amigan_99
asked on
Netscaler - multiple elliptic curve lines of config for each SSL VIP - why?
When I look at the elliptic curve information for some VIPs in my Netscaler Load Balancer - I see
that there might be four or five lines dedicated to elliptic curves. I forget the numbers
but one might be 128, 164, then 256, then 324 - let's say. Now I understand the larger the
number the higher the encryption level. But why would a vip have several elliptic curves
associated with it instead of just one?
ASKER
I think you must be referring to RSA keying. The elliptic curve figures on the Netscaler appliance are much smaller. An example is below.
bind ssl vserver mobygrape -eccCurveName P_256
bind ssl vserver mobygrape -eccCurveName P_384
bind ssl vserver mobygrape -eccCurveName P_224
bind ssl vserver mobygrape -eccCurveName P_521
So the question is - why would I need to bind mobygrape to four different eccCurveNames?
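An added illustration of what is being negotiated (this is example code written for this page, not from the thread or from Citrix): in the TLS handshake the client lists the curves it supports in the supported_groups extension, and the server can only complete an ECDHE key exchange on a curve that both sides have. A VIP with a single bound curve turns away any client whose list does not contain it; binding P_224, P_256, P_384 and P_521 lets the same VIP serve clients with different lists. The mapping of `-eccCurveName` values to IANA group ids, the constructed client lists, and the client-preference selection order are assumptions made for the simulation, not documented NetScaler behaviour.

```python
"""
Simulate TLS curve selection against a set of NetScaler -eccCurveName
bindings. Example code for illustration; the selection rule (first
client-offered group the server has bound) is an assumption, not the
appliance's documented algorithm.
"""
import struct

# IANA "TLS Supported Groups" registry values (RFC 8422 / RFC 8446).
NAMED_GROUPS = {
    21: "secp224r1",
    23: "secp256r1",
    24: "secp384r1",
    25: "secp521r1",
    29: "x25519",
    30: "x448",
}

# Assumed mapping of NetScaler -eccCurveName values to IANA group ids.
NETSCALER_CURVES = {
    "P_224": 21,
    "P_256": 23,
    "P_384": 24,
    "P_521": 25,
}


def build_supported_groups(groups):
    """Encode a supported_groups extension body: u16 list length, then u16 ids."""
    body = b"".join(struct.pack("!H", g) for g in groups)
    return struct.pack("!H", len(body)) + body


def parse_supported_groups(data):
    """Decode a supported_groups extension body into an ordered list of group ids."""
    if len(data) < 2:
        raise ValueError("extension body too short")
    (length,) = struct.unpack("!H", data[:2])
    if length % 2 or len(data) != 2 + length:
        raise ValueError("bad supported_groups length")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + length, 2)]


def select_curve(bound_curves, client_ext):
    """Return the NetScaler curve name the handshake would use, or None if no
    client-offered group matches a bound curve (ECDHE cannot proceed)."""
    server_groups = {NETSCALER_CURVES[name]: name for name in bound_curves}
    for group in parse_supported_groups(client_ext):
        if group in server_groups:
            return server_groups[group]
    return None


# Constructed client profiles (not captured traffic): each offers a different
# supported_groups list, as real browsers and libraries do.
CLIENTS = {
    "modern browser": [29, 23, 24],   # x25519, secp256r1, secp384r1
    "P-384/P-521 only client": [25, 24],
    "x25519/x448 only client": [29, 30],
}


def negotiation_table(bound_curves):
    """Map each constructed client to the curve it would get against bound_curves."""
    return {name: select_curve(bound_curves, build_supported_groups(groups))
            for name, groups in CLIENTS.items()}


if __name__ == "__main__":
    for bindings in (["P_256"], ["P_256", "P_384", "P_224", "P_521"]):
        print("bound:", bindings)
        for client, curve in negotiation_table(bindings).items():
            print(f"  {client:28s} -> {curve or 'handshake fails (no common curve)'}")
```

With only `P_256` bound, the second client cannot complete the handshake; with the four bindings from the thread it gets `P_521`. The third client shows the other side of the point: a curve the appliance has no binding for (here X25519/X448, which do not appear among the page's `-eccCurveName` values) cannot be served however many of the P_* curves are bound.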
ASKER
Thanks much. It's a little thing I've always wondered!
A certificate-key pair is required for HTTPS access to the NetScaler configuration utility. On a NetScaler ADC, a certificate-key pair is automatically bound to the internal services. On an MPX or SDX appliance, the default key size is 1024 bytes, and on a VPX instance, the default key size is 512 bytes. However, most browsers today do not accept a key that is less than 1024 bytes. As a result, HTTPS access to the VPX configuration utility is blocked.
Citrix recommends that you install a certificate-key pair of at least 1024 bytes and bind it to the internal service for HTTPS access to the configuration utility or update the ns-server-certificate to 1024 bytes. You can use HTTP access to the configuration utility or the NetScaler command line to install the certificate.