ADC CLI Commands

ssl-profile

The following operations can be performed on “ssl-profile”:

bind unset show set unbind add rm

bind ssl profile

Binds a cipher or ecccurve or certkey to an SSL profile.

Synopsis

bind ssl profile \(\(-cipherName \[-cipherPriority <positive\_integer>]) | -eccCurveName | -ssliCACertkey )

Arguments

name Name of the SSL profile.

cipherName Name of the cipher.

cipherPriority Priority of the cipher binding Minimum value: 1 Maximum value: 1000

eccCurveName Named ECC curve bound to service/vserver.

Possible values: ALL, P_224, P_256, P_384, P_521, X_25519

ssliCACertkey The certkey (CA certificate + private key) to be used for SSL interception.

Example

  1. bind ssl profile ssl_prof -cipherName cipher_sha In the above example cipher group cipher_sha is bound to the SSL profile ssl_prof. Priority of cipher_sha will be next available maximum value.
  2. bind ssl profile ssl_prof -cipherName cipher_sha -cipherPriority 5 In the above example cipher group cipher_sha is bound to the SSL profile ssl_prof at cipher priority 5.
  3. bind ssl profile ssl_prof -eccCurveName P_256 In the above example P_256 eccCurve is bound to the SSL profile ssl_prof.
  4. bind ssl profile ssl_prof -ssliCACertkey ca_certkey In the above example the certkey named ca_certkey is bound to the SSL profile ssl_prof.

unset ssl profile

Use this command to remove ssl profile settings.Refer to the set ssl profile command for meanings of the arguments.

Synopsis

unset ssl profile [-ssllogProfile] [-dh] [-dhFile] [-dhCount] [-dhKeyExpSizeLimit] [-eRSA] [-eRSACount] [-sessReuse] [-sessTimeout] [-cipherRedirect] [-cipherURL] [-clientAuth] [-clientCert] [-sslRedirect] [-redirectPortRewrite] [-ssl3] [-tls1] [-tls11] [-tls12] [-tls13] [-SNIEnable] [-allowUnknownSNI] [-ocspStapling] [-serverAuth] [-commonName] [-pushEncTrigger] [-sendCloseNotify] [-clearTextPort] [-insertionEncoding] [-denySSLReneg] [-maxRenegRate] [-quantumSize] [-strictCAChecks] [-encryptTriggerPktCount] [-pushFlag] [-dropReqWithNoHostHeader] [-SNIHTTPHostMatch] [-pushEncTriggerTimeout] [-sslTriggerTimeout] [-clientAuthUseBoundCAChain] [-sslInterception] [-ssliReneg] [-ssliOCSPCheck] [-ssliMaxSessPerServer] [-HSTS] [-maxage] [-IncludeSubdomains] [-preload] [-sessionTicket] [-sessionTicketLifeTime] [-sessionTicketKeyRefresh] [-sessionTicketKeyData] [-sessionKeyLifeTime] [-prevSessionKeyLifeTime] [-cipherName] [-cipherPriority] [-strictSigDigestCheck] [-skipClientCertPolicyCheck] [-zeroRttEarlyData] [-tls13SessionTicketsPerAuthContext] [-dheKeyExchangeWithPsk] [-allowExtendedMasterSecret] [-ALPNProtocol]

show ssl profile

Display all the configured SSL profiles in the system. If a name is specified, then only that profile is shown.

Synopsis

show ssl profile []

Arguments

name Name of the SSL profile for which to show detailed information.

Output

dh State of Diffie-Hellman (DH) key exchange. This parameter is not applicable when configuring a backend profile.

dhFile The file name and path for the DH parameter.

dhCount Number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies refresh every time. This parameter is not applicable when configuring a backend profile. Allowed DH count values are 0 and >= 500.

dhKeyExpSizeLimit This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.

eRSA State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts. This parameter is not applicable when configuring a backend profile.

eRSACount The refresh count for the re-generation of RSA public-key and private-key pair.

sessReuse State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.

sessTimeout The Session timeout value in seconds.

cipherRedirect State of Cipher Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client. This parameter is not applicable when configuring a backend profile.

cipherURL The redirect URL to be used with the Cipher Redirect feature.

clientAuth State of client authentication. In service-based SSL offload, the service terminates the SSL handshake if the SSL client does not provide a valid certificate. This parameter is not applicable when configuring a backend profile.

clientCert The rule for client certificate requirement in client authentication.

sslRedirect State of HTTPS redirects for the SSL service. For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect. If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break. This parameter is not applicable when configuring a backend profile.

