once the client has seen the header: on the first visit to a site the attacker could remove the header with exactly such an attack.

The solution is to submit your site for inclusion in hardcoded preload lists of sites known to be https only. You can submit to Chrome’s preload list here.

This is becoming more useful as time passes, because Microsoft has recently announced HSTS support, and inclusion in the Chrome preload list feeds into IE, Firefox and Safari.
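Submitting a site to the Chrome preload list is only accepted if the HSTS header on the base domain carries a max-age of at least one year plus the includeSubDomains and preload directives, and if plain-HTTP requests to the same host redirect to HTTPS. The following is an added example, not configuration from the original post, showing both changes in NetScaler 10.5 CLI. It assumes an existing rewrite action rw_act_hsts that currently inserts a plain max-age header on the SSL vServer, a separate port-80 load-balancing vServer vs_web_http in front of the same hosts, and that the responder redirect action’s -responseStatusCode option is available on your build.

```netscaler
# Added example: make the HSTS header preload-eligible and redirect HTTP to HTTPS (assumed names).

# Upgrade the existing header in place: one-year max-age, includeSubDomains and preload.
set rewrite action rw_act_hsts -stringBuilderExpr "\"max-age=31536000; includeSubDomains; preload\""

# Preload also requires plain HTTP to redirect to HTTPS on the same host, so a responder
# policy on the port-80 vServer answers every request with a permanent redirect.
add responder action rs_act_to_https redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 301
add responder policy rs_pol_to_https HTTP.REQ.IS_VALID rs_act_to_https
bind lb vserver vs_web_http -policyName rs_pol_to_https -priority 100 -gotoPriorityExpression END -type REQUEST

save ns config
```

Treat includeSubDomains as a commitment rather than a tick-box: once a browser has the entry, every subdomain of the base domain must be reachable over HTTPS with a valid certificate, and removal from the preload list takes months to propagate. Verify the redirect and header with a plain HTTP request to the port-80 address before submitting.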