
Netscaler - Enabling TLS 1.1 and 1.2


jack johnson


I attempted to enable TLS 1.1 and 1.2 via the web interface for my Netscaler and it gave me the 'Operation Not Permitted' error. Support said that our appliance (we have a very small one) does not support TLS 1.1 and 1.2 enabling through the web interface but does support it through the CLI.

On the CLI I used the correct command and it still says 'Operation Not Permitted'. Are TLS 1.1 and 1.2 not supported at all on some of the lesser appliances?

We are on version 10.1NS

Any ideas?

Thanks for any help!


Wow, that info is hidden away, isn't it!!

http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-supported-ciphers-list-ref.html

* NetScaler MPX appliances support TLS protocol versions 1.1 and 1.2.

* Support for TLS protocol versions 1.1 and 1.2 is not available on a FIPS appliance or on a NetScaler VPX virtual appliance.

* Support for TLS protocol versions 1.1 and 1.2 is available on an SDX appliance, but only on an instance-by-instance basis. To support TLS protocol versions 1.1 and 1.2 on an SDX appliance, you must assign at least one SSL chip to the instance when you provision it.

In other words, it's only available if you have SSL hardware, they haven't written the software version for it (yet?)


MPX 8005 here, 10.5-54.9, I can enable tls 1.0, 1.1, and 1.2 on the front end virtual server, but not on the individual services. Clients can still handshake to the virtual server with tls 1.2, but no clue what's going on from Netscaler service -> internal servers. Almost seems like it was their intention for whatever reason.


MPX 8005 here, 10.5-54.9, I can enable tls 1.0, 1.1, and 1.2 on the front end virtual server, but not on the individual services. Clients can still handshake to the virtual server with tls 1.2, but no clue what's going on from Netscaler service -> internal servers. Almost seems like it was their intention for whatever reason.

Hi Peter,

Did you get to the bottom of your particular issue? I have re-keyed my certs with SHA2 and moved everything to tls 1.1 and 1.2, which is set correctly on the vserver, but on the services, I am unable to enable tls 1.1 or 1.2 with the error 'operation not permitted'.

Thank you


Hey Ian Caruana, I opened a ticket with Citrix support today, and they told me that the VPX will support TLS 1.1 and 1.2 in the next version release (11.x) for Q2 2015. Not sure if this would be applicable to you considering you are running the MPX, but maybe the issue you are experiencing will be resolved in the next upgrade? Apparently this came right from one of the developers...


Wow, that info is hidden away, isn't it!!

http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-supported-ciphers-list-ref.html

* NetScaler MPX appliances support TLS protocol versions 1.1 and 1.2.

* Support for TLS protocol versions 1.1 and 1.2 is not available on a FIPS appliance or on a NetScaler VPX virtual appliance.

* Support for TLS protocol versions 1.1 and 1.2 is available on an SDX appliance, but only on an instance-by-instance basis. To support TLS protocol versions 1.1 and 1.2 on an SDX appliance, you must assign at least one SSL chip to the instance when you provision it.

In other words, it's only available if you have SSL hardware, they haven't written the software version for it (yet?)

This is going to be quite rough if there is a vulnerability discovered in TLS 1.0 for those on VPX devices. Let's hope that doesn't happen or Citrix eventually releases an update that allows us to do TLS 1.1, 1.2 on VPX!

I believe that the TLS 1.1 & TLS 1.2 software implementation was originally planned to be included in the 10.5 release. But now we need to wait for the next major release, I suppose.

I opened a ticket with Citrix support today, and they told me that the VPX will support TLS 1.1 and 1.2 in the next version release (11.x) for Q2 2015. Apparently this came right from one of the developers...


Good news: upgrade to 10.5-57.7, and TLS 1.1 and TLS 1.2 are available!

If you then disable SSL V3, and remove any ciphers that use RC4, then you should be able to get an A- from SSL Labs!!

Update: play with a few more bits, and you can get an A+ on a VPX!


I tried that Paul, and yes you can get an A from SSL Labs, but I had way too many clients that couldn't connect. Probably running XP or IE 7 or a weird combination. I had to re-add those RC4 ciphers. It will all work out someday for us, just not yet I'm afraid.

--Alan--


Evan,

Yes it's only supported on the front-end, not the back-end (service) so this is normal behavior is my understanding.

Even the release that just came out yesterday (11) has this same limitation.

Hopefully they will add that back-end support in the future.

Played around with the SSL settings and got the same, this article explains:

http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/supported-ciphers-list-release-11.html

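The hardening steps the thread converges on (disable SSLv3, drop RC4 ciphers, turn TLS 1.2 on at the vserver, and accept that on 10.5/11 the back-end services cannot have TLS 1.1/1.2 raised) can be checked offline against an exported ns.conf rather than by clicking through the GUI. The script below is an added example and is not code from the thread or from Citrix; it assumes the two ns.conf line shapes `set ssl vserver|service <name> -flag VALUE ...` and `bind ssl vserver|service <name> -cipherName <name>`, and the sample excerpt, entity names and cipher names in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample ns.conf excerpt (made-up entity names, not taken from the thread).
SAMPLE_NS_CONF = """\
set ssl vserver vs_web_443 -ssl3 ENABLED -tls1 ENABLED -tls11 DISABLED -tls12 DISABLED
bind ssl vserver vs_web_443 -cipherName DEFAULT
bind ssl vserver vs_web_443 -cipherName SSL3-RC4-MD5
set ssl vserver vs_hardened_443 -ssl3 DISABLED -tls1 DISABLED -tls11 ENABLED -tls12 ENABLED
bind ssl vserver vs_hardened_443 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
set ssl service svc_backend_app -ssl3 DISABLED -tls1 ENABLED
bind ssl service svc_backend_app -cipherName SSL3-RC4-SHA
"""

# Assumed line shapes: "set ssl <kind> <name> -flag VALUE ..." and
# "bind ssl <kind> <name> -cipherName <cipher>". Anything else is ignored.
SET_RE = re.compile(r"^set ssl (vserver|service) (\S+)((?:\s+-\w+\s+\S+)*)\s*$")
BIND_RE = re.compile(r"^bind ssl (vserver|service) (\S+) -cipherName (\S+)\s*$")
FLAG_RE = re.compile(r"-(\w+)\s+(\S+)")


def parse_ns_conf(text):
    """Group protocol flags and bound cipher names per SSL vserver/service."""
    entities = defaultdict(lambda: {"flags": {}, "ciphers": []})
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            kind, name, rest = m.groups()
            for flag, value in FLAG_RE.findall(rest):
                entities[(kind, name)]["flags"][flag.lower()] = value.upper()
            continue
        m = BIND_RE.match(line)
        if m:
            kind, name, cipher = m.groups()
            entities[(kind, name)]["ciphers"].append(cipher)
    return dict(entities)


def audit_entity(kind, flags, ciphers):
    """Findings matching the thread's steps: no SSLv3, no RC4, TLS 1.2 on the front end."""
    findings = []
    if flags.get("ssl3") == "ENABLED":
        findings.append("SSLv3 enabled")
    # Only the front end (vserver) can have TLS 1.1/1.2 raised on 10.5/11, as the
    # thread reports, so the protocol-version check is applied to vservers only.
    # ns.conf omits flags left at their default, so a missing -tls12 is reported
    # as "not explicitly enabled" rather than as disabled.
    if kind == "vserver" and flags.get("tls12") != "ENABLED":
        findings.append("TLS 1.2 not explicitly enabled (confirm with 'show ssl vserver')")
    for cipher in ciphers:
        if "RC4" in cipher.upper():
            findings.append(f"RC4 cipher bound: {cipher}")
    return findings


def audit_ns_conf(text):
    """Return {'<kind> <name>': [findings]} for every SSL entity in the excerpt."""
    report = {}
    for (kind, name), data in parse_ns_conf(text).items():
        report[f"{kind} {name}"] = audit_entity(kind, data["flags"], data["ciphers"])
    return report


if __name__ == "__main__":
    for entity, findings in audit_ns_conf(SAMPLE_NS_CONF).items():
        print(f"{entity}: {'; '.join(findings) if findings else 'ok'}")
```

Run it against a saved copy of ns.conf (`python audit.py < /nsconfig/ns.conf` after swapping `SAMPLE_NS_CONF` for `sys.stdin.read()`) before a maintenance window; the RC4 finding on a back-end service is the one the thread shows you cannot fully fix on these releases by raising the protocol version, so it is worth tracking separately from the front-end findings. The `DEFAULT` cipher group is deliberately not flagged here, since which ciphers it contains depends on the release.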