redirectPortRewrite State of the port rewrite while performing HTTPS redirect. If this parameter is set to ENABLED, and the URL from the server does not contain the standard port, the port is rewritten to the standard.

nonFipsCiphers State of usage of ciphers that are not FIPS approved. Valid only for an SSL service bound with a FIPS key and certificate.

ssl3 State of SSLv3 protocol support for the SSL profile. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.

tls1 State of TLSv1.0 protocol support for the SSL profile.

tls11 State of TLSv1.1 protocol support for the SSL profile.

tls12 State of TLSv1.2 protocol support for the SSL profile.

tls13 State of TLSv1.3 protocol support for the SSL profile.

SNIEnable State of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.

allowUnknownSNI Controls how the handshake is handled when the server name extension does not match any of the bound certificates. These checks are performed only if the session is SNI enabled (i.e. when profile bound to vserver has SNIEnable and Client Hello arrived with SNI extension). Available settings function as follows : ENABLED - handshakes with an unknown SNI are allowed to continue, if a default cert is bound. DISLABED - handshakes with an unknown SNI are not allowed to continue.

ocspStapling State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values: ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate.

serverAuth State of server authentication support for the SSL Backend profile.

commonName Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server.

pushEncTrigger Trigger encryption on the basis of the PUSH flag value. Available settings function as follows:

  • ALWAYS - Any PUSH packet triggers encryption.
  • IGNORE - Ignore PUSH packet for triggering encryption.
  • MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.
  • TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box.

sendCloseNotify Enable sending SSL Close-Notify at the end of a transaction.

clearTextPort Port on which clear-text data is sent by the appliance to the server. Do not specify this parameter for SSL offloading with end-to-end encryption.

insertionEncoding Encoding method used to insert the subject or issuer’s name in HTTP requests to servers.

denySSLReneg Deny renegotiation in specified circumstances. Available settings function as follows:

  • NO - Allow SSL renegotiation.
  • FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the client.
  • FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by the client or the Citrix ADC during policy-based client authentication.
  • ALL - Deny all secure and nonsecure SSL renegotiation.
  • NONSECURE - Deny nonsecure SSL renegotiation. Allows only clients that support RFC 5746.

maxRenegRate Maximum number of renegotiation requests allowed, in one second, to each SSL entity to which this profile is bound. When set to 0, an unlimited number of renegotiation requests are allowed. Applicable only when Deny SSL renegotiation is set to a value other than ALL.

quantumSize Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.

strictCAChecks Enable strict CA certificate checks on the appliance.

encryptTriggerPktCount Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC.

pushFlag Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows: 0 - Auto (PUSH flag is not set.) 1 - Insert PUSH flag into every decrypted record. 2 -Insert PUSH flag into every encrypted record. 3 - Insert PUSH flag into every decrypted and encrypted record.

dropReqWithNoHostHeader Host header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions(i.e vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension), the request is dropped.

SNIHTTPHostMatch Controls how the HTTP ‘Host’ header value is validated. These checks are performed only if the session is SNI enabled (i.e when vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension) and HTTP request contains ‘Host’ header. Available settings function as follows: CERT - Request is forwarded if the ‘Host’ value is covered by the certificate used to establish this SSL session. Note: ‘CERT’ matching mode cannot be applied in TLS 1.3 connections established by resuming from a previous TLS 1.3 session. On these connections, ‘STRICT’ matching mode will be used instead. STRICT - Request is forwarded only if value of ‘Host’ header in HTTP is identical to the ‘Server name’ value passed in ‘Client Hello’ of the SSL connection. NO - No validation is performed on the HTTP ‘Host’ header value.

pushEncTriggerTimeout PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.

sslTriggerTimeout Time, in milliseconds, after which encryption is triggered for transactions that are not tracked on the Citrix ADC because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue.

eccCurveName Named ECC curve bound to vserver/service.

description The cipher suite description.

cipherAliasName/cipherName/cipherGroupName The name of the cipher group/alias/individual cipheri bindings.

cipherPriority cipher priority

cipherName The cipher group/alias/individual cipher configuration

crlCheck The state of the CRL check parameter. (Mandatory/Optional)

ocspCheck The state of the OCSP check parameter. (Mandatory/Optional)

SNICert The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.

skipCAName The flag is used to indicate whether this particular CA certificate’s CA_Name needs to be sent to the SSL client while requesting for client certificate in a SSL handshake

stateflag invoke Invoke flag. This attribute is relevant only for ADVANCED policies

labelType Type of policy label invocation.

