ssl-vserver
The following operations can be performed on "ssl-vserver":
set | unset | bind | unbind | show | stat
set ssl vserver
Sets advanced SSL configuration for an SSL virtual server.
Synopsis
set ssl vserver <vServerName>@ [-clearTextPort <port>] [-dh ( ENABLED | DISABLED ) -dhFile <string>] [-dhCount <positive_integer>] [-dhKeyExpSizeLimit ( ENABLED | DISABLED )] [-eRSA ( ENABLED | DISABLED ) [-eRSACount <positive_integer>]] [-sessReuse ( ENABLED | DISABLED ) [-sessTimeout <positive_integer>]] [-cipherRedirect ( ENABLED | DISABLED ) [-cipherURL <URL>]] [-sslv2Redirect ( ENABLED | DISABLED ) [-sslv2URL <URL>]] [-clientAuth ( ENABLED | DISABLED ) [-clientCert ( Mandatory | Optional )]] [-sslRedirect ( ENABLED | DISABLED )] [-redirectPortRewrite ( ENABLED | DISABLED )] [-ssl2 ( ENABLED | DISABLED )] [-ssl3 ( ENABLED | DISABLED )] [-tls1 ( ENABLED | DISABLED )] [-tls11 ( ENABLED | DISABLED )] [-tls12 ( ENABLED | DISABLED )] [-tls13 ( ENABLED | DISABLED )] [-dtls1 ( ENABLED | DISABLED )] [-dtls12 ( ENABLED | DISABLED )] [-SNIEnable ( ENABLED | DISABLED )] [-ocspStapling ( ENABLED | DISABLED )] [-pushEncTrigger <pushEncTrigger>] [-sendCloseNotify ( YES | NO )] [-dtlsProfileName <string>] [-sslProfile <string>] [-HSTS ( ENABLED | DISABLED )] [-maxage <positive_integer>] [-IncludeSubdomains ( YES | NO )] [-preload ( YES | NO )] [-strictSigDigestCheck ( ENABLED | DISABLED )] [-zeroRttEarlyData ( ENABLED | DISABLED )] [-tls13SessionTicketsPerAuthContext <positive_integer>] [-dheKeyExchangeWithPsk ( YES | NO )]
Arguments
vServerName
Name of the SSL virtual server for which to set advanced configuration.
clearTextPort
Port on which clear-text data is sent by the appliance to the server. Do not specify this parameter for SSL offloading with end-to-end encryption.
Default value: 0 Maximum value: 65534
dh
State of Diffie-Hellman (DH) key exchange.
Possible values: ENABLED, DISABLED Default value: DISABLED
dhFile
Name of and, optionally, path to the DH parameter file, in PEM format, to be installed. /nsconfig/ssl/ is the default path.
dhCount
Number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies infinite use (no refresh).
Minimum value: 0 Maximum value: 65534
dhKeyExpSizeLimit
This option enables the use of the NIST-recommended (NIST Special Publication 800-56A) bit size for the private key. For example, for DH parameters of size 2048 bits, the recommended private-key size is 224 bits. This is rounded up to 256 bits.
Possible values: ENABLED, DISABLED Default value: DISABLED
eRSA
State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts.
Possible values: ENABLED, DISABLED Default value: ENABLED
eRSACount
Refresh count for regeneration of the RSA public-key and private-key pair. Zero (0) specifies infinite usage (no refresh).
Minimum value: 0 Maximum value: 65534
sessReuse
State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.
Possible values: ENABLED, DISABLED Default value: ENABLED
sessTimeout
Time, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session.
Default value: 120 Minimum value: 0 Maximum value: 4294967294
cipherRedirect
State of Cipher Redirect. If cipher redirect is enabled, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client.
Possible values: ENABLED, DISABLED Default value: DISABLED
cipherURL
The redirect URL to be used with the Cipher Redirect feature.
sslv2Redirect
State of SSLv2 Redirect. If SSLv2 redirect is enabled, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a protocol version mismatch between the virtual server or service and the client.
Possible values: ENABLED, DISABLED Default value: DISABLED
sslv2URL
URL of the page to which to redirect the client in case of a protocol version mismatch. Typically, this page has a clear explanation of the error or an alternative location that the transaction can continue from.
clientAuth
State of client authentication. If client authentication is enabled, the virtual server terminates the SSL handshake if the SSL client does not provide a valid certificate.
Possible values: ENABLED, DISABLED Default value: DISABLED
clientCert
Type of client authentication. If this parameter is set to MANDATORY, the appliance terminates the SSL handshake if the SSL client does not provide a valid certificate. With the OPTIONAL setting, the appliance requests a certificate from the SSL clients but proceeds with the SSL transaction even if the client presents an invalid certificate. Caution: Define proper access control policies before changing this setting to Optional.
Possible values: Mandatory, Optional
sslRedirect
State of HTTPS redirects for the SSL virtual server.
For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect. If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break.
Possible values: ENABLED, DISABLED Default value: DISABLED
redirectPortRewrite
State of the port rewrite while performing HTTPS redirect. If this parameter is ENABLED and the URL from the server does not contain the standard port, the port is rewritten to the standard.
Possible values: ENABLED, DISABLED Default value: DISABLED
ssl2
State of SSLv2 protocol support for the SSL Virtual Server.
Possible values: ENABLED, DISABLED Default value: DISABLED
ssl3
State of SSLv3 protocol support for the SSL Virtual Server. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.
Possible values: ENABLED, DISABLED Default value: ENABLED
tls1
State of TLSv1.0 protocol support for the SSL Virtual Server.
Possible values: ENABLED, DISABLED Default value: ENABLED
tls11
State of TLSv1.1 protocol support for the SSL Virtual Server.
Possible values: ENABLED, DISABLED Default value: ENABLED
tls12
State of TLSv1.2 protocol support for the SSL Virtual Server.
Possible values: ENABLED, DISABLED Default value: ENABLED
tls13
State of TLSv1.3 protocol support for the SSL Virtual Server.
Possible values: ENABLED, DISABLED Default value: DISABLED
dtls1
State of DTLSv1.0 protocol support for the SSL Virtual Server.
Possible values: ENABLED, DISABLED Default value: ENABLED
dtls12
State of DTLSv1.2 protocol support for the SSL Virtual Server.
Possible values: ENABLED, DISABLED Default value: DISABLED
SNIEnable
State of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.
Possible values: ENABLED, DISABLED Default value: DISABLED
ocspStapling
State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values:
* ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of the SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake.
* DISABLED: The appliance does not check the status of the server certificate.
Possible values: ENABLED, DISABLED Default value: DISABLED
pushEncTrigger
Trigger encryption on the basis of the PUSH flag value. Available settings function as follows:
* ALWAYS - Any PUSH packet triggers encryption.
* IGNORE - Ignore PUSH packet for triggering encryption.
* MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.
* TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box.
Possible values: Always, Merge, Ignore, Timer
sendCloseNotify
Enable sending SSL Close-Notify at the end of a transaction.
Possible values: YES, NO Default value: YES
dtlsProfileName
Name of the DTLS profile whose settings are to be applied to the virtual server.
sslProfile
Name of the SSL profile that contains SSL settings for the virtual server.
HSTS
State of HSTS protocol support for the SSL Virtual Server. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client.
Possible values: ENABLED, DISABLED Default value: DISABLED
maxage
Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server.
Default value: 0 Minimum value: 0 Maximum value: 4294967294
IncludeSubdomains
Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains.
Possible values: YES, NO Default value: NO
preload
Flag indicates the consent of the site owner to have their domain preloaded.
Possible values: YES, NO Default value: NO
strictSigDigestCheck
Check whether the peer entity's certificate presented during the TLS 1.2 handshake is signed with one of the signature-hash combinations supported by Citrix ADC.
Possible values: ENABLED, DISABLED Default value: DISABLED
zeroRttEarlyData
State of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting only has an effect if resumption is enabled, as early data cannot be sent along with an initial handshake. Early application data has significantly different security properties; in particular, there is no guarantee that the data cannot be replayed.
Possible values: ENABLED, DISABLED Default value: DISABLED
tls13SessionTicketsPerAuthContext
Number of tickets the SSL Virtual Server will issue anytime TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handshake client auth completes. This value can be increased to enable clients to open multiple parallel connections using a fresh ticket for each connection. No tickets are sent if resumption is disabled.
Default value: 1 Minimum value: 1 Maximum value: 10
dheKeyExchangeWithPsk
Whether or not the SSL Virtual Server will require a DHE key exchange to occur when a PSK is accepted during a TLS 1.3 resumption handshake. A DHE key exchange ensures forward secrecy even in the event that ticket keys are compromised, at the expense of an additional round trip and resources required to carry out the DHE key exchange. If disabled, a DHE key exchange will be performed when a PSK is accepted but only if requested by the client. If enabled, the server will require a DHE key exchange when a PSK is accepted regardless of whether the client supports combined PSK-DHE key exchange. This setting only has an effect when resumption is enabled.
Possible values: YES, NO Default value: NO
Example
- set ssl vserver sslvip -dh ENABLED -dhFile /siteA/dh1024.pem -dhCount 500
The above example sets the DH parameters for the SSL virtual server 'sslvip'.
- set ssl vserver sslvip -ssl2 DISABLED
The above example disables support for the SSLv2 protocol for the SSL virtual server 'sslvip'.
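The HSTS, maxage, IncludeSubdomains and preload parameters above together determine the Strict-Transport-Security header the virtual server sends. The following Python is an added example and is not part of this reference or of Citrix ADC: it derives the header value those four settings imply (assuming the appliance formats it as RFC 6797 describes), parses a header captured from a live response, and lists the settings a reviewer would flag. The HstsConfig class, the function names and the PRELOAD_MIN_MAX_AGE constant are ours; the preload-list requirements it checks (one-year max-age, includeSubDomains and the preload directive) are the published hstspreload.org submission requirements, not something this page states.

```python
"""Derive and audit the Strict-Transport-Security header implied by the
HSTS, maxage, IncludeSubdomains and preload settings of set ssl vserver.

Added example, not Citrix code. The header layout assumed here is the
RFC 6797 form: max-age=N; includeSubDomains; preload."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Assumption: hstspreload.org requires max-age >= 1 year, includeSubDomains
# and the preload directive before a domain is accepted on the preload list.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsConfig:
    """The four HSTS-related settings of an SSL virtual server."""
    hsts: str = "DISABLED"           # -HSTS ENABLED | DISABLED
    maxage: int = 0                  # -maxage, seconds
    include_subdomains: str = "NO"   # -IncludeSubdomains YES | NO
    preload: str = "NO"              # -preload YES | NO


def build_hsts_header(cfg: HstsConfig) -> Optional[str]:
    """Header value the settings imply, or None when HSTS is DISABLED."""
    if cfg.hsts.upper() != "ENABLED":
        return None
    directives = [f"max-age={cfg.maxage}"]
    if cfg.include_subdomains.upper() == "YES":
        directives.append("includeSubDomains")
    if cfg.preload.upper() == "YES":
        directives.append("preload")
    return "; ".join(directives)


def parse_hsts_header(value: str) -> Dict[str, Union[int, bool]]:
    """Parse a received header value. Directive names are case-insensitive
    (RFC 6797); a missing or malformed max-age is reported as -1."""
    parsed: Dict[str, Union[int, bool]] = {
        "max_age": -1, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            parsed["max_age"] = int(arg) if arg.isdigit() else -1
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def audit_hsts(cfg: HstsConfig, observed: Optional[str] = None) -> List[str]:
    """Flag weak or inconsistent HSTS settings; optionally compare them with
    the header actually observed in a response captured from the vserver."""
    findings: List[str] = []
    expected = build_hsts_header(cfg)
    if expected is None:
        findings.append("HSTS DISABLED: no Strict-Transport-Security header is sent")
        return findings
    if cfg.maxage == 0:
        # RFC 6797: max-age=0 tells the client to drop its cached policy.
        findings.append("maxage 0: clients discard any cached HSTS policy for this host")
    if cfg.preload.upper() == "YES" and (
            cfg.include_subdomains.upper() != "YES"
            or cfg.maxage < PRELOAD_MIN_MAX_AGE):
        findings.append("preload YES but IncludeSubdomains/maxage do not meet "
                        "preload-list requirements")
    if observed is not None and parse_hsts_header(observed) != parse_hsts_header(expected):
        findings.append(f"observed header {observed!r} differs from configured {expected!r}")
    return findings


if __name__ == "__main__":
    # Constructed settings: HSTS on for one year, subdomains included, preload requested.
    cfg = HstsConfig("ENABLED", 31536000, "YES", "YES")
    print(build_hsts_header(cfg))
    print(audit_hsts(cfg, observed="max-age=31536000; includeSubDomains; preload"))
```

Feeding `audit_hsts` the header captured from a real response (for example, the Strict-Transport-Security line from `curl -I`) turns the configured values into a check that the setting actually reached the client.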
unset ssl vserver
Use this command to remove ssl vserver settings. Refer to the set ssl vserver command for the meanings of the arguments.
Synopsis
unset ssl vserver <vServerName>@ [-clearTextPort] [-dh] [-dhFile] [-dhCount] [-dhKeyExpSizeLimit] [-eRSA] [-eRSACount] [-sessReuse] [-sessTimeout] [-cipherRedirect] [-cipherURL] [-sslv2Redirect] [-sslv2URL] [-clientAuth] [-clientCert] [-sslRedirect] [-redirectPortRewrite] [-ssl2] [-ssl3] [-tls1] [-tls11] [-tls12] [-tls13] [-dtls1] [-dtls12] [-SNIEnable] [-ocspStapling] [-sendCloseNotify] [-dtlsProfileName] [-sslProfile] [-HSTS] [-maxage] [-IncludeSubdomains] [-preload] [-strictSigDigestCheck] [-zeroRttEarlyData] [-tls13SessionTicketsPerAuthContext] [-dheKeyExchangeWithPsk]
bind ssl vserver
Binds an SSL certificate-key pair or an SSL policy to an SSL virtual server.
Synopsis
bind ssl vserver <vServerName>@ ((-policyName <string> [-priority <positive_integer>] [-gotoPriorityExpression <expression>] [-invoke (<labelType> <labelName>) ] [-type <type>]) | ((-certkeyName <string> [(-CA [-crlCheck ( Mandatory | Optional ) | -ocspCheck ( Mandatory | Optional )] [-skipCAName]) | -SNICert] ) | -cipherName <string> | -eccCurveName <eccCurveName>))
Arguments
vServerName
Name of the SSL virtual server.
policyName
Name of the SSL policy to bind to the SSL virtual server.
priority
Integer specifying the policy's priority. The lower the number, the higher the priority.
Minimum value: 0 Maximum value: 64000
gotoPriorityExpression
Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE. Specify one of the following values:
* NEXT - Evaluate the policy with the next higher priority number.
* END - End policy evaluation.
* USE_INVOCATION_RESULT - Applicable if this policy invokes another policy label. If the final goto in the invoked policy label has a value of END, the evaluation stops. If the final goto is anything other than END, the current policy label performs a NEXT.
* An expression that evaluates to a number. If you specify an expression, the number to which it evaluates determines the next policy to evaluate, as follows:
  * If the expression evaluates to a higher numbered priority, the policy with that priority is evaluated next.
  * If the expression evaluates to the priority of the current policy, the policy with the next higher numbered priority is evaluated next.
  * If the expression evaluates to a number that is larger than the largest numbered priority, policy evaluation ends.
An UNDEF event is triggered if:
* The expression is invalid.
* The expression evaluates to a priority number that is numerically lower than the current policy's priority.
* The expression evaluates to a priority number that is between the current policy's priority number (say, 30) and the highest priority number (say, 100), but does not match any configured priority number (for example, the expression evaluates to the number 85). This example assumes that the priority number increments by 10 for every successive policy, and therefore a priority number of 85 does not exist in the policy label.
Default value: "END"
invoke
Invoke policies bound to a virtual server, service, or user-defined policy label. After the invoked policies are evaluated, the flow returns to the policy with the next priority.
labelType
Type of policy label to invoke.
Possible values: vserver, service, policylabel
labelName
Name of the policy label, virtual server, or service to invoke if the current policy rule evaluates to TRUE.
type
Bind point to which to bind the policy. Possible values: REQUEST, INTERCEPT_REQ and CLIENTHELLO_REQ. These bind points mean:
1. REQUEST: Policy evaluation is done at the application layer above SSL. This bind point is the default and is used for actions based on client authentication and the client certificate.
2. INTERCEPT_REQ: Policy evaluation is done during the SSL handshake to decide whether or not to intercept. Actions allowed with this type are INTERCEPT, BYPASS and RESET.
3. CLIENTHELLO_REQ: Policy evaluation is done while handling the Client Hello request. Actions allowed with this type are RESET, FORWARD and PICKCACERTGRP.
Possible values: INTERCEPT_REQ, REQUEST, CLIENTHELLO_REQ Default value: REQUEST
certkeyName
Name of the certificate-key pair.
CA
Name of the CA certificate that issues and signs the intermediate-CA certificate or the end-user client or server certificate.
crlCheck
Rule to use for the CRL corresponding to the CA certificate during client authentication. Available settings function as follows:
* MANDATORY - Deny SSL clients if the CRL is missing or expired, or the Next Update date is in the past, or the CRL is incomplete.
* OPTIONAL - Allow SSL clients if the CRL is missing or expired, or the Next Update date is in the past, or the CRL is incomplete, but deny if the client certificate is revoked in the CRL.
Possible values: Mandatory, Optional Default value: CRLCHECK_OPTIONAL
skipCAName
Flag indicating whether this particular CA certificate's CA Name needs to be sent to the SSL client when requesting a client certificate in an SSL handshake.
SNICert
Name of the certificate-key pair to bind for use in SNI processing.
ocspCheck
Rule to use for the OCSP responder associated with the CA certificate during client authentication. If MANDATORY is specified, deny all SSL clients if the OCSP check fails because of connectivity issues with the remote OCSP server, or any other reason that prevents the OCSP check. With the OPTIONAL setting, allow SSL clients even if the OCSP check fails except when the client certificate is revoked.
Possible values: Mandatory, Optional
cipherName
Name of the individual cipher, user-defined cipher group, or predefined (built-in) cipher alias.
eccCurveName
Named ECC curve bound to service/vserver.
Possible values: ALL, P_224, P_256, P_384, P_521
Example
- bind ssl vserver ssl_vip -certkeyName cert1 In the above example the certificate cert1 is bound to the SSL vserver ssl_vip as server certificate.
- bind ssl vserver ssl_vip -certkeyName cert2 -CA In the above example the certificate cert2 is bound to the SSL vserver ssl_vip as CA certificate.
- bind ssl vserver ssl_vip -certkeyName cert3 -CA -ocspCheck Mandatory In the above example the certificate cert3 is bound to the SSL vserver ssl_vip as CA certificate, with OCSP check set to Mandatory.
- bind ssl vserver ssl_vip -policyName certInsert_pol -priority 10 In the above example the SSL policy certInsert_pol is bound to the SSL vserver ssl_vip with priority 10.
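The priority, gotoPriorityExpression and invoke arguments described above define a small control-flow language, and the UNDEF cases are easy to get wrong when policies are bound with non-contiguous priorities. The following Python simulator is an added example, not Citrix code and not the appliance's evaluator: it walks a bind point exactly as the gotoPriorityExpression text describes (NEXT, END, USE_INVOCATION_RESULT, numeric targets, the three UNDEF conditions). Policy rules are plain callables standing in for policy expressions; the Policy class, run_bindpoint and UndefEvent are ours, and two points the page leaves implicit are assumptions marked in the code: a rule that evaluates FALSE falls through to the next policy, and a numeric final goto counts as "anything other than END" for an invoking label.

```python
"""Simulate gotoPriorityExpression / invoke evaluation for bind ssl vserver.

Added example, not Citrix code. Rules are Python callables standing in for
policy expressions; see the assumptions noted in evaluate_label()."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

Goto = Union[str, int, Callable[[dict], Union[str, int]]]


@dataclass
class Policy:
    name: str
    priority: int                     # -priority: lower number is evaluated first
    rule: Callable[[dict], bool]      # stands in for the policy expression
    goto: Goto = "END"                # -gotoPriorityExpression (default "END")
    invoke: Optional[str] = None      # -invoke policylabel <labelName>


class UndefEvent(Exception):
    """Raised where the reference says an UNDEF event is triggered."""


def evaluate_label(policies: List[Policy], labels: Dict[str, List[Policy]],
                   ctx: dict, trace: List[str]) -> str:
    """Evaluate one bind point or policy label; append each matching policy
    name to trace. Returns the final goto seen, "END" or "NEXT".
    Assumptions: a FALSE rule falls through to the next policy, and a numeric
    goto is "anything other than END" for an invoking label."""
    ordered = sorted(policies, key=lambda p: p.priority)
    prios = [p.priority for p in ordered]
    i = 0
    while i < len(ordered):
        pol = ordered[i]
        if not pol.rule(ctx):
            i += 1
            continue
        trace.append(pol.name)
        invocation = None
        if pol.invoke is not None:
            # The invoked label is evaluated first; flow then follows this goto.
            invocation = evaluate_label(labels[pol.invoke], labels, ctx, trace)
        goto = pol.goto(ctx) if callable(pol.goto) else pol.goto
        if goto == "USE_INVOCATION_RESULT":
            goto = "END" if invocation == "END" else "NEXT"
        if goto == "END":
            return "END"
        if goto == "NEXT" or goto == pol.priority:
            i += 1                    # next higher priority number
            continue
        if not isinstance(goto, int):
            raise UndefEvent(f"{pol.name}: invalid gotoPriorityExpression {goto!r}")
        if goto < pol.priority:
            raise UndefEvent(f"{pol.name}: goto {goto} is lower than priority {pol.priority}")
        if goto > prios[-1]:
            return "NEXT"             # larger than the largest priority: evaluation ends
        if goto not in prios:
            raise UndefEvent(f"{pol.name}: no policy bound at priority {goto}")
        i = prios.index(goto)         # jump to the named priority
    return "NEXT"


def run_bindpoint(policies: List[Policy], labels: Dict[str, List[Policy]],
                  ctx: dict) -> Tuple[str, List[str]]:
    """Evaluate a bind point and return (final goto, names of policies that matched)."""
    trace: List[str] = []
    return evaluate_label(policies, labels, ctx, trace), trace


def always_true(_ctx: dict) -> bool:
    return True


if __name__ == "__main__":
    # Constructed bindings: priorities 10..40, with 10 jumping straight to 30.
    labels = {"audit_lbl": [Policy("audit1", 10, always_true, "END")]}
    bindpoint = [
        Policy("p10", 10, always_true, 30),
        Policy("p20", 20, always_true, "END"),
        Policy("p30", 30, always_true, "USE_INVOCATION_RESULT", invoke="audit_lbl"),
        Policy("p40", 40, always_true, "NEXT"),
    ]
    print(run_bindpoint(bindpoint, labels, {}))          # ('END', ['p10', 'p30', 'audit1'])
    try:
        run_bindpoint([Policy("p30", 30, always_true, 85),
                       Policy("p100", 100, always_true, "END")], {}, {})
    except UndefEvent as exc:
        print("UNDEF:", exc)                              # the 85-between-30-and-100 case
```

Running the simulator against a proposed set of bindings before applying them shows which UNDEF paths exist; it is the numeric gotos that silently skip policies (p20 above is never evaluated) that deserve the closest review.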
unbind ssl vserver
Unbinds an SSL policy, cipher, and certificate-key pair from an SSL virtual server.
Synopsis
unbind ssl vserver <vServerName>@ ((-policyName <string> [-priority <positive_integer>] [-type <type>]) | ((-certkeyName <string> [-CA | -SNICert] ) | -cipherName <string> | -eccCurveName <eccCurveName>))
Arguments
vServerName
Name of the SSL virtual server.
policyName
Name of the SSL policy to unbind from the SSL virtual server.
priority
Priority of the NOPOLICY (built-in policy) to be unbound. Not required if you are unbinding a user-defined policy.
Minimum value: 1 Maximum value: 2147483647
type
Bind point to which to bind the policy. Possible values: REQUEST, INTERCEPT_REQ and CLIENTHELLO_REQ. These bind points mean:
1. REQUEST: Policy evaluation is done at the application layer above SSL. This bind point is the default and is used for actions based on client authentication and the client certificate.
2. INTERCEPT_REQ: Policy evaluation is done during the SSL handshake to decide whether or not to intercept. Actions allowed with this type are INTERCEPT, BYPASS and RESET.
3. CLIENTHELLO_REQ: Policy evaluation is done while handling the Client Hello request. Actions allowed with this type are RESET, FORWARD and PICKCACERTGRP.
Possible values: INTERCEPT_REQ, REQUEST, CLIENTHELLO_REQ Default value: REQUEST
certkeyName
The name of the certificate key pair binding.
CA
CA certificate.
SNICert
Name of the SNI certificate-key pair.
cipherName
Name of the cipher.
eccCurveName
Named ECC curve bound to service/vserver.
Possible values: ALL, P_224, P_256, P_384, P_521
Example
unbind ssl vserver ssl_vip -policyName certInsert_pol
show ssl vserver
Displays SSL specific configuration information for all SSL virtual servers, or displays detailed information for the specified SSL virtual server.
Synopsis
show ssl vserver [<vServerName>]
Arguments
vServerName
Name of the SSL virtual server for which to show detailed information.
Output
clearTextPort
The clearTextPort settings.
dh
The state of Diffie-Hellman (DH) key exchange support.
dhFile
The file name and path for the DH parameter.
dhCount
The refresh count for the re-generation of DH public-key and private-key from the DH parameter.
dhKeyExpSizeLimit
This option enables the use of the NIST-recommended (NIST Special Publication 800-56A) bit size for the private key. For example, for DH parameters of size 2048 bits, the recommended private-key size is 224 bits. This is rounded up to 256 bits.
eRSA
The state of Ephemeral RSA key exchange support. Ephemeral RSA is used for export ciphers.
eRSACount
The refresh count for the re-generation of RSA public-key and private-key pair.
sessReuse
The state of session re-use support.
sessTimeout
The Session timeout value in seconds.
cipherRedirect
The state of the Cipher Redirect feature. The Cipher Redirect feature can be used to provide more readable information to SSL clients about a mismatch in ciphers between the client and the SSL vserver.
crlCheck
The state of the CRL check parameter. (Mandatory/Optional)
cipherURL
The redirect URL to be used with the Cipher Redirect feature.
sslv2Redirect
The state of the SSLv2 Redirect feature. The SSLv2 Redirect feature can be used to provide more readable information to SSL clients about non-support of the SSLv2 protocol on the SSL vserver.
sslv2URL
The redirect URL to be used with SSLv2 Redirect feature.
clientAuth
The state of Client-Authentication support.
clientCert
The rule for client certificate requirement in client authentication.
sslRedirect
The state of HTTPS redirect feature support.
priority
The priority of the policies bound to this SSL service
type
Bind point to which to bind the policy. Possible values: REQUEST, INTERCEPT_REQ and CLIENTHELLO_REQ. These bind points mean:
1. REQUEST: Policy evaluation is done at the application layer above SSL. This bind point is the default and is used for actions based on client authentication and the client certificate.
2. INTERCEPT_REQ: Policy evaluation is done during the SSL handshake to decide whether or not to intercept. Actions allowed with this type are INTERCEPT, BYPASS and RESET.
3. CLIENTHELLO_REQ: Policy evaluation is done while handling the Client Hello request. Actions allowed with this type are RESET, FORWARD and PICKCACERTGRP.
polinherit
Whether or not the bound policy is an inherited policy.
redirectPortRewrite
The state of port rewrite feature support.
nonFipsCiphers
The state of usage of non FIPS approved ciphers.
ssl2
The state of SSLv2 protocol support.
ssl3
The state of SSLv3 protocol support.
tls1
The state of TLSv1.0 protocol support.
tls11
The state of TLSv1.1 protocol support.
tls12
The state of TLSv1.2 protocol support.
tls13
The state of TLSv1.3 protocol support.
dtls1
The state of DTLSv1.0 protocol support.
dtls12
The state of DTLSv1.2 protocol support.
SNIEnable
The state of the SNI extension. Server Name Indication (SNI) helps to enable SSL encryption on multiple subdomains if the domains are controlled by the same organization and share the same second-level domain name.
ocspStapling
State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values:
* ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of the SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake.
* DISABLED: The appliance does not check the status of the server certificate.
cipherAliasName/cipherName/cipherGroupName
The name of the cipher group/alias/individual cipher bindings.
cipherName
The cipher group/alias/individual cipher configuration
description
The cipher suite description.
service
Service
certkeyName
The name of the certificate key pair binding.
policyName
The name of the SSL policy binding.
invoke
Invoke flag. This attribute is relevant only for ADVANCED policies.
labelType
Type of policy label invocation.
labelName
Name of the label to invoke if the current policy rule evaluates to TRUE.
serviceName
Service name.
ocspCheck
The state of the OCSP check parameter. (Mandatory/Optional)
pushEncTrigger
PUSH packet triggering encryption: Always, Ignore, Merge
gotoPriorityExpression
Expression specifying the priority of the next policy which will get evaluated if the current policy rule evaluates to TRUE.
CA
CA certificate.
SNICert
The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.
eccCurveName
Named ECC curve bound to vserver/service.
stateflag
skipCAName
Flag indicating whether this particular CA certificate's CA_Name needs to be sent to the SSL client when requesting a client certificate in an SSL handshake.
sendCloseNotify
Enable sending SSL Close-Notify at the end of a transaction.
dtlsProfileName
Name of the DTLS profile whose settings are to be applied to the virtual server.
dtlsFlag
The flag is used to indicate whether DTLS is set or not
sslProfile
Name of the SSL profile that contains SSL settings for the virtual server.
HSTS
State of HSTS protocol support for the SSL Virtual Server. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client.
maxage
Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server.
IncludeSubdomains
Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains.
preload
Flag indicates the consent of the site owner to have their domain preloaded.
strictSigDigestCheck
Check whether the peer entity's certificate presented during the TLS 1.2 handshake is signed with one of the signature-hash combinations supported by Citrix ADC.
zeroRttEarlyData
State of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting only has an effect if resumption is enabled, as early data cannot be sent along with an initial handshake. Early application data has significantly different security properties; in particular, there is no guarantee that the data cannot be replayed.
tls13SessionTicketsPerAuthContext
Number of tickets the SSL Virtual Server will issue anytime TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handshake client auth completes. This value can be increased to enable clients to open multiple parallel connections using a fresh ticket for each connection. No tickets are sent if resumption is disabled.
dheKeyExchangeWithPsk
Whether or not the SSL Virtual Server will require a DHE key exchange to occur when a PSK is accepted during a TLS 1.3 resumption handshake. A DHE key exchange ensures forward secrecy even in the event that ticket keys are compromised, at the expense of an additional round trip and resources required to carry out the DHE key exchange. If disabled, a DHE key exchange will be performed when a PSK is accepted but only if requested by the client. If enabled, the server will require a DHE key exchange when a PSK is accepted regardless of whether the client supports combined PSK-DHE key exchange. This setting only has an effect when resumption is enabled.
devno
count
Example
An example of the output of the show vserver sslvip command is as follows:
sh ssl vserver va1
Advanced SSL configuration for VServer va1:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
1 bound certificate:
1) CertKey Name: buy Server Certificate
1 bound CA certificate:
1) CertKey Name: rtca CA Certificate
1) Cipher Name: DEFAULT
Description: Predefined Cipher Alias
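The output above is what an operator reviews when checking which protocol versions a virtual server still accepts, and several "Key: VALUE" pairs share a line, so a naive line-by-line parse misses the SSLv3 and TLSv1 states. The following Python is an added example, not Citrix code: it parses text in this format into a flat settings map and reports protocols a reviewer would flag (SSLv2 prohibited by RFC 6176, SSLv3 deprecated by RFC 7568, TLS 1.0 and 1.1 deprecated by RFC 8996), and notes when the output does not mention TLSv1.2 or TLSv1.3 at all. SAMPLE_OUTPUT reproduces the sample shown above so the script runs offline; the regular expression, function names and the WEAK_PROTOCOLS table are ours.

```python
"""Parse `show ssl vserver` text and flag weak protocol settings.

Added example, not Citrix code. SAMPLE_OUTPUT is the page's own sample output,
embedded so the script runs without an appliance."""
import re
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
Advanced SSL configuration for VServer va1:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
1 bound certificate:
1) CertKey Name: buy Server Certificate
1 bound CA certificate:
1) CertKey Name: rtca CA Certificate
1) Cipher Name: DEFAULT
Description: Predefined Cipher Alias
"""

# Several "Key: VALUE" pairs can share one line (e.g. the SSLv2/SSLv3/TLSv1
# line), so every pair on a line is collected. Keys may contain dots (TLSv1.2).
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 .]*?):\s+(\S+)")


def parse_show_ssl_vserver(text: str) -> Dict[str, str]:
    """Return a flat {setting: value} map; the first occurrence of a key wins,
    so the server certificate's CertKey Name is kept over the CA certificate's."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line):
            settings.setdefault(key.strip(), value)
    return settings


# Protocol keys as printed by show ssl vserver, with the reason ENABLED is flagged.
WEAK_PROTOCOLS = {
    "SSLv2": "SSLv2 is prohibited (RFC 6176)",
    "SSLv3": "SSLv3 is deprecated (RFC 7568)",
    "TLSv1": "TLS 1.0 is deprecated (RFC 8996)",
    "TLSv1.1": "TLS 1.1 is deprecated (RFC 8996)",
}


def audit_protocols(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """One (setting, reason) tuple per weak protocol left ENABLED, plus a note
    when the output names no modern protocol at all."""
    findings: List[Tuple[str, str]] = []
    for proto, reason in WEAK_PROTOCOLS.items():
        if settings.get(proto, "").upper() == "ENABLED":
            findings.append((proto, reason))
    if not any(p in settings for p in ("TLSv1.2", "TLSv1.3")):
        findings.append(("TLSv1.2/TLSv1.3",
                         "not reported in this output; confirm on the appliance"))
    return findings


if __name__ == "__main__":
    parsed = parse_show_ssl_vserver(SAMPLE_OUTPUT)
    for setting, reason in audit_protocols(parsed):
        print(f"{setting}: {reason}")
```

On the sample output this reports SSLv3 and TLSv1 as ENABLED and notes that TLSv1.2/TLSv1.3 are not shown; the same parser can be pointed at the saved output of `show ssl vserver` for every virtual server on an appliance to build an inventory of protocol settings.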
stat ssl vserver
Displays statistics for all SSL virtual servers, or displays detailed statistics for the specified SSL virtual server.
Synopsis
stat ssl vserver [<vServerName>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>] [-clearstats ( basic | full )]
Arguments
vServerName
Name of the SSL virtual server for which to show detailed statistics.
detail
Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.
fullValues
Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated.
ntimes
The number of times, in intervals of seven seconds, the statistics should be displayed.
Default value: 1 Minimum value: 0
logFile
The name of the log file to be used as input.
clearstats
Clear the statistics / counters.
Possible values: basic, full
Output
count
devno
stateflag
Counters
Vserver Health (Health)
Health of the vserver. This gives percentage of UP services bound to this vserver.
Vserver IP address (vsvrIP)
IP address of the vserver
Port (port)
The port on which the service is running.
Vserver protocol (Protocol)
Protocol associated with the vserver
State
Current state of the server. There are seven possible values: UP(7), DOWN(1), UNKNOWN(2), BUSY(3), OFS(Out of Service)(4), TROFS(Transition Out of Service)(5), TROFS_DOWN(Down When going Out of Service)(8)
total ACTIVE services (actSvcs)
Number of ACTIVE services bound to a vserver.
Client Authentication Success (sslTotClientAuthSuccess)
Number of successful client authentications on this vserver.
Client Authentication Failure (sslTotClientAuthFailure)
Number of failed client authentications on this vserver.
Total encrypted bytes (sslCtxTotEncBytes)
Number of encrypted bytes per SSL vserver
Total decrypted bytes (sslCtxTotDecBytes)
Number of decrypted bytes per SSL vserver
Total hardware encrypted bytes (sslCtxTotHwEncBytes)
Number of hardware encrypted bytes per SSL vserver
Total hardware decrypted bytes (sslCtxTotHwDec_Bytes)
Number of hardware decrypted bytes per SSL vserver
Total new sessions created (sslCtxTotSessionNew)
Number of new sessions created
Total session hits (sslCtxTotSessionHits)
Number of session hits