Solved

SSLv3 Protocol Flaw on NetScaler

Posted on 2014-10-22
1
1,353 Views
Last Modified: 2016-10-25
Hello,

I have some sites configured on NetScaler 9.3 under Load Balancing and also under GSLB. I am trying to disable SSLv3 and I followed support article http://support.citrix.com/article/CTX200238.

I am also testing my site thru https://www.ssllabs.com/ssltest/index.html but eventhough I disable ssl3 on vserver and service still its coming back Grade F. Insecure Client-Initiated Renegotiation Supported   INSECURE

Any suggestions, do I need to run command for SNIP/MIP, I am doing this for individual site for testing.

Thanks a lot.
0
Comment
Question by:nabeel65
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40398568
probably the citrix need to verify or restart service to ensure config is active. also make sure the actual web/app server does not have sslv3 as well as its front end facing profile NS is just another proxy unless it is terminating SSL on behalf then it is NS that is likely still having the sslv3. also check the server cert presented on browser and see if ssl still used.
https://msandbu.wordpress.com/2014/10/15/citrix-netscaler-and-ssl3-poodle-exploit/

note - If I have other load balanced vServer I can also disable SSL for these vServers, but it is important to check if the clients that are connecting actually support TLS.

also note the rating scheme update in ssltest and it alos includ ethe poodle test as per the sslv3 that greatly impact why you have a F grade https://scotthelme.co.uk/a-plus-rating-qualys-ssl-test/
0
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Ever wonder what it's like to get hit by ransomware? "Tom" gives you all the dirty details first-hand – and conveys the hard lessons his company learned in the aftermath.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question