I'm once again shamelessly copy/pasting a new post on here. I don't feel too ashamed of it, since I did actually write the original post. It turns out we have MySites at work, and that the Blog feature is enabled! I'll very likely be posting in both places as the life of this Blog thing draws onward.
***
There's been a lot of chatter about the Heartbleed SSL vulnerability in the
last couple of weeks, and rightfully so. One place folks seem to love going is
over to SSLLabs, since they have a server tester you can
run to determine what kind of safety grade – A to F – you get.
At the outset, my tests of the BOC Link and MyChart sites generated giant,
terrifyingly red "F" results. This was not due to Heartbleed, thank goodness,
since the NetScalers do not use an affected version of OpenSSL (OSSL), and none of my web
servers use OpenSSL at all. What failed me instead was another, slightly older
vulnerability: insecure SSL renegotiation.
Both BOC Link and MyChart run behind a NetScaler
virtual VPX appliance running v10.0.x of the software. Out of the box,
NetScalers are configured to allow all SSL renegotiation in all forms, whether
initiated from the client connection or the server. A quick check at the console
will tell you the current status of the parameter:
```
> show ssl parameter
        Advanced SSL Parameters
        -----------------------
        SSL quantum size: 8 kB
        Max CRL memory size: 256 MB
        Strict CA checks: NO
        Encryption trigger timeout 100 mS
        Send Close-Notify YES
        Encryption trigger packet count: 45
        Deny SSL Renegotiation NO
        Subject/Issuer Name Insertion Format: Unicode
        OCSP cache size: 10 MB
        Push flag: 0x0 (Auto)
        Strict Host Header check for SNI enabled SSL sessions: NO
        PUSH encryption trigger timeout: 1 ms
        Global undef action for control policies: CLIENTAUTH
        Global Undef action for data policies: NOOP
```
Citrix has a pretty handy article on what exactly the
`-denySSLReneg` parameter is, what its options are, and how to
change it. See it here.
Here's the command:

```
> set ssl parameter -denySSLReneg NONSECURE
 Done
```
By setting the Deny SSL Renegotiation option to NONSECURE,
I've corrected the renegotiation vulnerability without (hopefully) creating any
compatibility issues for our Link and MyChart users. This setting appears to be
global, so effecting this change raised the scores of both sites from "F" to
"A-" (RC4 ciphers, indeed!) simultaneously.
```
> show ssl parameter
        Advanced SSL Parameters
        -----------------------
        SSL quantum size: 8 kB
        Max CRL memory size: 256 MB
        Strict CA checks: NO
        Encryption trigger timeout 100 mS
        Send Close-Notify YES
        Encryption trigger packet count: 45
        Deny SSL Renegotiation NONSECURE
        Subject/Issuer Name Insertion Format: Unicode
        OCSP cache size: 10 MB
        Push flag: 0x0 (Auto)
        Strict Host Header check for SNI enabled SSL sessions: NO
        PUSH encryption trigger timeout: 1 ms
        Global undef action for control policies: CLIENTAUTH
        Global Undef action for data policies: NOOP
```
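As an added example (my own, not from the post or from Citrix), here is a small Python audit that pulls the Deny SSL Renegotiation value out of saved `show ssl parameter` output like the captures above, flags the factory default `NO`, and names the remediation command; the `-denySSLReneg` values other than `NO` and `NONSECURE` are assumed from Citrix's documentation of the parameter rather than taken from this post.

```python
import re

# Constructed sample: the pre-fix "show ssl parameter" output quoted in the post,
# trimmed to the lines that matter for this check.
BEFORE_FIX = """\
> show ssl parameter
        Advanced SSL Parameters
        -----------------------
        Strict CA checks: NO
        Encryption trigger timeout 100 mS
        Deny SSL Renegotiation NO
        OCSP cache size: 10 MB
"""
# Same output after "set ssl parameter -denySSLReneg NONSECURE".
AFTER_FIX = re.sub(r"(Deny SSL Renegotiation:?\s+)NO\b", r"\1NONSECURE", BEFORE_FIX)

# The label is printed without a colon on 10.x, so match the value by label name
# rather than splitting on ':' (which would also catch "Strict CA checks: NO").
DENY_RENEG_RE = re.compile(r"^\s*Deny SSL Renegotiation:?\s+(\S+)", re.MULTILINE)

# What each -denySSLReneg value permits. NONSECURE is the value the post uses;
# the other names are the remaining options Citrix documents for the parameter
# (assumption: the set is unchanged on the 10.0.x build in the post).
RENEG_POLICY = {
    "NO": "all renegotiation allowed, including insecure client-initiated renegotiation",
    "NONSECURE": "only RFC 5746 secure renegotiation allowed",
    "FRONTEND_CLIENT": "client-initiated renegotiation on the front end denied",
    "FRONTEND_CLIENTSERVER": "client- and server-initiated front-end renegotiation denied",
    "ALL": "all renegotiation denied",
}
REMEDIATION = "set ssl parameter -denySSLReneg NONSECURE"

def deny_ssl_reneg(show_output):
    """Return the Deny SSL Renegotiation value from 'show ssl parameter' output, or None."""
    m = DENY_RENEG_RE.search(show_output)
    return m.group(1) if m else None

def audit_renegotiation(show_output):
    """Grade the setting: NO (the factory default) fails, any restricting value passes."""
    value = deny_ssl_reneg(show_output)
    if value is None:
        return {"value": None, "compliant": False, "reason": "parameter not found", "remediation": REMEDIATION}
    compliant = value in RENEG_POLICY and value != "NO"
    return {
        "value": value,
        "compliant": compliant,
        "reason": RENEG_POLICY.get(value, "unrecognised value"),
        "remediation": None if compliant else REMEDIATION,
    }
```

Feed it the text of `show ssl parameter` from each appliance you manage and the `compliant` flag tells you which ones still sit at the default.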