Netscaler Knowledgebase

We run NetScaler NS8.1: Build 60.3, periodically we run www.securitymetrics.com  on our sites and we have gotten flagged with

Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

See also : http://www.openssl.org/docs/apps/ciphers .html

Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. Risk Factor: Medium  / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers
(< 56-bit key) SSLv3 EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA
Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA
Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA
Enc=RC4(40) Mac=MD5 export The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption
method} Mac={message authentication code} {export flag}



Is there any way to shut those specific ciphers off?

I am using a third part tester

http://www.unspecific.com/2009/02/16/ssl-cipher-check

It reports that it has been able to handshake with

SSLv3:EXP-DES-CBC-SHA - SUCCESS *V *W

But this is not part of my configured group. I tried also creating a new cipher group and adding only specific ciphers, but this one and others although not specifically defined come up as valid.

Thanks In adavance

Alex,

I've been using SSL Digger and I noticed a similar problem, I would disable the ciphers but for some reason they would still work. I had to create a new group about 3 times and it finally worked. Here is the link I have to my "strong" ciphers. By the way this was strong enough to be PCI compliant if that's what you are shooting for.

add ssl cipher SSL-PCI "TLS1-DHE-DSS-AES-128-CBC-SHA"
add ssl cipher SSL-PCI "TLS1-DHE-RSA-AES-128-CBC-SHA"
add ssl cipher SSL-PCI "SSL3-RC4-SHA"
add ssl cipher SSL-PCI "SSL3-RC4-MD5"
add ssl cipher SSL-PCI "SSL3-DES-CBC3-SHA"
add ssl cipher SSL-PCI "SSL2-RC2-CBC-MD5"
add ssl cipher SSL-PCI "SSL2-RC4-MD5"
add ssl cipher SSL-PCI "TLS1-AES-128-CBC-SHA"
add ssl cipher SSL-PCI "TLS1-AES-256-CBC-SHA"
add ssl cipher SSL-PCI "SSL2-DES-CBC3-MD5"
add ssl cipher SSL-PCI "SSL3-EDH-DSS-DES-CBC3-SHA"
add ssl cipher SSL-PCI "TLS1-DHE-DSS-AES-256-CBC-SHA"
add ssl cipher SSL-PCI "TLS1-DHE-RSA-AES-256-CBC-SHA"
add ssl cipher SSL-PCI "SSL3-EDH-RSA-DES-CBC3-SHA"

One other thing is you should disable the SSL V2 redirect as it will give a false positive too
http://forums.citrix.com/message.jspa?messageID=680124

We recently had some penetration testing done and found there were 2 reasons for the false positives,
SSLv2redirect and cipherRedirect both of which are enabled by default.  Setting both of them to disabled solved the issue and we still use the DEFAULT cert group.

The explanation given by Citrix was that the NetScaler would allow the non supported cipher request to be setup but that the NetScaler would return an error message about needing to upgrade and then Terminate the session.  Most of the tools used just test if the SSL handshake is successful which it is so the NetScaler can respond with the error message.

You can verify this by enabling only sslv2 on your browser and connecting to an SSL vserver that does not support v2 and has sslv2redirect enabled, you will get the error message and not the page you were after.