nexxtep
asked on
Disable RC4/weak ciphers, Citrix Secure Gateway 3.3.2, PCI compliance
Running a Windows 2008 R2 box with Citrix Secure Gateway 3.2, trying to pass a PCI scan that notes weak ciphers.
TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK
I believe these are the ciphers that Citrix Secure Gateway uses for the COM cipher suite.
I have done the below to address the issue, but the weak cipher finding continues to be a problem.
1. Set Citrix to 'limit cipher suites to stream ciphers only' to prevent POODLE, which works (POODLE is no longer a finding), but I believe Citrix is using:
TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK
http://discussions.citrix.com/topic/325412-citrix-secure-gateway-33-pci-compliance-failed/
2. Disabled RC4 ciphers using IISCrypto and verified the settings in the registry under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers.
Ensured the RC4 128/128 key existed with the DWORD value 'Enabled' set to 0x0; these keys exist for all RC4 variants (64/128, 56/128, etc.). Also ensured hotfix 2868725 was applied.
https://support.microsoft.com/en-us/kb/245030
https://technet.microsoft.com/en-us/library/security/2868725.aspx
3. Enabled Local Group Policy for SSL, setting the cipher order and removing all RC4 ciphers.
Tried setting Secure Gateway to only use Gov ciphers (SSL_RSA_WITH_3DES_EDE_CBC_SHA), but this setting makes my site unavailable. Had to re-enable COM ciphers.
I am not 100% confident that I can effectively remove RC4 with Citrix Secure Gateway 3.3.2 in use. Does anyone have insight into how to prevent the weak cipher findings?
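Added example (not from the original post, and not the fix the asker eventually arrived at): a PowerShell script that performs the SCHANNEL registry step from item 2, verifies the result the way a practitioner would before re-running the scan, and lists any RC4 suites left in the Group Policy cipher order from item 3. The function names and the 'RC4 40/128' entry are my additions; the other key names and paths are the standard SCHANNEL locations. One caveat the script handles: the cipher key names contain '/', which the PowerShell registry provider treats as a path separator, so `New-Item "...\RC4 128/128"` silently creates nested keys instead of the one SCHANNEL reads; the .NET registry API avoids that.

```powershell
# Added example: disable SCHANNEL RC4 ciphers on Windows 2008 R2 and verify the state.
# Run from an elevated PowerShell. SCHANNEL reads these keys at boot, so reboot
# before re-scanning. Written for PowerShell 2.0 (the 2008 R2 default).
# Assumption: standard SCHANNEL key names; nothing here changes what Citrix itself
# negotiates beyond what SCHANNEL honours.

$CiphersSubKey = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$Rc4KeyNames   = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'
$SslPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Disable-Rc4Ciphers {
    # Use the .NET API rather than New-Item: the key names contain '/', which the
    # registry provider would split into nested keys ("RC4 128" -> "128").
    $hklm    = [Microsoft.Win32.Registry]::LocalMachine
    $ciphers = $hklm.CreateSubKey($CiphersSubKey)   # opens if present, creates if not
    try {
        foreach ($name in $Rc4KeyNames) {
            $key = $ciphers.CreateSubKey($name)
            try {
                $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            } finally { $key.Close() }
        }
    } finally { $ciphers.Close() }
}

function Test-Rc4Disabled {
    # One object per RC4 key. A missing key means the SCHANNEL default, i.e. RC4 enabled,
    # so 'Disabled' is only true when the key exists and Enabled is exactly 0.
    $hklm    = [Microsoft.Win32.Registry]::LocalMachine
    $ciphers = $hklm.OpenSubKey($CiphersSubKey)
    foreach ($name in $Rc4KeyNames) {
        $enabled = $null
        if ($ciphers) {
            $key = $ciphers.OpenSubKey($name)
            if ($key) { $enabled = $key.GetValue('Enabled'); $key.Close() }
        }
        New-Object PSObject -Property @{
            Cipher   = $name
            KeyFound = ($enabled -ne $null)
            Enabled  = $enabled
            Disabled = ($enabled -eq 0)
        }
    }
    if ($ciphers) { $ciphers.Close() }
}

function Get-SslCipherOrderRc4Entries {
    # Item 3 of the post: the Group Policy "SSL Cipher Suite Order" is stored as a
    # comma-separated REG_SZ named 'Functions'. Any RC4 suite still listed is a finding.
    $functions = (Get-ItemProperty -Path $SslPolicyPath -Name Functions `
                  -ErrorAction SilentlyContinue).Functions
    if (-not $functions) { return @() }
    @($functions -split ',' | Where-Object { $_ -match 'RC4' })
}

Disable-Rc4Ciphers
Test-Rc4Disabled | Select-Object Cipher, KeyFound, Enabled, Disabled | Format-Table -AutoSize
Get-SslCipherOrderRc4Entries
# The hotfix the post mentions (needed on 2008 R2 for RC4 to be disableable at all):
Get-HotFix -Id KB2868725 -ErrorAction SilentlyContinue
```

After the reboot, verify from the outside rather than trusting the registry, since the asker reports the scanner kept flagging 0x0004 and 0x0005 even with these keys in place: `nmap --script ssl-enum-ciphers -p 443 <gateway>` lists exactly which suites the listener still accepts, which is the same view the PCI scanner has.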
Sorry I couldn't help more. I don't have access to any site that has that deployed anymore and haven't in many years, so I don't recall all of the options. Good find with the gov ciphers.
ASKER
I was able to solve the issue myself via trial and error. Other recommendations did not fix the actual issue, but rather recommended going with an up-to-date product, which is the ultimate resolution.
https://www.citrix.com/support/product-lifecycle/legacy-product-matrix.html
I think the VPX (Express) will likely fit your needs and would recommend exploring that option.
http://www.brianmadden.com/blogs/guestbloggers/archive/2013/03/27/with-citrix-ag-and-csg-going-away-how-far-can-you-get-with-netscaler-vpx-the-answer-pretty-far.aspx
https://support.citrix.com/servlet/KbServlet/download/20334-102-696697/CTX121291_v2.pdf