sslProfileType Type of profile. Front end profiles apply to the entity that receives requests from a client. Backend profiles apply to the entity that sends client requests to a server.

gslbServiceFlag Indicates that the ssl profile has been bound to gslb service.

clientAuthUseBoundCAChain Certficates bound on the VIP are used for validating the client cert. Certficates came along with client cert are not used for validating the client cert

serviceName Service name.

ssllogProfile The name of the ssllogprofile.

service Service

builtin Flag to determine whether ssl profile is built-in or not

feature The feature to be checked while applying this config

sslpfobjecttype Internal flag to indicate what type of object binds this profile: monitor or service

sslInterception Enable or disable transparent interception of SSL sessions.

ssliCACertkey The certkey (CA certificate + private key) to be used for SSL interception.

ssliVerifyServerCertForReuse Verify the origin server’s certificate before reusing the front-end SSL session. Making it hidden since we always verify for now.

ssliReneg Enable or disable triggering the client renegotiation when renegotiation request is received from the origin server.

ssliOCSPCheck Enable or disable OCSP check for origin server certificate.

ssliMaxSessPerServer Maximum ssl session to be cached per dynamic origin server. A unique ssl session is created for each SNI received from the client on ClientHello and the matching session is used for server session reuse.

sessionTicket This option enables the use of session tickets, as per the RFC 5077

sessionTicketLifeTime This option sets the life time of session tickets issued by NS in secs

sessionTicketKeyRefresh This option enables the use of session tickets, as per the RFC 5077

sessionTicketKeyData Session ticket enc/dec key , admin can set it

sessionKeyLifeTime This option sets the life time of symm key used to generate session tickets issued by NS in secs

prevSessionKeyLifeTime This option sets the life time of symm key used to generate session tickets issued by NS in secs

HSTS State of HSTS protocol support for the SSL profile. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client

maxage Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server

IncludeSubdomains Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains.

preload Flag indicates the consent of the site owner to have their domain preloaded.

strictSigDigestCheck Parameter indicating to check whether peer entity certificate during TLS1.2 handshake is signed with one of signature-hash combination supported by Citrix ADC.

skipClientCertPolicyCheck This flag controls the processing of X509 certificate policies. If this option is Enabled, then the policy check in Client authentication will be skipped. This option can be used only when Client Authentication is Enabled and ClientCert is set to Mandatory

zeroRttEarlyData State of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting only has an effect if resumption is enabled, as early data cannot be sent along with an initial handshake. Early application data has significantly different security properties - in particular there is no guarantee that the data cannot be replayed.

tls13SessionTicketsPerAuthContext Number of tickets the SSL Virtual Server will issue anytime TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handhsake client auth completes. This value can be increased to enable clients to open multiple parallel connections using a fresh ticket for each connection. No tickets are sent if resumption is disabled.

dheKeyExchangeWithPsk Whether or not the SSL Virtual Server will require a DHE key exchange to occur when a PSK is accepted during a TLS 1.3 resumption handshake. A DHE key exchange ensures forward secrecy even in the event that ticket keys are compromised, at the expense of an additional round trip and resources required to carry out the DHE key exchange. If disabled, a DHE key exchange will be performed when a PSK is accepted but only if requested by the client. If enabled, the server will require a DHE key exchange when a PSK is accepted regardless of whether the client supports combined PSK-DHE key exchange. This setting only has an effect when resumption is enabled.

allowExtendedMasterSecret When set to YES, attempt to use the TLS Extended Master Secret (EMS, as described in RFC 7627) when negotiating TLS 1.0, TLS 1.1 and TLS 1.2 connection parameters. EMS must be supported by both the TLS client and server in order to be enabled during a handshake. This setting applies to both frontend and backend SSL profiles.

ALPNProtocol Application protocol supported by the server and used in negotiation of the protocol with the client. Possible values are HTTP1.1, HTTP2 and NONE. Default value is NONE which implies application protocol is not enabled hence remain unknown to the TLS layer. This parameter is relevant only if SSL connection is handled by the virtual server of the type SSL_TCP.

noDefaultBindings When set to YES, the SSL profile will not have default Cipher and Elliptic Curve bindings.

