Netscaler 12 - Strict Transport DH public server param (Ys) reuse

[Josh Yost]

Hello All,

 

I am having some trouble figuring out how to get strict transport applied to a test netscaler 12 device that im using to prove changes to apply to a customer. 

 

I am following many of the guides on A+ SSL Labs rating and I'm stuck on one part: Enabling strict transport. I know im properly applying these settings in a response rewrite policy according to this documentation: https://www.citrix.com/blogs/2016/06/09/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-2016-update/

 

It is not, however, working properly and as a result I'm getting the DH public server param (Ys) reuse mark on the ssl labs report. 

 

One idea for a potential problem is that I'm using DUO for dual factor auth and I had a rewrite to avoid the 2nd password prompt. I turned this off and re-tested but without success. I'm kind of stuck here guys and I welcome ideas. 

 

Thanks

Josh

[Joe Brozzetti1709154126]

If you check the RW policy hits do you see hits for the STS?

 

I am not sure that this is related to STS.  Are you using any DH ciphers?  

 

I am not using DH ciphers and when I remove the STS RW policy SSL Labs says:

 

Strict Transport Security (HSTS) No

 

 

DH public server param (Ys) reuse No, DHE suites not supported

[Paul Blitz]

Joe: pre ver 12, you would use a rewrite to handle the insertion of the STS header, but with ver 12, it is supposed to be in the SSL profile.

 

(not been able to check this yey: having issues deploying a Netscaler 12 on my XenServer!!)

[Paul Blitz]

Ok, now that my Netscaler 12 is finally up and running....

 

The best way to lock down SSL vservers is to use a profile, and then apply that profile to your SSL vserver.

 

In ver 11, the only bit that could NOT be done within the profile was the STS - it needed a rewrite policy. With version 12, there is a tick box called "HSTS" in the profile (just below the "Session Ticket Life" box, near the bottom) that you need to tick.

 

In the CLI, it's "set ssl profile New_SSL_Profile -HSTS ENABLED"

 

(If you'd like a rundown of all the steps needed to get an A+, take a look at https://www.dropbox.com/s/krjowc80tobz88d/Getting%20A%2B%20at%20SSLLabs%20-%20May%202017.docx?dl=0, which I wrote)

 

 

By the way, if you have a Start.com certificate, it's possible that your rating might drop :

https://blog.qualys.com/ssllabs/2017/04/05/ssl-labs-distrusts-wosign-and-startcom-certificates

 

... and Symantec (were VeriSign) might also be in trouble :

http://www.pcworld.com/article/3184660/security/to-punish-symantec-google-may-distrust-a-third-of-the-webs-ssl-certificates.html

[Josh Yost]

Thank you guys for the responses on the problem. You are the evidence that the Citrix community is definitely an asset. 

 

I'm still getting the original problem and i do see HSTS enabled. Paul's answer helped but i dont think 100% solved the problem. I'm not seeing what I'm missing here. Could it be that my cert isnt publicly validated? I get a "T (A if trust issues ignored)" so I guess i dont know if the below problem is also related to the trust chain issues caused by the fact that I dont yet have my public cert. 

 

This is set:

Strict Transport Security (HSTS) Yes 
max-age=157680000

 

But I still see the error:

DH public server param (Ys) reuse Yes

 

Edit:

I modified my configuration to follow your guide exactly and I am presented with the same issue. If this is working for you, I'm thinking that it may be related to my public key status. I wish I knew more about the specific subject. 

[Joe Brozzetti1709154126]

Can you post the SSL Labs report so we can take a look and compare?

[Josh Yost]

https://drive.google.com/file/d/1sK8YddQOdlnGmzj4dDwW1efFXQ-QXkvH9Y8qswiUbHCO43hfIjfW89MdJflXR2bxy-WVPINto5KAYcRe/view?usp=sharing

 

I put a PDF print here. 

[Joe Brozzetti1709154126]

See my next post about the DH key

[Joe Brozzetti1709154126]

Josh,

 

I was able to recreate the same warning as you.  Are you using a DH key?  Do you have a value greater then 0 for the reuse?

 

When I set the DH Key reuse to 1000 I get the warning, when I set to 0 I don't.  So I retract my previous statement about the ciphers.  Can you check your DH key settings if applicable?

 

 

[Josh Yost]

Thanks for the reply sir. 

 

That is set correctly on my profile (I checked in the gui). I did find that i had "Default" bound to the ssl profile at priority 11. I dont think I added that manually so it must be there from creating the profile. I removed that and re-tested. I also noticed that I left ".key" off my DH key. I renamed and pointed the profile to it. I rechecked and im in the same situation. I'm considering building from scratch at this point. It's technically good practice for me anyhow. 

