HOWTO: Fix Citrix Netscaler and the SSL TLS Renegotiation Vulnerability

If you're having problems passing your vulnerability scans and you have a Citrix Netscaler Application Delivery Appliance, here are the links to the Citrix KB articles which describe how to resolve the issue.

The initial Citrix KB article describes the basic issue and states that "an interim fix has been released" and that you must be running a certain Netscaler firmware version or higher to get the fix. The article also references another Citrix KB article with "information on configuring Citrix Netscaler"; however, it's not very clear that additional configuration is required in order to remedy the vulnerability.

Basically you have to run the following command at the configuration shell of the Netscaler device:

set ssl parameter -denySSLReneg ( NO | FRONTEND_CLIENT | FRONTEND_CLIENTSERVER | ALL )

Choose the option best suited to your environment.
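To confirm the setting actually landed before the next scan, the following added example (not from the Citrix KB articles or the original post) audits a saved copy of the appliance configuration for the -denySSLReneg value. The function names are hypothetical, and it assumes the configuration was exported to a text file and that a missing line should be flagged for manual review.

```shell
#!/bin/sh
# Audit a saved NetScaler configuration file for the -denySSLReneg setting.
# Assumption: the file holds CLI commands, one per line, as in a saved config.

# deny_reneg_value FILE: print the effective -denySSLReneg value, or NOT_SET.
deny_reneg_value() {
    awk '
        BEGIN { val = "NOT_SET" }
        # Only "set ssl parameter" lines matter; a later line overrides an earlier one.
        tolower($1) == "set" && tolower($2) == "ssl" && tolower($3) == "parameter" {
            for (i = 4; i < NF; i++)
                if (tolower($i) == "-denysslreneg") val = toupper($(i + 1))
        }
        END { print val }
    ' "$1"
}

# audit_deny_reneg FILE: print a verdict; return 0 only when renegotiation
# is denied by one of the restrictive options listed in the article.
audit_deny_reneg() {
    v=$(deny_reneg_value "$1") || return 2
    case "$v" in
        NOT_SET)
            echo "REVIEW: -denySSLReneg is not set explicitly; the firmware default applies"
            return 1 ;;
        NO)
            echo "FAIL: -denySSLReneg NO does not deny renegotiation"
            return 1 ;;
        FRONTEND_CLIENT|FRONTEND_CLIENTSERVER|ALL)
            echo "OK: -denySSLReneg $v"
            return 0 ;;
        *)
            echo "REVIEW: unrecognised -denySSLReneg value: $v"
            return 1 ;;
    esac
}

# Run as: sh audit.sh /path/to/saved-config (the path is a placeholder).
if [ "$#" -gt 0 ]; then
    audit_deny_reneg "$1"
fi
```

A non-zero exit status means the file needs attention, so the script can gate a change-review or pre-scan checklist.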

So, in essence, all the information is sort of available, but even if you read very carefully it might not be obvious.

Enjoy your Netscaler,