devno count

Example

show ssl profile [profile name]

set ssl profile

Set/modify SSL profile values

Synopsis

set ssl profile \[-ssllogProfile ] \[-dh \( ENABLED | DISABLED ) -dhFile ] \[-dhCount <positive\_integer>] \[-dhKeyExpSizeLimit \( ENABLED | DISABLED )] \[-eRSA \( ENABLED | DISABLED ) \[-eRSACount <positive\_integer>]] \[-sessReuse \( ENABLED | DISABLED ) \[-sessTimeout <positive\_integer>]] \[-cipherRedirect \( ENABLED | DISABLED ) \[-cipherURL ]] \[-clientAuth \( ENABLED | DISABLED ) \[-clientCert \( Mandatory | Optional )]] \[-sslRedirect \( ENABLED | DISABLED )] \[-redirectPortRewrite \( ENABLED | DISABLED )] \[-ssl3 \( ENABLED | DISABLED )] \[-tls1 \( ENABLED | DISABLED )] \[-tls11 \( ENABLED | DISABLED )] \[-tls12 \( ENABLED | DISABLED )] \[-tls13 \( ENABLED | DISABLED )] \[-SNIEnable \( ENABLED | DISABLED ) \[-allowUnknownSNI \( ENABLED | DISABLED )]] \[-ocspStapling \( ENABLED | DISABLED )] \[-serverAuth \( ENABLED | DISABLED )] \[-commonName ] \[-pushEncTrigger ] \[-sendCloseNotify \( YES | NO )] \[-clearTextPort <port|\*>] \[-insertionEncoding \( Unicode | UTF-8 )] \[-denySSLReneg ] \[-maxRenegRate <positive\_integer>] \[-quantumSize ] \[-strictCAChecks \( YES | NO )] \[-encryptTriggerPktCount <positive\_integer>] \[-pushFlag <positive\_integer>] \[-dropReqWithNoHostHeader \( YES | NO )] \[-SNIHTTPHostMatch ] \[-pushEncTriggerTimeout <positive\_integer>] \[-sslTriggerTimeout <positive\_integer>] \[-clientAuthUseBoundCAChain \( ENABLED | DISABLED )] \[-sslInterception \( ENABLED | DISABLED )] \[-ssliReneg \( ENABLED | DISABLED )] \[-ssliOCSPCheck \( ENABLED | DISABLED )] \[-ssliMaxSessPerServer <positive\_integer>] \[-HSTS \( ENABLED | DISABLED )] \[-maxage <positive\_integer>] \[-IncludeSubdomains \( YES | NO )] \[-preload \( YES | NO )] \[-sessionTicket \( ENABLED | DISABLED )] \[-sessionTicketLifeTime <positive\_integer>] \[-sessionTicketKeyRefresh \( ENABLED | DISABLED )] {-sessionTicketKeyData } \[-sessionKeyLifeTime <positive\_integer>] \[-prevSessionKeyLifeTime <positive\_integer>] \[-cipherName -cipherPriority <positive\_integer>] \[-strictSigDigestCheck \( ENABLED | DISABLED )] \[-skipClientCertPolicyCheck \( ENABLED | DISABLED )] \[-zeroRttEarlyData \( ENABLED | DISABLED )] \[-tls13SessionTicketsPerAuthContext <positive\_integer>] \[-dheKeyExchangeWithPsk \( YES | NO )] \[-allowExtendedMasterSecret \( YES | NO )] \[-ALPNProtocol ]

Arguments

name Name for the SSL profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the profile is created.

ssllogProfile The name of the ssllogprofile.

dh State of Diffie-Hellman (DH) key exchange. This parameter is not applicable when configuring a backend profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

dhFile The file name and path for the DH parameter.

dhCount Number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies refresh every time. This parameter is not applicable when configuring a backend profile. Allowed DH count values are 0 and >= 500. Minimum value: 0 Maximum value: 65534

dhKeyExpSizeLimit This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.

Possible values: ENABLED, DISABLED Default value: DISABLED

eRSA State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts. This parameter is not applicable when configuring a backend profile.

Possible values: ENABLED, DISABLED Default value: ENABLED

eRSACount The refresh count for the re-generation of RSA public-key and private-key pair. Minimum value: 0 Maximum value: 65534

sessReuse State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.

Possible values: ENABLED, DISABLED Default value: ENABLED

sessTimeout The Session timeout value in seconds. Default value: 120 Minimum value: 0 Maximum value: 4294967294

cipherRedirect State of Cipher Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client. This parameter is not applicable when configuring a backend profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

cipherURL The redirect URL to be used with the Cipher Redirect feature.

clientAuth State of client authentication. In service-based SSL offload, the service terminates the SSL handshake if the SSL client does not provide a valid certificate. This parameter is not applicable when configuring a backend profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

clientCert The rule for client certificate requirement in client authentication.