 

Here are my relevant config lines:

set ssl profile ns_default_ssl_profile_backend -sessionTicketLifeTime 0

 

add ssl profile FM_SSL_Profile -dh ENABLED -dhFile "/nsconfig/ssl/DH_FOXYM2048.key" -sessReuse ENABLED -sessTimeout 120 -denySSLReneg NONSECURE -HSTS ENABLED -maxage 157680000

 

bind ssl profile FM_SSL_Profile -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1

bind ssl profile FM_SSL_Profile -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2

bind ssl profile FM_SSL_Profile -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 3

bind ssl profile FM_SSL_Profile -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 4

bind ssl profile FM_SSL_Profile -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 5

bind ssl profile FM_SSL_Profile -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 6

bind ssl profile FM_SSL_Profile -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 7

bind ssl profile FM_SSL_Profile -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 8

bind ssl profile FM_SSL_Profile -cipherName TLS1.2-DHE-RSA-AES-128-SHA256 -cipherPriority 9

bind ssl profile FM_SSL_Profile -cipherName TLS1.2-DHE-RSA-AES-256-SHA256 -cipherPriority 10

 

 

[Joe Brozzetti1709154126]

The add ssl profile line looks good.

 

Do you have ECC curves enabled?

 

bind ssl profile ns_default_ssl_profile_frontend -eccCurveName P_256

bind ssl profile ns_default_ssl_profile_frontend -eccCurveName P_384

bind ssl profile ns_default_ssl_profile_frontend -eccCurveName P_224

bind ssl profile ns_default_ssl_profile_frontend -eccCurveName P_521

 

I am running NS 11.1 so my STS is a RW but my config lines look like:

 

add ssl profile stage_frontend_ssl_profile -dh ENABLED -dhFile "/nsconfig/ssl/dhkey2048.key" -sessReuse ENABLED -sessTimeout 120

 

bind ssl cipher MPX -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

bind ssl cipher MPX -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

bind ssl cipher MPX -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384

bind ssl cipher MPX -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256

bind ssl cipher MPX -cipherName TLS1-ECDHE-RSA-AES256-SHA

bind ssl cipher MPX -cipherName TLS1-ECDHE-RSA-AES128-SHA

bind ssl cipher MPX -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384

bind ssl cipher MPX -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256

bind ssl cipher MPX -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA

bind ssl cipher MPX -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA

bind ssl cipher MPX -cipherName TLS1-AES-256-CBC-SHA

bind ssl cipher MPX -cipherName TLS1-AES-128-CBC-SHA

 

bind ssl profile stage_ssl_profile_frontend -eccCurveName P_256

bind ssl profile stage_ssl_profile_frontend -eccCurveName P_384

bind ssl profile stage_ssl_profile_frontend -eccCurveName P_224

bind ssl profile stage_ssl_profile_frontend -eccCurveName P_521

 

[Joe Brozzetti1709154126]

And the config line for the vServer I am applying this profile too:

 

set ssl vserver StageRemoteAccess_VS -sslProfile stage_frontend_ssl_profile

[Josh Yost]

Joe and Paul,

 

You guys are fantastic! The problem was a combination of Paul's answer and the fact that my cert was not publicly trusted. I installed a soon to be not trusted free cert to test while i wait for the $ to buy one (lets encrypt is a pain). Thank you guys so much for the help!

 

I also confirmed the settings you sent Joe and I did have the ecc curves but i didnt put them in there so i assume they are default now.

 

I really appreciate you guys taking time out to help.

 

Thanks,

Josh

[Paul Blitz]

I had a StartSSL cert, but have just replaced it with a "GGSSL Domain SSL Certificate" from http://GoGetSSL.com, it cost about $5! It's a fully trusted one that SSLLabs is happy with!! (You just need to prove domain ownership by responding to an email to one of the standard admin emails in that domain.

[CarlStalhood]

Or you can do Let's Encrypt for free. https://blog.j81.nl/2017/04/06/lets-encrypt-certificates-on-a-netscaler/

[Josh Yost]

Thanks Paul and Carl, 

 

gogetssl looks like a good option. I did do a lets encrypt by setting a responder on my Http redirect at a higher priority. Its annoying to the point where the $5 would have been worth it. 

[Paul Blitz]

Yes, I saw that, about Lets Encrypt, but they only do a 90-day cert.... which is fine for a PoC or simple test, but I wanted a longer one.

 

I could have saved about $1 by getting a 3 year cert, but being the stingy and untrusting person that I am, went for a 1 year one first! In a years time, now I know it works ok, I'll probably go for the 3 year one!

[Julian Jakob]

I know it's an old one here, but not too old to talk about.

 

I'm using the same cipher group on a MPX and VPX - also same Build Versions.

 

MPX = DH public server param (Ys) reuse NO via ssllabs

VPX =  DH public server param (Ys) reuse YES via ssllabs

 

I'm using 2048 bit DHE Key on both instances. I think there are differences because of the hardware ssl chips in MPX which is missing in VPX?

[Paul Blitz]

On 9/3/2020 at 11:19 AM, Julian Jakob said:

I know it's an old one here, but not too old to talk about.

 

I'm using the same cipher group on a MPX and VPX - also same Build Versions.

 

MPX = DH public server param (Ys) reuse NO via ssllabs

VPX =  DH public server param (Ys) reuse YES via ssllabs

 

I'm using 2048 bit DHE Key on both instances. I think there are differences because of the hardware ssl chips in MPX which is missing in VPX?

 

I just did a bit of testing on my 13.0 VPX, and it's the same as you report... the "DH public server param (Ys) reuse" still gets a "YES" via ssllabs, so no change.