Security/Server Side TLS: Difference between revisions



== Citrix Netscaler ==
Netscaler documentation is at http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-supported-ciphers-list-ref.html

The configuration sample below shows how a default ciphersuite object can be created and attached to a vserver.

First, create a default ciphersuite that can be used in all vservers.
<pre>
> add ssl cipher MozillaDefault
> bind ssl cipher MozillaDefault -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName TLS1-AES-128-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName TLS1-AES-256-CBC-SHA
> bind ssl cipher MozillaDefault -cipherName SSL3-RC4-SHA
</pre>

Second, create a DH parameter. If backward compatibility with Java 6 isn't needed, use 2048 instead of 1024.
<pre>
> create ssl dhparam /nsconfig/ssl/dh1024.pem 1024 -gen 5
</pre>

Third, configure the vserver to use the default ciphersuite and DH parameter.
<pre>
> add ssl certKey <domain> -cert <cert> -key <key>
> add ssl certKey <intermediateCertName> -cert <intermediateCertName>
> link ssl certKey <domain> <intermediateCertName>
> set ssl vserver <domain>:https -eRSA ENABLED
> bind ssl vserver <domain>:https -cipherName MozillaDefault -dh ENABLED -dhFile /nsconfig/ssl/dh1024.pem -dhCount 1000
</pre>

The resulting configuration can be viewed with ''show ssl''
<pre>
> show ssl vserver marketplace.firefox.com:https

     Advanced SSL configuration for VServer marketplace.firefox.com:https:
     DH: ENABLED    DHParam File: /nsconfig/ssl/dh1024.pem    Refresh Count: 1000
     Ephemeral RSA: ENABLED        Refresh Count: 0
     Session Reuse: ENABLED        Timeout: 120 seconds
     [...]
     Push Encryption Trigger: Always
     Send Close-Notify: YES
1)    CertKey Name: marketplace.mozilla.org.san    Server Certificate
1)    Cipher Name: MozillaSecure    Description: User Created Cipher Group
</pre>
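A configuration like the one above is easy to get subtly wrong: the DHE suites in the cipher group are only negotiable once DH is enabled on the vserver with a parameter file bound, and a group that still carries static-RSA or RC4 suites should be known to whoever reviews it. The following script is an added example, not part of the wiki page and not Citrix tooling. It parses the text format that ''show ssl vserver'' prints (as shown above; the sample dump embedded in the script is constructed) and classifies the cipher names bound to the MozillaDefault group, reporting what a reviewer of this configuration would want flagged.

```python
"""Audit a NetScaler SSL vserver configuration dump (constructed example).

Parses the output of `show ssl vserver <name>` in the layout shown on the
wiki page and checks the bound cipher names for forward secrecy and RC4.
The sample dump below is constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Cipher names bound to the MozillaDefault group in the configuration above.
MOZILLA_DEFAULT_CIPHERS = [
    "TLS1-DHE-DSS-AES-128-CBC-SHA",
    "TLS1-DHE-RSA-AES-128-CBC-SHA",
    "TLS1-DHE-DSS-AES-256-CBC-SHA",
    "TLS1-DHE-RSA-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA",
    "TLS1-AES-256-CBC-SHA",
    "SSL3-RC4-SHA",
]

# Constructed sample of `show ssl vserver` output, modelled on the dump above.
SAMPLE_SHOW_SSL = """\
     Advanced SSL configuration for VServer example.test:https:
     DH: ENABLED    DHParam File: /nsconfig/ssl/dh1024.pem    Refresh Count: 1000
     Ephemeral RSA: ENABLED        Refresh Count: 0
     Session Reuse: ENABLED        Timeout: 120 seconds
     Push Encryption Trigger: Always
     Send Close-Notify: YES
1)    CertKey Name: example.test    Server Certificate
1)    Cipher Name: MozillaDefault    Description: User Created Cipher Group
"""


@dataclass
class VserverSSL:
    dh_enabled: bool = False
    dh_file: Optional[str] = None
    dh_refresh: Optional[int] = None
    ersa_enabled: bool = False
    cipher_groups: List[str] = field(default_factory=list)


def parse_show_ssl(text: str) -> VserverSSL:
    """Extract the DH, ephemeral RSA and cipher-group settings from the dump."""
    cfg = VserverSSL()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DH:"):
            cfg.dh_enabled = "DH: ENABLED" in line
            m = re.search(r"DHParam File:\s*(\S+)", line)
            if m:
                cfg.dh_file = m.group(1)
            m = re.search(r"Refresh Count:\s*(\d+)", line)
            if m:
                cfg.dh_refresh = int(m.group(1))
        elif line.startswith("Ephemeral RSA:"):
            cfg.ersa_enabled = "Ephemeral RSA: ENABLED" in line
        else:
            m = re.match(r"\d+\)\s+Cipher Name:\s*(\S+)", line)
            if m:
                cfg.cipher_groups.append(m.group(1))
    return cfg


def classify_cipher(name: str) -> List[str]:
    """Return the concerns a reviewer would raise for one NetScaler cipher name."""
    concerns = []
    # NetScaler names spell out the key exchange: DHE-/ECDHE- suites give
    # forward secrecy, a bare TLS1-AES-... name is static RSA key exchange.
    if not re.search(r"-(EC)?DHE-", name):
        concerns.append("no forward secrecy")
    if "RC4" in name:
        concerns.append("RC4 stream cipher")
    return concerns


def audit(cfg: VserverSSL, ciphers: List[str]) -> List[str]:
    """Combine vserver settings and the cipher list into a list of findings."""
    findings = []
    if not cfg.dh_enabled:
        findings.append("DH disabled: DHE suites in the group cannot be negotiated")
    elif cfg.dh_file is None:
        findings.append("DH enabled but no DHParam file bound")
    for name in ciphers:
        for concern in classify_cipher(name):
            findings.append(f"{name}: {concern}")
    return findings


if __name__ == "__main__":
    config = parse_show_ssl(SAMPLE_SHOW_SSL)
    for finding in audit(config, MOZILLA_DEFAULT_CIPHERS):
        print(finding)
```

Run against the sample dump, the script reports nothing about DH (it is enabled with a file bound) and four cipher findings: the two TLS1-AES-*-CBC-SHA suites lack forward secrecy, and SSL3-RC4-SHA both lacks forward secrecy and uses RC4. Feeding it the output of a vserver where the cipher group was bound without ''-dh ENABLED'' adds the DH finding, which is the case the three-step procedure above is designed to avoid.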

