IBM Cloud Docs
Create and apply a new cipher suite

A cipher suite is a combination of authentication, encryption, message authentication code (MAC), and key exchange algorithms that is used to negotiate the security settings for the SSL and TLS protocols.

To ensure proper authentication, you must make sure that the Citrix NetScaler VPX uses the best cipher combination.

To learn more about SSL cipher suites and other best practices, visit the following links:

To create a new cipher suite that prioritizes AEAD, ECDHE, and ECDSA ciphers, complete the following procedure:

  1. In the Citrix VPX CLI, enter the following commands together and make sure that all of them are applied:

        add ssl cipher SSLLABS
        bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
        bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
        bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
        bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
        bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
        bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
        bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
        bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
        bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
        bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
        bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-RSA-AES128-SHA
        bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-RSA-AES256-SHA
        bind ssl cipher SSLLABS -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
        bind ssl cipher SSLLABS -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
        bind ssl cipher SSLLABS -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
        bind ssl cipher SSLLABS -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
        bind ssl cipher SSLLABS -cipherName TLS1-AES-128-CBC-SHA
        bind ssl cipher SSLLABS -cipherName TLS1-AES-256-CBC-SHA

    The syntax of the preceding commands is as follows:

        add ssl cipher <cipherGroupName>
        bind ssl cipher <cipherGroupName> -cipherName <string>

  2. Confirm that the ciphers were added to the Citrix NetScaler VPX:

        > show ssl cipher SSLLABS
        1)      Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256       Priority : 1
                Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES-GCM(128) Mac=AEAD   HexCode=0xc02b
        2)      Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384       Priority : 2
                Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES-GCM(256) Mac=AEAD   HexCode=0xc02c
        3)      Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-SHA256   Priority : 3
                Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES(128)  Mac=SHA-256   HexCode=0xc023
        4)      Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-SHA384   Priority : 4
                Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES(256)  Mac=SHA-384   HexCode=0xc024
        5)      Cipher Name: TLS1-ECDHE-ECDSA-AES128-SHA        Priority : 5
                Description: SSLv3 Kx=ECC-DHE  Au=ECDSA Enc=AES(128)  Mac=SHA1   HexCode=0xc009
        6)      Cipher Name: TLS1-ECDHE-ECDSA-AES256-SHA        Priority : 6
                Description: SSLv3 Kx=ECC-DHE  Au=ECDSA Enc=AES(256)  Mac=SHA1   HexCode=0xc00a
        7)      Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 Priority : 7
                Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES-GCM(128) Mac=AEAD   HexCode=0xc02f
        8)      Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 8
                Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES-GCM(256) Mac=AEAD   HexCode=0xc030
        9)      Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256    Priority : 9
                Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES(128)  Mac=SHA-256   HexCode=0xc027
        10)     Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384    Priority : 10
                Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES(256)  Mac=SHA-384   HexCode=0xc028
        11)     Cipher Name: TLS1-ECDHE-RSA-AES128-SHA  Priority : 11
                Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=AES(128)  Mac=SHA1   HexCode=0xc013
        12)     Cipher Name: TLS1-ECDHE-RSA-AES256-SHA  Priority : 12
                Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0xc014
        13)     Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256   Priority : 13
                Description: TLSv1.2 Kx=DH       Au=RSA  Enc=AES-GCM(128) Mac=AEAD   HexCode=0x009e
        14)     Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384   Priority : 14
                Description: TLSv1.2 Kx=DH       Au=RSA  Enc=AES-GCM(256) Mac=AEAD   HexCode=0x009f
        15)     Cipher Name: TLS1-DHE-RSA-AES-128-CBC-SHA       Priority : 15
                Description: SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1   HexCode=0x0033
        16)     Cipher Name: TLS1-DHE-RSA-AES-256-CBC-SHA       Priority : 16
                Description: SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0x0039
        17)     Cipher Name: TLS1-AES-128-CBC-SHA       Priority : 17
                Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1   HexCode=0x002f
        18)     Cipher Name: TLS1-AES-256-CBC-SHA       Priority : 18
                Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0x0035
        Done

  3. Unbind the default cipher group from the virtual server and bind the custom group that you created in the previous step:

        unbind ssl vserver https_vip2 -cipherName DEFAULT
        bind ssl vserver https_vip2 -cipherName SSLLABS
        bind ssl vserver https_vip2 -eccCurveName ALL

    The syntax of the preceding commands is as follows:

        unbind ssl vserver <vServerName> -cipherName <string>
        bind ssl vserver <vServerName> -cipherName <string>
        bind ssl vserver <vServerName> -eccCurveName <eccCurveName>

  4. Confirm the changes on the virtual server:

        > show ssl vserver https_vip2

        [OUTPUT OMITTED]
                ECC Curve: P_256, P_384, P_224, P_521

        1)      CertKey Name: hsmclient7ns      Server Certificate

        1)      Cipher Name: SSLLABS
                Description: User Created Cipher Group
        Done

  5. (Optional) Enable HTTP redirection so that users who make an HTTP request (rather than an HTTPS request) are redirected to the secure website.

    For configuration instructions, see How to configure HTTP to HTTPS redirect on NetScaler.

  6. Open a web browser and enter the FQDN to test the HTTPS connection. The content that the website loads is rendered by the HTTP service behind the Citrix VPX.

    You can also view the certificate details by clicking the padlock icon next to the URL in the browser to display the certificate information.

    If you configured the redirect in step 5, the secure website loads when you use an HTTP request.
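As an added check (example code written for this page, not part of the IBM or Citrix documentation), the following Python script parses the `show ssl cipher` output from step 2, flags ciphers that lack forward secrecy (static RSA key exchange) or use a SHA1 MAC, and reports any entry that is ranked below a weaker class of cipher. The sample output is a constructed four-entry excerpt in the same layout as the page's listing; the strength classes are the script's own assumption (forward-secret AEAD, then forward-secret CBC, then static RSA).

```python
import re

# Constructed sample in the layout printed by `show ssl cipher <group>` (abridged to 4 entries).
SAMPLE_OUTPUT = """\
1)      Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256       Priority : 1
        Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES-GCM(128) Mac=AEAD   HexCode=0xc02b
2)      Cipher Name: TLS1-ECDHE-RSA-AES128-SHA  Priority : 2
        Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=AES(128)  Mac=SHA1   HexCode=0xc013
3)      Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256   Priority : 3
        Description: TLSv1.2 Kx=DH       Au=RSA  Enc=AES-GCM(128) Mac=AEAD   HexCode=0x009e
4)      Cipher Name: TLS1-AES-128-CBC-SHA       Priority : 4
        Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1   HexCode=0x002f
Done
"""

# One entry spans two lines: the "Cipher Name ... Priority" line and the "Description" line.
ENTRY_RE = re.compile(
    r"Cipher Name:\s*(?P<name>\S+)\s+Priority\s*:\s*(?P<prio>\d+)\s*\n"
    r"\s*Description:\s*(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)\s+HexCode=(?P<hex>\S+)"
)

def parse_cipher_group(text):
    """Parse `show ssl cipher` output into dicts, in the listed priority order."""
    entries = [m.groupdict() for m in ENTRY_RE.finditer(text)]
    for e in entries:
        e["prio"] = int(e["prio"])
    return entries

def strength_class(c):
    """0 = best. Assumed ordering: forward-secret AEAD, forward-secret CBC, static RSA key exchange."""
    forward_secret = c["kx"] in ("ECC-DHE", "DH")
    if forward_secret and c["mac"] == "AEAD":
        return 0
    if forward_secret:
        return 1
    return 2

def audit(entries):
    """Return human-readable findings: weak properties, plus any weaker class ranked above a stronger one."""
    findings = []
    for c in entries:
        if c["kx"] == "RSA":
            findings.append(f"{c['name']}: static RSA key exchange, no forward secrecy")
        if c["mac"] == "SHA1":
            findings.append(f"{c['name']}: SHA1 MAC (CBC mode, no AEAD)")
    # Priorities are listed in order, so compare each entry with its predecessor.
    for prev, cur in zip(entries, entries[1:]):
        if strength_class(cur) < strength_class(prev):
            findings.append(f"{cur['name']} (priority {cur['prio']}) is ranked below weaker {prev['name']}")
    return findings

if __name__ == "__main__":
    for line in audit(parse_cipher_group(SAMPLE_OUTPUT)):
        print(line)
```

Paste the real `show ssl cipher SSLLABS` output in place of the sample to audit the group actually bound to the virtual server.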