11.2.4.19. How to specify the encryption scheme of SSL communication (TLS1.2-DHE-RSA-AES-256-SHA256)

Operation Confirmed Version:
 Citrix NetScaler VPX Version 11.0 Build 67.12 Standard Edition
This section describes how to change the cipher suite (encryption scheme) used for SSL communication.
If the encryption strength is weak, the communication cannot be kept confidential and is at higher risk of interception or tampering. The client (user) side must also support the selected cipher suite for communication to take place.

Presumed case for sample setting

  • Set the cipher suite to TLS1.2-DHE-RSA-AES-256-SHA256, connect from the client with OpenSSL, and confirm that the connection uses the specified cipher suite.

Note

In this scenario, a 2048-bit DH key prepared in advance is used, and the key exchange is performed with the DH method.

Configuration diagram
Fig18901
Select the Virtual Server to change the setting and click the [ Edit ] button.
Fig18902
The details screen of the Virtual Server will be displayed. Click the Edit icon in [ SSL Ciphers ].

Note

If items of SSL Ciphers are not displayed, select [ +SSL Ciphers ] from [ Advanced Settings ] in the right side of the screen.

Fig18903
Specify the following cipher suite on the SSL Ciphers screen.

Setting Items   Setting value
Configured      TLS1.2-DHE-RSA-AES-256-SHA256 (cipher suite to specify)

Click the [ +Add ] button from the SSL Ciphers screen.
Fig18904
The List of Available Ciphers screen will be displayed. Select [ TLS1.2-DHE-RSA-AES-256-SHA256 ] from [ ALL ] and click the right triangle to move the target [ Cipher Suite ] to [ Configured ].
Fig18905
The specified cipher suite is added on the right side. Delete the [ DEFAULT ] entry that is already set by clicking the “-” mark.
Fig18906

Note

Since only the specified cipher suite [ TLS1.2-DHE-RSA-AES-256-SHA256 ] is to be used, the other entries are removed from the settings.

When the additions on the right side of the screen are complete, click [ OK ].
Fig18907

Note

It is also possible to select multiple cipher suites here. Multiple cipher suites can be enabled by adding each one you want to use to the right side of the screen.

The details screen of the Virtual Server will be displayed. Check that [ TLS1.2-DHE-RSA-AES-256-SHA256 ] is displayed in [ Configured ] of [ SSL Ciphers ].
Fig18908
Click the Edit icon in [ SSL Parameters ] to set the DH key.
Fig18909

Note

If items of SSL Parameters are not displayed, select [ +SSL Parameters ] from [ Advanced Settings ] in the right side of the screen.

Make the following settings on the SSL Parameters screen and click the [ OK ] button.

Setting Items     Setting value
Enable DH Param   Check mark
File Path         Specify the DH key from the [ Browse ] button.

Fig18910
You are returned to the SSL Parameters screen. Click the [ Done ] button at the bottom right of the page.
Fig18911
On the Virtual Server screen, check that the target's [ State ] and [ Effective State ] are [ Up ].
Fig18912
This completes the setting of the cipher suite for SSL communication.

Connection check with OpenSSL

From the virtual PC, execute the following OpenSSL command against the Virtual Server.

openssl s_client -connect 192.168.200.200:443 -showcerts

[ Execution Result ]
Fig18913
It was confirmed that the connection uses the specified cipher suite.
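The manual check above reads the negotiated cipher off the s_client output by eye. The script below, an added example and not part of the original page or of Citrix's own tooling, automates the same check: it reduces the s_client output to the negotiated protocol and cipher, compares it with the expected suite, and additionally confirms that a handshake offering only a suite outside the configured list is refused. It assumes the Virtual Server address used on this page (192.168.200.200:443) and that the configured NetScaler suite TLS1.2-DHE-RSA-AES-256-SHA256 is the one OpenSSL lists as DHE-RSA-AES256-SHA256; the target can be overridden as the first argument.

```shell
#!/bin/sh
# Added example (not from the original page): verify from a client that the
# virtual server negotiates exactly the configured cipher suite.
# Assumed target and expected suite; the NetScaler name
# TLS1.2-DHE-RSA-AES-256-SHA256 appears in OpenSSL as DHE-RSA-AES256-SHA256.
DEFAULT_TARGET="192.168.200.200:443"
EXPECTED_PROTO="TLSv1.2"
EXPECTED_CIPHER="DHE-RSA-AES256-SHA256"

# Reduce openssl s_client output (stdin) to "<protocol> <cipher>", taken from
# the SSL-Session block, which prints lines such as
#   "    Protocol  : TLSv1.2" and "    Cipher    : DHE-RSA-AES256-SHA256".
parse_negotiated() {
  awk '/^ *Protocol *:/ { p = $NF } /^ *Cipher *:/ { c = $NF } END { print p, c }'
}

# Return 0 when a "<protocol> <cipher>" string equals the expected pair.
matches_expected() {
  [ "$1" = "$EXPECTED_PROTO $EXPECTED_CIPHER" ]
}

# Positive check: connect, read the negotiated parameters, compare.
# Exit status 0 = the server negotiated exactly the expected suite.
check_server() {
  target="${1:-$DEFAULT_TARGET}"
  negotiated=$(openssl s_client -connect "$target" -tls1_2 </dev/null 2>/dev/null \
               | parse_negotiated)
  if matches_expected "$negotiated"; then
    echo "OK: $target negotiated $negotiated"
  else
    echo "FAIL: $target negotiated '$negotiated', expected $EXPECTED_PROTO $EXPECTED_CIPHER" >&2
    return 1
  fi
}

# Negative check: a TLS 1.2 handshake that offers only a suite outside the
# configured list (AES128-SHA here) must be refused by the server.
# Exit status 0 = the server rejected it, i.e. DEFAULT was really removed.
check_rejects_other() {
  target="${1:-$DEFAULT_TARGET}"
  if openssl s_client -connect "$target" -tls1_2 -cipher "AES128-SHA" \
       </dev/null >/dev/null 2>&1; then
    echo "FAIL: $target accepted AES128-SHA, the cipher list is not restricted" >&2
    return 1
  fi
  echo "OK: $target refused AES128-SHA"
}

# Run both checks only when a target is given on the command line.
if [ -n "${1:-}" ]; then
  check_server "$1" && check_rejects_other "$1"
fi
```

Run it as `sh check_cipher.sh 192.168.200.200:443`; a non-zero exit status means either that a different suite was negotiated or that the server still accepted a suite outside the configured list. Both checks pin the protocol to TLS 1.2 with `-tls1_2` so that, on a newer OpenSSL client, TLS 1.3 suites are not offered and the result reflects only the TLS 1.2 cipher list that was configured here.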