Enabling TLS 1.3 on Citrix NetScaler

A lot of work has gone into the new version of TLS, version 1.3, where the focus has been mostly on security and on removing unnecessary round trips between client and server to improve performance. That is why there is a flash picture here: overall, TLS 1.3 handshakes can reduce the time it takes to establish a session from 300 ms to 200 ms. If you are not familiar with it, TLS 1.2 is already over 10 years old and suffers from issues that could not be foreseen at the time the protocol was standardized.

[Figure: TLS version timeline]

The other good thing is that it works with Citrix NetScaler and is supported on both the VPX and MPX appliances.

If you haven’t seen all the improvements in the protocol itself, I suggest that you take a closer look at the blog post from the people at Cloudflare on the subject, https://www.cloudflare.com/learning-resources/tls-1-3/

[Figure: TLS 1.3 handshake performance. Source: Kinsta]

Can my browser use TLS 1.3?

Most browsers can already use TLS 1.3 today (except Internet Explorer and Edge); you can see the overall progress of the different browsers here –> https://8gwifi.org/docs/tlsv13.jsp when it comes to support for the different draft versions and the final RFC.


You can also check whether the browser you are currently running has TLS 1.3 supported and enabled here –> https://www.cloudflare.com/ssl/encrypted-sni/ ; by now it is enabled in most browsers. Chrome has been shipping a draft version of TLS 1.3 since Chrome 65. In Chrome 70, the final version of TLS 1.3 is enabled for outgoing connections. If you want to enable TLS 1.3 in older versions where it is not enabled by default, you can configure it with the following Chrome flag:

chrome://flags/#tls13-variant

Enabling TLS 1.3 on Citrix NetScaler

To enable this on Citrix NetScaler (sorry, Citrix ADC…), it is a matter of creating an SSL profile that defines which SSL/TLS protocols should be enabled for a service.

FYI: there are some limitations you should be aware of and take into consideration before enabling TLS 1.3 on a load-balancing vServer.

  • On the Citrix ADC MPX platform, TLSv1.3 processing is not offloaded to crypto hardware.
  • NS 12.1 build 49.23 or newer firmware is required to support the final TLS 1.3 RFC 8446 (which is what the Chrome 70.x browser requires for it to work).
  • It is also important to note that the ECDHE groups (curves) supported by NetScaler are:
    OpenSSL Name    NetScaler Name
    prime256v1      P_256
    secp384r1       P_384
    secp521r1       P_521

    By default, all three of these curves are enabled in an SSL vserver. The P_224 curve is also enabled in an SSL vserver by default, but TLS 1.3 servers are forbidden from negotiating this curve, so it will never be used in a TLS 1.3 handshake regardless of its enabled/disabled state.

  • TLSv1.3 is not supported on the back end; it is only available for front-end vServers.
  • The entire certificate chain is required to be present for the connection to be established.

So when you are setting up a Load Balanced vServer you need to make the following changes.

1: Adjust the SSL parameters, or create and use an SSL profile, with TLS 1.3 enabled as a protocol.


2: Define the TLSv1.3 cipher suites, which are built in from build 48.


3: Adjust the ECC curve bindings and remove the P_224 binding.


And Voila!
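For those who prefer the CLI, here is the equivalent of the three GUI steps above as an added example; it is not from the original post or from Citrix documentation, the profile name ssl_prof_tls13 and vserver name lb_vs_web are placeholders, and it assumes firmware 12.1 build 49.23 or later with SSL default profiles enabled.

```text
# Added example, not from the original post. ssl_prof_tls13 and lb_vs_web
# are placeholder names; replace them with your own profile and vserver.

# Step 1: TLS 1.3 is configured through SSL profiles, so the default-profile
# feature must be on. This is a global switch that changes how every SSL
# vserver on the appliance is configured, so review existing vservers first.
set ssl parameter -defaultProfile ENABLED

# Create a front-end profile with TLS 1.2 and 1.3 on and the legacy protocols off.
add ssl profile ssl_prof_tls13 -sslProfileType FrontEnd -tls13 ENABLED -tls12 ENABLED -tls11 DISABLED -tls1 DISABLED -ssl3 DISABLED

# Step 2: bind the built-in TLS 1.3 cipher suites (available from build 48),
# followed by the ECDHE cipher group so TLS 1.2 clients still get forward secrecy.
bind ssl profile ssl_prof_tls13 -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1
bind ssl profile ssl_prof_tls13 -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2
bind ssl profile ssl_prof_tls13 -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3
bind ssl profile ssl_prof_tls13 -cipherName ECDHE -cipherPriority 4

# Step 3: keep only the curves a TLS 1.3 server may negotiate. Check the
# profile first; if P_224 is listed, unbind it (RFC 8446 forbids it), then
# make sure P_256, P_384 and P_521 are bound.
show ssl profile ssl_prof_tls13
unbind ssl profile ssl_prof_tls13 -eccCurveName P_224
bind ssl profile ssl_prof_tls13 -eccCurveName P_256
bind ssl profile ssl_prof_tls13 -eccCurveName P_384
bind ssl profile ssl_prof_tls13 -eccCurveName P_521

# Attach the profile to the front-end vserver and confirm the active settings.
# Remember the limitation above: the full certificate chain must be linked to
# the certkey bound to this vserver, or TLS 1.3 clients will fail to connect.
set ssl vserver lb_vs_web -sslProfile ssl_prof_tls13
show ssl vserver lb_vs_web
```

From a client with OpenSSL 1.1.1 or later, `openssl s_client -connect <vip>:443 -tls1_3` should then report TLSv1.3 for the vserver. When checking in Wireshark, look at the supported_versions extension in the ServerHello rather than the record-layer version, because TLS 1.3 still writes the TLS 1.2 value (0x0303) there for compatibility.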

How can I verify that I connect using TLS 1.3?

You can either use OpenSSL, or the Developer Tools in for instance Chrome, which show which ciphers and protocols are being used in the session; or, if you prefer, you can use Wireshark version 2.6 or later, which can also filter TLS 1.3 traffic.
