Not able to bind cipher group

Started by Jetze Mellema, 17 March 2017 - 11:09 AM
2 replies to this topic

Jetze Mellema Members

Posted 17 March 2017 - 11:09 AM

NetScaler 11.0 63.16.nc

I'm trying to bind a cipher group to CS and LB virtual servers. This works for most of the LB VS, but the change is not applied for one CS and one LB VS. When I bind the cipher group in the web interface, I return to the settings and see this instead of the cipher group:

Capture.JPG

Creating the cipher group:

add ssl cipher CIPHER_Exchange2013_NS11

bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher CIPHER_Exchange2013_NS11 -cipherName TLS1.2-DHE-RSA-AES-256-SHA256

Successfully bound the cipher group to some LB VS but one shows the default/all ciphers:

bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-aut -cipherName CIPHER_Exchange2013_NS11
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-map -cipherName CIPHER_Exchange2013_NS11
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-owa -cipherName CIPHER_Exchange2013_NS11
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-ecp -cipherName CIPHER_Exchange2013_NS11
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-ews -cipherName CIPHER_Exchange2013_NS11
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-oab -cipherName CIPHER_Exchange2013_NS11
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-AES-256-CBC-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-AES-128-CBC-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-AES-256-SHA256
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-AES-128-SHA256
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName SSL3-EDH-RSA-DES-CBC3-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName SSL3-EDH-DSS-DES-CBC3-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-ECDHE-RSA-RC4-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1-DHE-DSS-RC4-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName SSL3-DES-CBC3-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName SSL3-RC4-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName SSL3-RC4-MD5
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-eas -cipherName CIPHER_Exchange2013_NS11
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-pow -cipherName CIPHER_Exchange2013_NS11
bind ssl vserver LB_IMAPS_mail.domain.com_Exchange2013 -cipherName CIPHER_Exchange2013_NS11

Ketil Gjerde Members

Posted 17 March 2017 - 11:32 AM

unbind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName ALL
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName CIPHER_Exchange2013_NS11



Ross Bender Members

Posted 17 March 2017 - 01:32 PM

I've found the same bug. The option for selecting a cipher group is a dropdown, but if you select a different cipher group in the dropdown, it adds that group to any existing groups/ciphers. I usually then just go back and remove the undesired ones.
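
Because a newly selected cipher group is added to whatever is already bound, leftover ciphers are easy to miss. The following is an added example, not part of the thread or any Citrix tooling: it audits `bind ssl vserver ... -cipherName ...` lines and reports every virtual server whose bindings are not exactly the intended group. The sample input is constructed in the style of the commands above, and the parser assumes unquoted vserver names without spaces.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the thread's commands (not a real ns.conf).
SAMPLE_CONFIG = """\
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-owa -cipherName CIPHER_Exchange2013_NS11
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName SSL3-RC4-SHA
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-rpc -cipherName SSL3-RC4-MD5
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-eas -cipherName CIPHER_Exchange2013_NS11
bind ssl vserver LB_HTTPS_mail.domain.com_exch2013-eas -cipherName TLS1-ECDHE-RSA-RC4-SHA
"""

# Assumption: vserver names are unquoted and contain no spaces.
BIND_RE = re.compile(r"^bind ssl vserver (\S+) -cipherName (\S+)")
# Name fragments that mark RC4, MD5 and 3DES suites.
WEAK_RE = re.compile(r"RC4|MD5|DES-CBC3")

def bound_ciphers(config_text):
    """Map each SSL vserver to the cipher names/groups bound to it, in order."""
    bindings = defaultdict(list)
    for line in config_text.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            bindings[m.group(1)].append(m.group(2))
    return dict(bindings)

def audit(config_text, expected_group):
    """Report vservers whose bindings are not exactly [expected_group]."""
    findings = {}
    for vserver, ciphers in bound_ciphers(config_text).items():
        extra = [c for c in ciphers if c != expected_group]
        missing = expected_group not in ciphers
        if extra or missing:
            findings[vserver] = {
                "extra": extra,  # bindings left beside (or instead of) the group
                "weak": [c for c in extra if WEAK_RE.search(c)],
                "missing_group": missing,
            }
    return findings

if __name__ == "__main__":
    for vs, f in audit(SAMPLE_CONFIG, "CIPHER_Exchange2013_NS11").items():
        state = "group missing" if f["missing_group"] else "group bound, extras remain"
        print(f"{vs}: {state}; extra={f['extra']}; weak={f['weak']}")
```
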