jack johnson Posted August 30, 2013
I attempted to enable TLS 1.1 and 1.2 via the web interface for my Netscaler and it gave me the 'Operation Not Permitted' error. Support said that our appliance (we have a very small one) does not support TLS 1.1 and 1.2 enabling through the web interface but does support it through the CLI. On the CLI I used the correct command and it still says 'Operation Not Permitted'. Are TLS 1.1 and 1.2 not supported at all on some of the lesser appliances? We are on version 10.1NS. Any ideas? Thanks for any help!

Christoph Wegener Posted September 2, 2013 (edited)
Yes. That is correct. You need a Netscaler Gateway hardware appliance (MPX) to be able to use TLS1.1/1.2
UPDATED: TLS1.1 & TLS 1.2 protocol support has been added to Netscaler VPX with firmware 10.5 build 57.7
Edited May 29, 2015 by Christoph Wegener

jack johnson Posted September 3, 2013 (Author)
Thanks.

Paul Blitz Posted September 5, 2013
Wow, that info is hidden away, isn't it!!
http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-supported-ciphers-list-ref.html
* NetScaler MPX appliances support TLS protocol versions 1.1 and 1.2.
* Support for TLS protocol versions 1.1 and 1.2 is not available on a FIPS appliance or on a NetScaler VPX virtual appliance.
* Support for TLS protocol versions 1.1 and 1.2 is available on an SDX appliance, but only on an instance-by-instance basis. To support TLS protocol versions 1.1 and 1.2 on an SDX appliance, you must assign at least one SSL chip to the instance when you provision it.
In other words, it's only available if you have SSL hardware, they haven't written the software version for it (yet?)

Dan Dill1709152948 Posted November 21, 2014
This is going to be quite rough if there is a vulnerability discovered in TLS 1.0 for those on VPX devices. Let's hope that doesn't happen or Citrix eventually releases an update that allows us to do TLS 1.1, 1.2 on VPX!

Christoph Wegener Posted November 22, 2014
I believe that the TLS 1.1 & TLS 1.2 software implementation was originally planned to be included in the 10.5 release. But now we need to wait for the next major release, I suppose.

Dan Coats Posted November 24, 2014
Still get operation not permitted on MPX with 10.5(53.9)

Peter Carter1709152533 Posted February 18, 2015
MPX 8005 here, 10.5-54.9, I can enable tls 1.0, 1.1, and 1.2 on the front end virtual server, but not on the individual services. Clients can still handshake to the virtual server with tls 1.2, but no clue what's going on from Netscaler service -> internal servers. Almost seems like it was their intention for whatever reason.

Ian Caruana Posted May 6, 2015
> MPX 8005 here, 10.5-54.9, I can enable tls 1.0, 1.1, and 1.2 on the front end virtual server, but not on the individual services. Clients can still handshake to the virtual server with tls 1.2, but no clue what's going on from Netscaler service -> internal servers. Almost seems like it was their intention for whatever reason.

Hi Peter, Did you get to the bottom of your particular issue? I have re-keyed my certs with SHA2 and moved everything to tls 1.1 and 1.2, which is set correctly on the vserver, but on the services, I am unable to enable tls 1.1 or 1.2 with the error 'operation not permitted'. Thank you

Garrett Kelly Posted May 7, 2015
Hey Ian Caruana, I opened a ticket with Citrix support today, and they told me that the VPX will support TLS 1.1 and 1.2 in the next version release (11.x) for Q2 2015. Not sure if this would be applicable to you considering you are running the MPX, but maybe the issue you are experiencing will be resolved in the next upgrade? Apparently this came right from one of the developers...

Garrett Kelly Posted May 7, 2015
> Wow, that info is hidden away, isn't it!!
> http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-supported-ciphers-list-ref.html
> * NetScaler MPX appliances support TLS protocol versions 1.1 and 1.2.
> * Support for TLS protocol versions 1.1 and 1.2 is not available on a FIPS appliance or on a NetScaler VPX virtual appliance.
> * Support for TLS protocol versions 1.1 and 1.2 is available on an SDX appliance, but only on an instance-by-instance basis. To support TLS protocol versions 1.1 and 1.2 on an SDX appliance, you must assign at least one SSL chip to the instance when you provision it.
> In other words, it's only available if you have SSL hardware, they haven't written the software version for it (yet?)

> This is going to be quite rough if there is a vulnerability discovered in TLS 1.0 for those on VPX devices. Let's hope that doesn't happen or Citrix eventually releases an update that allows us to do TLS 1.1, 1.2 on VPX!

> I believe that the TLS 1.1 & TLS 1.2 software implementation was originally planned to be included in the 10.5 release. But now we need to wait for the next major release, I suppose.

I opened a ticket with Citrix support today, and they told me that the VPX will support TLS 1.1 and 1.2 in the next version release (11.x) for Q2 2015. Apparently this came right from one of the developers...

Drasko Koncar Posted May 21, 2015
Put it in the wrong thread sorry :(
http://discussions.citrix.com/topic/348001-tls11-12-not-permitted-on-vserver/?do=findComment&comment=1875289

Paul Blitz Posted May 28, 2015
Good news: upgrade to 10.5-57.7, and TLS 1.1 and TLS1.2 are available! If you then disable SSL V3, and remove any ciphers that use RC4, then you should be able to get an A- from SSL labs!!
Update: play with a few more bits, and you can get an A+ on a VPX!

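A config check for the hardening steps in the post above (SSLv3 off, TLS 1.1/1.2 on, no RC4 ciphers bound), as an added example that is not part of the original thread and not Citrix tooling. It assumes saved-config lines in the `set ssl vserver|service ...` and `bind ssl vserver ... -cipherName ...` form; the sample config and entity names are constructed, and a setting missing from the file is reported rather than guessed from a default.

```python
import shlex

# Constructed sample in NetScaler command syntax (not taken from the thread).
SAMPLE_CONF = """\
set ssl vserver vs_web -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
bind ssl vserver vs_web -cipherName TLS1-AES-256-CBC-SHA
set ssl vserver vs_legacy -ssl3 ENABLED -tls11 DISABLED
bind ssl vserver vs_legacy -cipherName SSL3-RC4-SHA
bind ssl vserver vs_legacy -cipherName TLS1-AES-128-CBC-SHA
set ssl service svc_app -ssl3 DISABLED
"""

PROTO_FLAGS = ("-ssl3", "-tls1", "-tls11", "-tls12")


def parse(conf):
    """Collect protocol switches and bound ciphers per (kind, name) entity."""
    entities = {}
    for line in conf.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or tok[1] != "ssl" or tok[2] not in ("vserver", "service"):
            continue
        ent = entities.setdefault((tok[2], tok[3]), {"proto": {}, "ciphers": []})
        # Assumption: options on these lines come as "-flag value" pairs.
        opts = dict(zip(tok[4::2], tok[5::2]))
        if tok[0] == "set":
            for flag in PROTO_FLAGS:
                if flag in opts:
                    ent["proto"][flag] = opts[flag].upper()
        elif tok[0] == "bind" and "-cipherName" in opts:
            ent["ciphers"].append(opts["-cipherName"])
    return entities


def audit(conf):
    """Return {(kind, name): [findings]} for the three hardening steps."""
    report = {}
    for key, ent in parse(conf).items():
        findings = []
        if ent["proto"].get("-ssl3") != "DISABLED":
            findings.append("SSLv3 not explicitly disabled")
        for flag, label in (("-tls11", "TLS 1.1"), ("-tls12", "TLS 1.2")):
            if ent["proto"].get(flag) != "ENABLED":
                findings.append(f"{label} not explicitly enabled")
        findings += [f"RC4 cipher bound: {c}" for c in ent["ciphers"] if "RC4" in c.upper()]
        report[key] = findings
    return report
```

The open findings on `svc_app` correspond to the back-end limitation reported later in the thread, where TLS 1.1/1.2 cannot be enabled on a service.
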
Alan Lantz Posted May 28, 2015
I tried that Paul, and yes you can get an A from SSL labs, but I had way too many clients that couldn't connect. Probably running XP or IE 7 or a weird combination. I had to re-add those RC4 ciphers. It will all work out someday for us, just not yet I'm afraid.
--Alan--

Paul Blitz Posted June 4, 2015
Security or convenience: choose one!

Evan Mann1709152793 Posted July 2, 2015
I've upgraded my VPX to 10.5-57.7 and have been able to enable TLS 1.1 and 1.2 on a Virtual Server but I CANNOT enable TLS 1.1 or 1.2 on a SERVICE. The boxes are grayed out in the GUI and when you try to do it through CLI it says "operation not permitted". Is anyone else seeing this behavior?

Dan Dill1709152948 Posted July 2, 2015
Evan, Yes it's only supported on the front-end, not the back-end (service) so this is normal behavior is my understanding. Even the release that just came out yesterday (11) has this same limitation. Hopefully they will add that back-end support in the future.

Henry Heres1709154828 Posted August 8, 2015
> Evan, Yes it's only supported on the front-end, not the back-end (service) so this is normal behavior is my understanding. Even the release that just came out yesterday (11) has this same limitation. Hopefully they will add that back-end support in the future.

Played around with the SSL settings and got the same, this article explains:
http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/supported-ciphers-list-release-11.html

Harendra Fernando Posted October 27, 2016
Need to have TLS1.1 & TLS 1.2 protocol support on VPX. Planning to upgrade to 10.5 Build 61.11. Should the SVM also run the same or a similar version for this upgrade to work? Any known bugs in this version?

Roberto Santos1709159435 Posted November 26, 2020
Is it possible to use TLS 1.2 with Citrix Access Gateway version 5.0.4? I have the same doubt, someone would know if I can disable sslv3 and enable tls1.2, Citrix Access Gateway version 5.0.4?