Create and apply a new cipher suite
A cipher suite is a combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings of an SSL/TLS connection.
To make sure the TLS endpoint is properly protected, ensure that the Citrix Netscaler VPX offers only a well-chosen combination of ciphers, in the right order of preference.
For more information about SSL cipher suites and other best practices, visit the following link:
To create a new cipher group that prioritizes AEAD, ECDHE and ECDSA ciphers, perform the following procedure. Note that the group below keeps the CBC/SHA1 ciphers and, at the very end, the static RSA key exchange ciphers (which provide no forward secrecy) only for compatibility with older clients; drop them if every client you must support can negotiate the ECDHE ciphers.
-
In the Citrix VPX CLI, enter the following commands and make sure all of them are applied. The order in which the ciphers are bound determines their priority, so bind the preferred ciphers first:
add ssl cipher SSLLABS
bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher SSLLABS -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher SSLLABS -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher SSLLABS -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher SSLLABS -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher SSLLABS -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher SSLLABS -cipherName TLS1-AES-256-CBC-SHA
The syntax of the preceding commands is as follows:
add ssl cipher <cipherGroupName>
bind ssl cipher <cipherGroupName> -cipherName <string>
-
Verify that the ciphers have been added to the Citrix Netscaler VPX, and that the Priority column reflects the intended order:
> show ssl cipher SSLLABS
1) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 Priority : 1 Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02b
2) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 Priority : 2 Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc02c
3) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-SHA256 Priority : 3 Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA-256 HexCode=0xc023
4) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-SHA384 Priority : 4 Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(256) Mac=SHA-384 HexCode=0xc024
5) Cipher Name: TLS1-ECDHE-ECDSA-AES128-SHA Priority : 5 Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA1 HexCode=0xc009
6) Cipher Name: TLS1-ECDHE-ECDSA-AES256-SHA Priority : 6 Description: SSLv3 Kx=ECC-DHE Au=ECDSA Enc=AES(256) Mac=SHA1 HexCode=0xc00a
7) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 Priority : 7 Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02f
8) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 8 Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc030
9) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256 Priority : 9 Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256 HexCode=0xc027
10) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384 Priority : 10 Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384 HexCode=0xc028
11) Cipher Name: TLS1-ECDHE-RSA-AES128-SHA Priority : 11 Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA1 HexCode=0xc013
12) Cipher Name: TLS1-ECDHE-RSA-AES256-SHA Priority : 12 Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA1 HexCode=0xc014
13) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256 Priority : 13 Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=AEAD HexCode=0x009e
14) Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384 Priority : 14 Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(256) Mac=AEAD HexCode=0x009f
15) Cipher Name: TLS1-DHE-RSA-AES-128-CBC-SHA Priority : 15 Description: SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 HexCode=0x0033
16) Cipher Name: TLS1-DHE-RSA-AES-256-CBC-SHA Priority : 16 Description: SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 HexCode=0x0039
17) Cipher Name: TLS1-AES-128-CBC-SHA Priority : 17 Description: SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 HexCode=0x002f
18) Cipher Name: TLS1-AES-256-CBC-SHA Priority : 18 Description: SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 HexCode=0x0035
Done
-
Unbind the DEFAULT cipher group from the virtual server and bind the custom group created in the previous step; also bind the ECC curves so that the ECDHE ciphers can actually be negotiated:
unbind ssl vserver https_vip2 -cipherName DEFAULT
bind ssl vserver https_vip2 -cipherName SSLLABS
bind ssl vserver https_vip2 -eccCurveName ALL
The syntax of the preceding commands is as follows:
unbind ssl vserver <vServerName> -cipherName <string>
bind ssl vserver <vServerName> -cipherName <string>
bind ssl vserver <vServerName> -eccCurveName <eccCurveName>
-
Verify the change on the virtual server. The output should list only the SSLLABS cipher group (DEFAULT must no longer appear) together with the bound ECC curves:
> show ssl vserver https_vip2
[OUTPUT OMITTED]
ECC Curve: P_256, P_384, P_224, P_521
1) CertKey Name: hsmclient7ns Server Certificate
1) Cipher Name: SSLLABS Description: User Created Cipher Group
Done
-
(Optional) Enable HTTP redirection so that a user who sends a plain HTTP request (rather than HTTPS) is redirected to the secure site.
For configuration instructions, see How to configure HTTP to HTTPS redirection on NetScaler.
-
Open a web browser, enter the FQDN and test the HTTPS connection. The content the site loads is rendered by the HTTP service behind the Citrix VPX.
You can also view the certificate details by clicking the padlock icon next to the URL in the browser.
If redirection was configured in step 5, the secure site also loads when the request is made over plain HTTP.
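When this procedure is repeated on many appliances, or reviewed after someone edits the group, it helps to check the output of show ssl cipher mechanically rather than by eye. The following Python script is an added example (it is not Citrix code and not part of the original guide): it parses the show ssl cipher output format shown above, checks the group against the ordering policy the procedure aims for (forward-secret key exchange ranked above static RSA, AEAD ciphers ranked above MAC-based ciphers within each key exchange/authentication pairing, contiguous priorities, no weak primitives), and can regenerate the add/bind commands in the verified order. The embedded sample output is constructed from a subset of the entries shown in step 2; the policy thresholds, the KX_RANK table and the WEAK_TOKENS list are assumptions of this example, not NetScaler settings.

```python
import re

# Constructed sample: a subset of the `show ssl cipher SSLLABS` output from
# the procedure, in the same order in which the ciphers were bound.
SAMPLE_SHOW_OUTPUT = """\
> show ssl cipher SSLLABS
1) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 Priority : 1 Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02b
2) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-SHA256 Priority : 2 Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES(128) Mac=SHA-256 HexCode=0xc023
3) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 Priority : 3 Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02f
4) Cipher Name: TLS1-ECDHE-RSA-AES128-SHA Priority : 4 Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA1 HexCode=0xc013
5) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256 Priority : 5 Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=AEAD HexCode=0x009e
6) Cipher Name: TLS1-DHE-RSA-AES-128-CBC-SHA Priority : 6 Description: SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 HexCode=0x0033
7) Cipher Name: TLS1-AES-128-CBC-SHA Priority : 7 Description: SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 HexCode=0x002f
Done
"""

# One entry per "N) Cipher Name: ... HexCode=0x...." line of the show output.
ENTRY_RE = re.compile(
    r"\d+\)\s+Cipher Name:\s+(?P<name>\S+)\s+Priority\s*:\s*(?P<prio>\d+)\s+"
    r"Description:\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)\s+HexCode=(?P<hex>0x[0-9a-fA-F]+)"
)

# Assumed policy: forward-secret key exchanges rank above static RSA.
KX_RANK = {"ECC-DHE": 0, "DH": 1, "RSA": 2}
# Assumed deny-list of primitives that must not appear in a cipher name.
WEAK_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "EXP-", "MD5")


def parse_show_ssl_cipher(text):
    """Turn `show ssl cipher <group>` output into a list of dicts, in priority order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        d = m.groupdict()
        d["prio"] = int(d["prio"])
        d["aead"] = d["mac"] == "AEAD"
        entries.append(d)
    return entries


def audit_cipher_group(entries):
    """Return a list of policy findings; an empty list means the group passes."""
    findings = []
    prios = [e["prio"] for e in entries]
    if prios != list(range(1, len(entries) + 1)):
        findings.append(f"priorities are not contiguous from 1: {prios}")
    worst_kx_seen = 0          # highest KX_RANK encountered so far
    seen_non_aead = set()      # (kx, au) pairs that already had a MAC-based cipher
    for e in entries:
        if any(t in e["name"].upper() for t in WEAK_TOKENS):
            findings.append(f"{e['name']}: weak primitive in cipher name")
        rank = KX_RANK.get(e["kx"])
        if rank is None:
            findings.append(f"{e['name']}: unknown key exchange {e['kx']}")
            continue
        if rank < worst_kx_seen:
            findings.append(
                f"{e['name']} (Kx={e['kx']}) is ranked below a static-RSA or "
                f"weaker key exchange cipher")
        worst_kx_seen = max(worst_kx_seen, rank)
        pair = (e["kx"], e["au"])
        if e["aead"]:
            if pair in seen_non_aead:
                findings.append(
                    f"AEAD cipher {e['name']} is ranked below a non-AEAD "
                    f"{pair[0]}/{pair[1]} cipher")
        else:
            seen_non_aead.add(pair)
    return findings


def render_bind_commands(group, entries):
    """Regenerate the CLI lines that create this group in the audited order."""
    lines = [f"add ssl cipher {group}"]
    lines += [f"bind ssl cipher {group} -cipherName {e['name']}" for e in entries]
    return lines


if __name__ == "__main__":
    parsed = parse_show_ssl_cipher(SAMPLE_SHOW_OUTPUT)
    problems = audit_cipher_group(parsed)
    print("\n".join(problems) if problems else "cipher group order: OK")
    print("\n".join(render_bind_commands("SSLLABS", parsed)))
```

To audit a real appliance, paste the output of show ssl cipher <group> into the script (or read it from a file) in place of the constructed sample; the audit reports nothing for the group built in this procedure and flags, for example, a static RSA key exchange cipher that has been moved above the ECDHE ciphers.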