创建并应用新的密码套件

密码套件是认证、加密、信息验证码（MAC）和密钥交换算法的组合，用于协商 SSL 和 TLS 协议的安全设置。

要保证正确的身份验证，必须确保 Citrix Netscaler VPX 使用最佳的密码组合。

要了解有关 SSL 密码套件和其他最佳实践的更多信息，请访问以下链接：

• SSL 和 TLS 部署最佳实践
• 如何在 NetScaler? 上设置 ECC？

要创建新的密码套件以对 AEAD、ECDHE 和 ECDSA 密码划分优先级，请执行以下过程：

1. 在 Citrix VPX CLI 中同时输入以下命令，并确保全部应用：

   	add ssl cipher SSLLABS
   	bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
   	bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
   	bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
   	bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
   	bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
   	bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
   	bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
   	bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
   	bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
   	bind ssl cipher SSLLABS -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
   	bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-RSA-AES128-SHA
   	bind ssl cipher SSLLABS -cipherName TLS1-ECDHE-RSA-AES256-SHA
   	bind ssl cipher SSLLABS -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
   	bind ssl cipher SSLLABS -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
   	bind ssl cipher SSLLABS -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
   	bind ssl cipher SSLLABS -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
   	bind ssl cipher SSLLABS -cipherName TLS1-AES-128-CBC-SHA
   	bind ssl cipher SSLLABS -cipherName TLS1-AES-256-CBC-SHA
   

   先前命令的语法如下：

   	add ssl cipher <cipherGroupName>
   	bind ssl cipher <cipherGroupName> -cipherName <string>
   

2. 确认密码已添加到 Citrix Netscaler VPX 中：

   	> show ssl cipher SSLLABS
   	1)      Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256       Priority : 1
   	        Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES-GCM(128) Mac=AEAD   HexCode=0xc02b
   	2)      Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384       Priority : 2
   	        Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES-GCM(256) Mac=AEAD   HexCode=0xc02c
   	3)      Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-SHA256   Priority : 3
   	        Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES(128)  Mac=SHA-256   HexCode=0xc023
   	4)      Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-SHA384   Priority : 4
   	        Description: TLSv1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES(256)  Mac=SHA-384   HexCode=0xc024
   	5)      Cipher Name: TLS1-ECDHE-ECDSA-AES128-SHA        Priority : 5
   	        Description: SSLv3 Kx=ECC-DHE  Au=ECDSA Enc=AES(128)  Mac=SHA1   HexCode=0xc009
   	6)      Cipher Name: TLS1-ECDHE-ECDSA-AES256-SHA        Priority : 6
   	        Description: SSLv3 Kx=ECC-DHE  Au=ECDSA Enc=AES(256)  Mac=SHA1   HexCode=0xc00a
   	7)      Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 Priority : 7
   	        Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES-GCM(128) Mac=AEAD   HexCode=0xc02f
   	8)      Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 8
   	        Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES-GCM(256) Mac=AEAD   HexCode=0xc030
   	9)      Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256    Priority : 9
   	        Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES(128)  Mac=SHA-256   HexCode=0xc027
   	10)     Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384    Priority : 10
   	        Description: TLSv1.2 Kx=ECC-DHE  Au=RSA  Enc=AES(256)  Mac=SHA-384   HexCode=0xc028
   	11)     Cipher Name: TLS1-ECDHE-RSA-AES128-SHA  Priority : 11
   	        Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=AES(128)  Mac=SHA1   HexCode=0xc013
   	12)     Cipher Name: TLS1-ECDHE-RSA-AES256-SHA  Priority : 12
   	        Description: SSLv3 Kx=ECC-DHE  Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0xc014
   	13)     Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256   Priority : 13
   	        Description: TLSv1.2 Kx=DH       Au=RSA  Enc=AES-GCM(128) Mac=AEAD   HexCode=0x009e
   	14)     Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384   Priority : 14
   	        Description: TLSv1.2 Kx=DH       Au=RSA  Enc=AES-GCM(256) Mac=AEAD   HexCode=0x009f
   	15)     Cipher Name: TLS1-DHE-RSA-AES-128-CBC-SHA       Priority : 15
   	        Description: SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1   HexCode=0x0033
   	16)     Cipher Name: TLS1-DHE-RSA-AES-256-CBC-SHA       Priority : 16
   	        Description: SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0x0039
   	17)     Cipher Name: TLS1-AES-128-CBC-SHA       Priority : 17
   	        Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1   HexCode=0x002f
   	18)     Cipher Name: TLS1-AES-256-CBC-SHA       Priority : 18
   	        Description: SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1   HexCode=0x0035
   	Done
   

3. 解除虚拟服务器上默认密码套件的绑定，并绑定上一步创建的自定义组：

   unbind ssl vserver https_vip2 -cipherName DEFAULT
   
   bind ssl vserver https_vip2 -cipherName SSLLABS
   
   bind ssl vserver https_vip2 -eccCurveName ALL
   

   先前命令的语法如下：

   unbind ssl cipher <cipherGroupName> -cipherName <string>
   bind ssl vserver <vServerName> -cipherName <string>
   bind ssl vserver <vServerName> -eccCurveName <eccCurveName>
   

4. 确认虚拟服务器中的更改：

   	> show ssl vserver https_vip2
   
   	[OUTPUT OMITTED]
   		ECC Curve: P_256, P_384, P_224, P_521
   
   	1)      CertKey Name: hsmclient7ns      Server Certificate
   
   	1)      Cipher Name: SSLLABS
   		Description: User Created Cipher Group
   	Done
   

5. (可选）启用 HTTP 重定向功能，以便在用户创建 HTTP 请求时将其重定向到安全网站（而不是 HTTPS ）。

   有关配置说明，请参阅 如何在 NetScaler 上配置 HTTP 到 HTTPS 重定向。

6. 打开网络浏览器，输入 FQDN，测试 HTTPS 连接。 网站加载的内容由 Citrix VPX 后面的 HTTP 服务呈现。

   您也可以通过点击浏览器 URL 旁边的挂锁图标来查看证书详情，以显示证书信息。

   如果在第五步中配置了重定向，则在使用 HTTP 请求时加载安全网站。