Citrix Netscaler weak ciphers

My PCI compliance test failed with weak and medium ciphers.
I suspect the problem is with the netscaler vpx we are using

NS9.2: Build,

Can someone walk me through to check i am using ssl v3 only and where i can disable weak ciphers and use only strong ones from the netscaler web interface?

I need a step by step as i am not familiar with configuring the netscaler

Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

mrbrain646Connect With a Mentor Author Commented:
Security Metrics has excluded the weak ciphers from the scan as a false positive


Sounds like your ASV has politely "shafted" you here IMHO. When identifying vulnerabilities, they should also supply a solution or mitigation - you or anyone could do the scan yourself if you only had to find holes!

Did they give you a report? (Not asking you to share it, it's confidential). Within it there should be information on the weak cipher support, and what port it was found on, leading you to the affected service, and the suggested solution should be there.

If not, I think you'll have to contact the vendor (so try to confirm it is Citrix first if you're unsure). They should either be able to advise of a fix, or provide one - and remember if it's causing you to fail PCI-DSS compliance, you won't be alone, so a fix should be forthcoming.
If this were Windows/IIS or similar, the change can be made in the registry, but not likely to work in this case.

For reference we had this issue with one product - HP System Management Homepage, part of the core SmartStart stuff lobbed on a HP server during build. The only solution was to get rid of it because teh vendor couldn't provide instructions on how to drop weak cipher support. Much easier to do with superfluous management tools than what you're talking about though!

Best of luck - if I can help further just ask.

Would it be possible to paste the result of "sh lic" from the cli,  You can find access to this from "System - diagnostics - command line interface" if you are using the gui.

This will let us know if the virtual device has been licensed correctly.  Due to export laws, the NetScaler doesn't enable all of the encryption cyphers until it has been licensed.


This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
All Courses

From novice to tech pro — start learning today.