Possible values: Mandatory, Optional

sslRedirect State of HTTPS redirects for the SSL service. For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect. If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break. This parameter is not applicable when configuring a backend profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

redirectPortRewrite State of the port rewrite while performing HTTPS redirect. If this parameter is set to ENABLED, and the URL from the server does not contain the standard port, the port is rewritten to the standard.

Possible values: ENABLED, DISABLED Default value: DISABLED

ssl3 State of SSLv3 protocol support for the SSL profile. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.

Possible values: ENABLED, DISABLED Default value: DISABLED

tls1 State of TLSv1.0 protocol support for the SSL profile.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls11 State of TLSv1.1 protocol support for the SSL profile.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls12 State of TLSv1.2 protocol support for the SSL profile.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls13 State of TLSv1.3 protocol support for the SSL profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

SNIEnable State of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.

Possible values: ENABLED, DISABLED Default value: DISABLED

allowUnknownSNI Controls how the handshake is handled when the server name extension does not match any of the bound certificates. These checks are performed only if the session is SNI enabled (i.e. when profile bound to vserver has SNIEnable and Client Hello arrived with SNI extension). Available settings function as follows : ENABLED - handshakes with an unknown SNI are allowed to continue, if a default cert is bound. DISLABED - handshakes with an unknown SNI are not allowed to continue.

Possible values: ENABLED, DISABLED Default value: DISABLED

ocspStapling State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values: ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate.

Possible values: ENABLED, DISABLED Default value: DISABLED

serverAuth State of server authentication support for the SSL Backend profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

commonName Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server.

pushEncTrigger Trigger encryption on the basis of the PUSH flag value. Available settings function as follows:

  • ALWAYS - Any PUSH packet triggers encryption.
  • IGNORE - Ignore PUSH packet for triggering encryption.
  • MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.
  • TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box.

Possible values: Always, Merge, Ignore, Timer

sendCloseNotify Enable sending SSL Close-Notify at the end of a transaction.

Possible values: YES, NO Default value: YES

clearTextPort Port on which clear-text data is sent by the appliance to the server. Do not specify this parameter for SSL offloading with end-to-end encryption.

insertionEncoding Encoding method used to insert the subject or issuer’s name in HTTP requests to servers.

Possible values: Unicode, UTF-8 Default value: Unicode

denySSLReneg Deny renegotiation in specified circumstances. Available settings function as follows:

  • NO - Allow SSL renegotiation.
  • FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the client.
  • FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by the client or the Citrix ADC during policy-based client authentication.
  • ALL - Deny all secure and nonsecure SSL renegotiation.
  • NONSECURE - Deny nonsecure SSL renegotiation. Allows only clients that support RFC 5746.

Possible values: NO, FRONTEND_CLIENT, FRONTEND_CLIENTSERVER, ALL, NONSECURE Default value: ALL

maxRenegRate Maximum number of renegotiation requests allowed, in one second, to each SSL entity to which this profile is bound. When set to 0, an unlimited number of renegotiation requests are allowed. Applicable only when Deny SSL renegotiation is set to a value other than ALL. Default value: 0 Minimum value: 0 Maximum value: 65535

quantumSize Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.

Possible values: 4096, 8192, 16384 Default value: 8192

strictCAChecks Enable strict CA certificate checks on the appliance.

Possible values: YES, NO Default value: NO

encryptTriggerPktCount Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC. Default value: 45 Minimum value: 10 Maximum value: 50

pushFlag Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows: 0 - Auto (PUSH flag is not set.) 1 - Insert PUSH flag into every decrypted record. 2 -Insert PUSH flag into every encrypted record. 3 - Insert PUSH flag into every decrypted and encrypted record. Minimum value: 0 Maximum value: 3

dropReqWithNoHostHeader Host header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions(i.e vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension), the request is dropped.

Possible values: YES, NO Default value: NO

SNIHTTPHostMatch Controls how the HTTP ‘Host’ header value is validated. These checks are performed only if the session is SNI enabled (i.e when vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension) and HTTP request contains ‘Host’ header. Available settings function as follows: CERT - Request is forwarded if the ‘Host’ value is covered by the certificate used to establish this SSL session. Note: ‘CERT’ matching mode cannot be applied in TLS 1.3 connections established by resuming from a previous TLS 1.3 session. On these connections, ‘STRICT’ matching mode will be used instead. STRICT - Request is forwarded only if value of ‘Host’ header in HTTP is identical to the ‘Server name’ value passed in ‘Client Hello’ of the SSL connection. NO - No validation is performed on the HTTP ‘Host’ header value.

