Netscaler SSL Protocols Used (SSLv3, TLS1.0, etc.)


Tom Swift


We're trying to evaluate the potential end-user workstation impact if we tighten up the protocols our Netscaler VSERVERs use and eliminate, say, SSLv3 and/or TLS1.0.

 

We have a bunch of Load Balanced (LB) & Content Switching (CS) VSERVERS and by default they use:

SSLv3, TLS1.0, TLS1.1 and TLS1.2

 

On a few we have turned off SSLv3, and management is a bit concerned about turning off TLS1.0 without first knowing how many end-user machines would potentially be impacted.  This is a pretty large environment with several hundred thousand users.

 

Let's say we have the following:

add cs vserver securecorpwebsite SSL 8.9.10.11 -clttimeout 180

add lb vserver maincorpwebsite SSL 216.215.214.213 443 -persistenceType NONE -cltTimeout 9000

 

add ssl profile "NOSSLV3" -sessReuse ENABLED -sessTimeout 120 -ssl3 DISABLED -denySSLReneg FRONTEND_CLIENTSERVER
add ssl profile "SECUREPROTOCOLS" -sessReuse ENABLED -sessTimeout 120 -ssl3 DISABLED -tls1 DISABLED -tls11 ENABLED -tls12 ENABLED -denySSLReneg FRONTEND_CLIENTSERVER
 

set ssl vserver securecorpwebsite -sslProfile "NOSSLV3"

#REM - securecorpwebsite would use TLS1.0, TLS1.1 and TLS1.2

set ssl vserver maincorpwebsite -sslProfile "SECUREPROTOCOLS"

#REM - maincorpwebsite would use TLS1.1 and TLS1.2

#REM - Using SECUREPROTOCOLS is our long-term objective, but we first want to see how many sessions are coming in using SSLv3 and TLS1.0 before tightening things up

 

Is there a way to get a report or generate statistics based on VSERVER and detail SSLv3 and TLS1.0 usage?

 


33 minutes ago, Tom Swift said:

Not Netscaler MAS.

 

Any chance you’ve got a responder handy to do the logging of SSL settings?

 

CLIENT.SSL.VERSION.EQ(0x301) VERSION

 

The hex codes for the different SSL/TLS versions are as below:

0x300 is SSL 3.0
0x301 is TLS 1.0,
0x302 is TLS 1.1,
0x303 is TLS 1.2,

 

I know that you want it at a vserver level; however, do give this command a try.

 

>stat ssl detail


Hi Txtom,
I tackled this in a few steps. The first step was to find out which static clients (like webservices, servers, special devices) from our company and customers access our hosted services on Netscaler.

 

I used something like Raman mentioned, because our MAS is not yet productive. It can be a lot of work to read the syslog files and find the static clients. Maybe you can write a script that makes it easier for you. But most of the browsers are already up to date enough and connect with TLSv1.2 (and will not be displayed in the syslog).

 

Log TLS Version:
1. Enable User Configurable Log Messages to Local SysLog:
set audit syslogParams -userDefinedAuditlog YES

 

2. Create Logaction:
add audit messageaction AMA_Log_TLSVersion WARNING "\"Client: \"+CLIENT.IP.SRC+\" uses \"+CLIENT.SSL.VERSION+\" with \"+CLIENT.SSL.CIPHER_NAME+\" and accesses \"+HTTP.REQ.HOSTNAME" -logtoNewnslog YES

 

3. Create Responder Policy for Auditing:
add responder policy pol_rsp_AMA_Log_TLSVersion "CLIENT.SSL.VERSION.EQ(0x303).NOT" NOOP -logAction AMA_Log_TLSVersion

 

4. Bind Responder Policy to vServer:
bind lb vserver <VserverName> -policyName pol_rsp_AMA_Log_TLSVersion -priority 10 -gotoPriorityExpression NEXT -type REQUEST

 

Result in Syslog:
default RESPONDER Message 577028 0 :  "Client: 1.2.3.2 uses 771 with Cipher TLS1-ECDHE-RSA-AES256-SHA and accesses <Website>"
default RESPONDER Message 576926 0 :  "Client: 1.2.3.4 uses 769 with Cipher TLS1-ECDHE-RSA-AES256-SHA and accesses <Website>"

 

This part logs every client which does not use TLSv1.2. Since the TLS version is not easy to read, I translated it to another format:

 

5. Create String Map for SSL Versions:
add policy stringmap SM_TLSVersions
bind policy stringmap SM_TLSVersions 772 TLSv1.3
bind policy stringmap SM_TLSVersions 771 TLSv1.2
bind policy stringmap SM_TLSVersions 770 TLSv1.1
bind policy stringmap SM_TLSVersions 769 TLSv1.0
bind policy stringmap SM_TLSVersions 768 SSLv3

 

6. Delete your previously created Logaction and recreate one that uses the newly created stringmap:

add audit messageaction AMA_Log_TLSVersion WARNING "\"Client: \"+CLIENT.IP.SRC+\" uses \"+CLIENT.SSL.VERSION.TYPECAST_TEXT_T.MAP_STRING(\"SM_TLSVersions\")+\" with \"+CLIENT.SSL.CIPHER_NAME+\" and accesses \"+HTTP.REQ.HOSTNAME" -logtoNewnslog YES

 

Result in Syslog:
default RESPONDER Message 577028 0 :  "Client: 1.2.3.2 uses TLSv1.2 with Cipher TLS1-ECDHE-RSA-AES256-SHA and accesses <Website>."
default RESPONDER Message 576926 0 :  "Client: 1.2.3.4 uses TLSv1.0 with Cipher TLS1-ECDHE-RSA-AES256-SHA and accesses <Website>."


The second step was to inform every application owner and customer to update their clients (like webservices, servers, special devices). Give them a sufficient time frame to update their clients. We decided to give them a little over 3 months, since there were not many of these clients.

 

The third step was to inform customers (like end users) who access webservices via browser. To do this I created another responder policy which shows a very simple HTML page to the user if his browser does not use TLSv1.2 when accessing our services. After the HTML page is shown to the user, he can continue to the originally requested webservice. The HTML page creates a cookie "WrongTLSAccepted" with the value "true". Every time the user accesses the webservice, the responder policy checks if the HTML page was previously shown to the user (cookie) and does not show it again for this session. I built a pattern set for all webservices which did not work correctly with the shown HTML page, to exclude the page for these webservices. These users are not informed about the end of life of TLS below TLSv1.2; they have to be informed by mail or whatever.

 

1. Create Patternset for excluded webservices:
add policy patset pattset_TLS_NoPage
bind policy patset pattset_TLS_NoPage <webservice1> -index 1
bind policy patset pattset_TLS_NoPage <webservice2> -index 2

 

2. Create Responder Action:
add responder action act_rsp_TLS respondwith q|"HTTP/1.0 200 OK"+"\r\n\r\n"+"<!doctype html>"+"<html lang=\"de\">"+"<head>"+"<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>"+"<meta http-equiv=\"Set-Cookie\" content=\"WrongTLSAccepted=true; Secure;\"/>"+"<title>Browsercheck</title>"+"<style>"+"div.container {top: 0; left: 0; width: 100%; height: 100%; position: fixed; display: table; font-family: Helvetica, sans-serif; hyphens: auto }"+" p { display: table-cell; vertical-align: middle; text-align: center }"+" t1 { font-size: 36px; font-weight: 700; color: #333333 } t2 { font-size: 18px; color: #333333 } t3 { font-size: 18px; color: #333333; hyphens: none }"+".button { font: bold 11px; text-decoration: none; background-color: #EEEEEE; color: #333333; padding: 2px 6px 2px 6px; border-top: 1px solid #CCCCCC; border-right: 1px solid #333333; border-bottom: 1px solid #333333; border-left: 1px solid #CCCCCC;}"+"</style>"+"</head>"+"<div class=\"container\">"+"<p><t1>Old Browser!<br><br></t1>"+"<t2>This message will be displayed because your browser does not support any of the encryption options we use."+"<br>"+"Please update your Browser and try to access the website again.</t2>"+"<br><br>"+"<t3>Your Companyname<br>Your Company Address<br>Your Company City<br><br>Telephone: Your Company Telephone number</t3>"+"<br><br><a href=\"https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL.PATH_AND_QUERY+"\" class=\"button\">Go to Website</a></p></div>"+"\r\n"|

 

3. Create Responder Policy
add responder policy pol_rsp_TLS "CLIENT.SSL.VERSION.EQ(0x303).NOT && HTTP.REQ.COOKIE.CONTAINS(\"WrongTLSAccepted=true\").NOT && HTTP.REQ.HOSTNAME.EQUALS_ANY(\"pattset_TLS_NoPage\").NOT" act_rsp_TLS

 

4. Bind Responder Policy to vServer:
bind lb vserver <VserverName> -policyName pol_rsp_TLS -priority 15 -gotoPriorityExpression END -type REQUEST

 

The fourth step was to disable TLSv1.0 (SSL3.0 was disabled a long time ago) after the application owners and customers had been informed 3 months before. TLSv1.0 is a security breach, and this always helps to get things updated faster.

 

The fifth step will be three months later again, when TLSv1.1 will be disabled. This will be on 01.10.2018.


Hint: Do not forget to enable TLSv1.2 on your workstations (Win7, ...) or servers (like SharePoint) which also connect to webservices for different purposes.

 

This is/was the way I tackled it, and maybe it helps you on your way.

 

Best regards,
Jens

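As an added example (not part of any post in this thread), the script below turns the syslog lines produced by Jens's responder/audit policy into the per-site breakdown Tom asked for. It accepts both the raw form from step 2 ("uses 769 with ...") and the string-mapped form from step 6 ("uses TLSv1.0 with ..."), using the same decimal values as the string map (768 = 0x300 SSLv3 through 772 = 0x304 TLSv1.3, the hex codes from Raman's reply), counts hits per HTTP hostname and protocol version, and lists the distinct clients still below TLSv1.2 so application owners can be contacted. The log lines are constructed samples in the thread's output format, and the hostnames are placeholders.

```python
"""Summarize NetScaler responder audit lines by TLS version and hostname."""
import re
from collections import Counter, defaultdict

# Decimal form of the 16-bit protocol version carried in CLIENT.SSL.VERSION
# (0x300 = 768 ... 0x304 = 772), matching the SM_TLSVersions string map.
SSL_VERSION_NAMES = {
    768: "SSLv3",
    769: "TLSv1.0",
    770: "TLSv1.1",
    771: "TLSv1.2",
    772: "TLSv1.3",
}
NAME_TO_VERSION = {name: num for num, name in SSL_VERSION_NAMES.items()}

# Matches both message-action formats from the thread: the numeric version
# ("uses 769 with Cipher ...") and the string-mapped one ("uses TLSv1.0 with ...").
# A trailing period before the closing quote (as in the step-6 output) is tolerated.
LOG_RE = re.compile(
    r'"Client: (?P<client>[0-9a-fA-F.:]+) uses (?P<version>\S+) with '
    r'(?:Cipher )?(?P<cipher>\S+) and accesses (?P<host>[^"]+?)\.?"'
)


def parse_line(line):
    """Return (client, version_number, cipher, host), or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    raw = m.group("version")
    version = int(raw) if raw.isdigit() else NAME_TO_VERSION.get(raw)
    if version is None:
        return None
    return m.group("client"), version, m.group("cipher"), m.group("host")


def summarize(lines, minimum=771):
    """Count requests per (host, version name) and collect the distinct
    (client, version, cipher) tuples below `minimum` (771 = TLSv1.2) per host."""
    per_host = defaultdict(Counter)
    legacy_clients = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, version, cipher, host = parsed
        name = SSL_VERSION_NAMES.get(version, f"unknown({version})")
        per_host[host][name] += 1
        if version < minimum:
            legacy_clients[host].add((client, name, cipher))
    return per_host, legacy_clients


def report(per_host, legacy_clients):
    """Render the summary as plain text, one host per block."""
    out = []
    for host in sorted(per_host):
        total = sum(per_host[host].values())
        breakdown = ", ".join(f"{n}={c}" for n, c in sorted(per_host[host].items()))
        out.append(f"{host}: {total} logged requests ({breakdown})")
        for client, name, cipher in sorted(legacy_clients.get(host, ())):
            out.append(f"  legacy client {client} ({name}, {cipher})")
    return "\n".join(out)


# Constructed sample lines in the format of the thread's syslog output (not real
# log data). Hostnames are placeholders. The last line is unrelated noise.
SAMPLE_LOG = """\
default RESPONDER Message 577028 0 :  "Client: 1.2.3.2 uses 771 with Cipher TLS1-ECDHE-RSA-AES256-SHA and accesses portal.example.test"
default RESPONDER Message 576926 0 :  "Client: 1.2.3.4 uses 769 with Cipher TLS1-ECDHE-RSA-AES256-SHA and accesses portal.example.test"
default RESPONDER Message 576930 0 :  "Client: 1.2.3.4 uses 769 with Cipher TLS1-ECDHE-RSA-AES256-SHA and accesses portal.example.test"
default RESPONDER Message 576940 0 :  "Client: 10.0.0.7 uses TLSv1.0 with Cipher TLS1-AES-256-CBC-SHA and accesses api.example.test."
default RESPONDER Message 576941 0 :  "Client: 10.0.0.8 uses SSLv3 with Cipher SSL3-RC4-SHA and accesses api.example.test."
default RESPONDER Message 576942 0 :  "Client: 10.0.0.9 uses TLSv1.1 with Cipher TLS1-ECDHE-RSA-AES128-SHA and accesses api.example.test."
Jan 10 12:00:00 ns01 default SSLLOG SSL_HANDSHAKE_SUCCESS 1234 0 : unrelated line
"""

if __name__ == "__main__":
    hosts, legacy = summarize(SAMPLE_LOG.splitlines())
    print(report(hosts, legacy))
```

Two caveats when reading the numbers: the policy in the post only fires for non-TLSv1.2 clients (`CLIENT.SSL.VERSION.EQ(0x303).NOT`), so TLSv1.2 counts will only appear if you log every request; and the grouping is by `HTTP.REQ.HOSTNAME`, which maps to a vserver only where one hostname lives on one vserver (on a CS vserver with several hostnames, include the vserver name in the message action or bind the policy per vserver).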

Running into an error

2. Create Logaction:

 

> add audit messageaction AMA_Log_TLSVersion WARNING "\"Client: \"+CLIENT.IP.SRC+\" uses \"+CLIENT.SSL.VERSION.TYPECAST_TEXT_T.MAP_STRING(\"SM_TLSVersions\")+\" with \"+CLIENT.SSL.CIPHER_NAME+\" and accesses \"+HTTP.REQ.HOSTNAME" -logtoNewnslog YES

ERROR: String map does not exist


Hi Txtom,

it was my mistake. I edited my previous post.

 

The Logaction in number 2) was wrong. It used the Stringmap which you create in number 5). I inserted the right one to get the shown Result in Syslog.

I added the Logaction in number 6) which uses the Stringmap created in number 5) to get the shown Result in Syslog.

 

Best regards,

Jens


I appreciate the quick response.  In the meantime, I'd actually already figured out that Step 5 should go before Step 2.  I had to add one more command to get it to work.

 

1. Enable User Configurable Log Messages to Local SysLog:

set audit syslogParams -userDefinedAuditlog YES

 

2. Create String Map for SSL Versions:

add policy stringmap SM_TLSVersions
bind policy stringmap SM_TLSVersions 772 TLSv1.3
bind policy stringmap SM_TLSVersions 771 TLSv1.2
bind policy stringmap SM_TLSVersions 770 TLSv1.1
bind policy stringmap SM_TLSVersions 769 TLSv1.0
bind policy stringmap SM_TLSVersions 768 SSLv3

 

3. Create Logaction:

add audit messageaction AMA_Log_TLSVersion WARNING "\"Client: \"+CLIENT.IP.SRC+\" uses \"+CLIENT.SSL.VERSION.TYPECAST_TEXT_T.MAP_STRING(\"SM_TLSVersions\")+\" with \"+CLIENT.SSL.CIPHER_NAME+\" and accesses \"+HTTP.REQ.HOSTNAME" -logtoNewnslog YES -bypassSafetyCheck YES

#REM - NOTE Needed to add -bypassSafetyCheck YES because otherwise it was rejected

 

4. Create Responder Policy for Auditing:

enable feature responder

add responder policy pol_rsp_AMA_Log_TLSVersion "CLIENT.SSL.VERSION.EQ(0x303).NOT" NOOP -logAction AMA_Log_TLSVersion

 

5. Bind Responder Policy to vServer:

enable feature lb

bind lb vserver _XD_192.168.1.10_443 -policyName pol_rsp_AMA_Log_TLSVersion -priority 10 -gotoPriorityExpression NEXT -type REQUEST
 


8 months later...

Awesome post Jens!

 

We wanted an informational page to inform users of the change, and Jens's solution worked flawlessly!

 

Create Responder Action:
add responder action act_rsp_TLS respondwith q|"HTTP/1.0 200 OK"+"\r\n\r\n"+"<!doctype html>"+"<html lang=\"de\">"+"<head>"+"<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>"+"<meta http-equiv=\"Set-Cookie\" content=\"WrongTLSAccepted=true; Secure;\"/>"+"<title>Browsercheck</title>"+"<style>"+"div.container {top: 0; left: 0; width: 100%; height: 100%; position: fixed; display: table; font-family: Helvetica, sans-serif; hyphens: auto }"+" p { display: table-cell; vertical-align: middle; text-align: center }"+" t1 { font-size: 36px; font-weight: 700; color: #333333 } t2 { font-size: 18px; color: #333333 } t3 { font-size: 18px; color: #333333; hyphens: none }"+".button { font: bold 11px; text-decoration: none; background-color: #EEEEEE; color: #333333; padding: 2px 6px 2px 6px; border-top: 1px solid #CCCCCC; border-right: 1px solid #333333; border-bottom: 1px solid #333333; border-left: 1px solid #CCCCCC;}"+"</style>"+"</head>"+"<div class=\"container\">"+"<p><t1>Old Browser!<br><br></t1>"+"<t2>This message will be displayed because your browser does not support any of the encryption options we use."+"<br>"+"Please update your Browser and try to access the website again.</t2>"+"<br><br>"+"<t3>Your Companyname<br>Your Company Address<br>Your Company City<br><br>Telephone: Your Company Telephone number</t3>"+"<br><br><a href=\"https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL.PATH_AND_QUERY+"\" class=\"button\">Go to Website</a></p></div>"+"\r\n"|

 

Create Responder Policy:
add responder policy pol_rsp_TLS "CLIENT.SSL.VERSION.EQ(0x303).NOT && HTTP.REQ.COOKIE.CONTAINS(\"WrongTLSAccepted=true\").NOT && HTTP.REQ.HOSTNAME.EQUALS_ANY(\"pattset_TLS_NoPage\").NOT" act_rsp_TLS
