

Citrix Netscaler weak ciphers

Posted on 2011-03-24
Medium Priority
Last Modified: 2016-10-25
My PCI compliance test failed with weak and medium ciphers.
I suspect the problem is with the NetScaler VPX we are using.

NS9.2: Build,

Can someone walk me through how to check that I am using SSL v3 only, and where I can disable weak ciphers and use only strong ones from the NetScaler web interface?

I need a step-by-step as I am not familiar with configuring the NetScaler.

Question by:mrbrain646

Expert Comment

ID: 35214101

Sounds like your ASV has politely "shafted" you here IMHO. When identifying vulnerabilities, they should also supply a solution or mitigation - you or anyone could do the scan yourself if you only had to find holes!

Did they give you a report? (Not asking you to share it, it's confidential). Within it there should be information on the weak cipher support, and what port it was found on, leading you to the affected service, and the suggested solution should be there.

If not, I think you'll have to contact the vendor (so try to confirm it is Citrix first if you're unsure). They should either be able to advise of a fix, or provide one - and remember if it's causing you to fail PCI-DSS compliance, you won't be alone, so a fix should be forthcoming.
If this were Windows/IIS or similar, the change can be made in the registry, but not likely to work in this case.

For reference we had this issue with one product - HP System Management Homepage, part of the core SmartStart stuff lobbed on an HP server during build. The only solution was to get rid of it because the vendor couldn't provide instructions on how to drop weak cipher support. Much easier to do with superfluous management tools than what you're talking about though!

Best of luck - if I can help further just ask.

Expert Comment

ID: 35939702

Would it be possible to paste the result of "sh lic" from the CLI? You can find access to this from "System - diagnostics - command line interface" if you are using the GUI.

This will let us know if the virtual device has been licensed correctly.  Due to export laws, the NetScaler doesn't enable all of the encryption cyphers until it has been licensed.



Accepted Solution

mrbrain646 earned 0 total points
ID: 36417493
Security Metrics has excluded the weak ciphers from the scan as a false positive


Expert Comment

ID: 36902232
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.