HOWTO: Fix Citrix Netscaler and the SSL TLS Renegotiation Vulnerability

If you're having trouble passing your vulnerability scans and you have a Citrix Netscaler Application Delivery Appliance, here are the links to the Citrix KB articles that describe how to resolve the issue.

The initial article (at http://support.citrix.com/article/CTX123359) describes the basic issue and states that "an interim fix has been released"; you must be running a certain Netscaler firmware version or higher to get the fix. The article also references another Citrix KB article (http://support.citrix.com/article/CTX123680) with "information on configuring Citrix Netscaler". However, it is not made clear that additional configuration is required in order to remedy the vulnerability: installing the firmware alone does not change the renegotiation setting.

Basically you have to run the following command at the configuration shell of the Netscaler device:

set ssl parameter -denySSLReneg ( NO | FRONTEND_CLIENT | FRONTEND_CLIENTSERVER | ALL )

Choose the option that is most suitable for your environment.
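Since the firmware upgrade alone does not flip this setting, it is worth auditing the value on every appliance. The script below is an added example, not from the post or from Citrix: it parses the text of "show ssl parameter" and reports whether the front end still allows renegotiation. The line label "Deny SSL Renegotiation" and the sample transcripts are assumptions I constructed; verify the label against your firmware's actual output.

```python
"""Audit a Netscaler's global SSL parameters for the renegotiation fix.

Added example, not from the original post. The "Deny SSL Renegotiation"
label and the sample outputs are assumptions/constructed; confirm them
against "show ssl parameter" on your own firmware.
"""
import re

# The four values accepted by "set ssl parameter -denySSLReneg" (from the post),
# mapped to whether client-initiated renegotiation on the front end is denied.
DENY_OPTIONS = {
    "NO": False,                    # renegotiation still allowed: scanners will flag it
    "FRONTEND_CLIENT": True,        # deny client-initiated renegotiation on front-end vservers
    "FRONTEND_CLIENTSERVER": True,  # also deny server-initiated renegotiation on the front end
    "ALL": True,                    # deny renegotiation on front end and back end
}

# Assumed label format; tolerate an optional colon and tab/space padding.
_LINE = re.compile(r"^[ \t]*Deny SSL Renegotiation[ \t]*:?[ \t]*(\S+)[ \t]*$", re.MULTILINE)


def audit_ssl_parameter(show_output: str) -> dict:
    """Return the configured value, whether the front end is protected, and advice.

    A missing line means the firmware predates the interim fix (setting unavailable);
    an unrecognised value is treated as unprotected so it gets looked at.
    """
    m = _LINE.search(show_output)
    if m is None:
        return {"setting": None, "protected": False,
                "advice": "option absent: upgrade to firmware with the interim fix"}
    value = m.group(1).upper()
    protected = DENY_OPTIONS.get(value, False)
    advice = "ok" if protected else \
        "run: set ssl parameter -denySSLReneg FRONTEND_CLIENT (or stricter)"
    return {"setting": value, "protected": protected, "advice": advice}


# Constructed sample transcripts (not captured from a real appliance).
SAMPLE_UNFIXED = "\tAdvanced SSL Parameters\n\tStrict CA checks:\t\tNO\n\tDeny SSL Renegotiation\t\tNO\n"
SAMPLE_FIXED = SAMPLE_UNFIXED.replace("Renegotiation\t\tNO", "Renegotiation\t\tFRONTEND_CLIENT")
SAMPLE_OLD_FIRMWARE = "\tAdvanced SSL Parameters\n\tStrict CA checks:\t\tNO\n"

if __name__ == "__main__":
    for name, text in [("unfixed", SAMPLE_UNFIXED), ("fixed", SAMPLE_FIXED),
                       ("old firmware", SAMPLE_OLD_FIRMWARE)]:
        print(name, audit_ssl_parameter(text))
```

Feed it the saved output of "show ssl parameter" from each appliance to spot the ones where the command was never run.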

So, in essence, all the information is available, but even if you read very carefully it might not be obvious that the configuration step is required.

Enjoy your Netscaler,
Flux.

We recently came across this issue on our Netscalers. That article is very deceptive. I have a case with Citrix to verify.
