Solved

SSLv3 Protocol Flaw on NetScaler

Posted on 2014-10-22
Last Modified: 2016-10-25
Hello,

I have some sites configured on NetScaler 9.3 under Load Balancing and also under GSLB. I am trying to disable SSLv3 and I followed support article http://support.citrix.com/article/CTX200238.

I am also testing my site through https://www.ssllabs.com/ssltest/index.html, but even though I disable SSL3 on the vserver and service, it is still coming back Grade F: "Insecure Client-Initiated Renegotiation Supported INSECURE".

Any suggestions? Do I need to run the command for SNIP/MIP? I am doing this for an individual site for testing.

Thanks a lot.
Question by:nabeel65
Accepted Solution

by:
btan earned 1500 total points
ID: 40398568
Probably the Citrix needs to verify or restart the service to ensure the config is active. Also make sure the actual web/app server does not have SSLv3, as well as its front-end-facing profile. NS is just another proxy, unless it is terminating SSL on behalf; then it is NS that is likely still having the SSLv3. Also check the server cert presented on the browser and see if SSL is still used.
https://msandbu.wordpress.com/2014/10/15/citrix-netscaler-and-ssl3-poodle-exploit/

Note: if I have other load-balanced vServers, I can also disable SSL for these vServers, but it is important to check if the clients that are connecting actually support TLS.

Also note the rating scheme update in ssltest; it also includes the POODLE test as per the SSLv3, which greatly impacts why you have an F grade: https://scotthelme.co.uk/a-plus-rating-qualys-ssl-test/