Possible values: NO, CERT, STRICT Default value: CERT

pushEncTriggerTimeout PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings. Default value: 1 Minimum value: 1 Maximum value: 200

sslTriggerTimeout Time, in milliseconds, after which encryption is triggered for transactions that are not tracked on the Citrix ADC because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue. Default value: 100 Minimum value: 1 Maximum value: 200

clientAuthUseBoundCAChain Certficates bound on the VIP are used for validating the client cert. Certficates came along with client cert are not used for validating the client cert

Possible values: ENABLED, DISABLED Default value: DISABLED

sslInterception Enable or disable transparent interception of SSL sessions.

Possible values: ENABLED, DISABLED Default value: DISABLED

ssliReneg Enable or disable triggering the client renegotiation when renegotiation request is received from the origin server.

Possible values: ENABLED, DISABLED Default value: ENABLED

ssliOCSPCheck Enable or disable OCSP check for origin server certificate.

Possible values: ENABLED, DISABLED Default value: ENABLED

ssliMaxSessPerServer Maximum ssl session to be cached per dynamic origin server. A unique ssl session is created for each SNI received from the client on ClientHello and the matching session is used for server session reuse. Default value: 10 Minimum value: 1 Maximum value: 1000

HSTS State of HSTS protocol support for the SSL profile. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client

Possible values: ENABLED, DISABLED Default value: DISABLED

maxage Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server Default value: 0 Minimum value: 0 Maximum value: 4294967294

IncludeSubdomains Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains.

Possible values: YES, NO Default value: NO

preload Flag indicates the consent of the site owner to have their domain preloaded.

Possible values: YES, NO Default value: NO

sessionTicket This option enables the use of session tickets, as per the RFC 5077

Possible values: ENABLED, DISABLED Default value: DISABLED

sessionTicketLifeTime This option sets the life time of session tickets issued by NS in secs Default value: 300 Minimum value: 0 Maximum value: 172800

sessionTicketKeyRefresh This option enables the use of session tickets, as per the RFC 5077

Possible values: ENABLED, DISABLED Default value: ENABLED

sessionTicketKeyData Session ticket enc/dec key , admin can set it

sessionKeyLifeTime This option sets the life time of symm key used to generate session tickets issued by NS in secs Default value: 3000 Minimum value: 600 Maximum value: 86400

prevSessionKeyLifeTime This option sets the life time of symm key used to generate session tickets issued by NS in secs Default value: 0 Minimum value: 0 Maximum value: 172800

cipherName The cipher group/alias/individual cipher configuration

cipherPriority cipher priority Minimum value: 1

strictSigDigestCheck Parameter indicating to check whether peer entity certificate during TLS1.2 handshake is signed with one of signature-hash combination supported by Citrix ADC.

Possible values: ENABLED, DISABLED Default value: DISABLED

skipClientCertPolicyCheck This flag controls the processing of X509 certificate policies. If this option is Enabled, then the policy check in Client authentication will be skipped. This option can be used only when Client Authentication is Enabled and ClientCert is set to Mandatory

Possible values: ENABLED, DISABLED Default value: DISABLED

zeroRttEarlyData State of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting only has an effect if resumption is enabled, as early data cannot be sent along with an initial handshake. Early application data has significantly different security properties - in particular there is no guarantee that the data cannot be replayed.

Possible values: ENABLED, DISABLED Default value: DISABLED

tls13SessionTicketsPerAuthContext Number of tickets the SSL Virtual Server will issue anytime TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handhsake client auth completes. This value can be increased to enable clients to open multiple parallel connections using a fresh ticket for each connection. No tickets are sent if resumption is disabled. Default value: 1 Minimum value: 1 Maximum value: 10

dheKeyExchangeWithPsk Whether or not the SSL Virtual Server will require a DHE key exchange to occur when a PSK is accepted during a TLS 1.3 resumption handshake. A DHE key exchange ensures forward secrecy even in the event that ticket keys are compromised, at the expense of an additional round trip and resources required to carry out the DHE key exchange. If disabled, a DHE key exchange will be performed when a PSK is accepted but only if requested by the client. If enabled, the server will require a DHE key exchange when a PSK is accepted regardless of whether the client supports combined PSK-DHE key exchange. This setting only has an effect when resumption is enabled.

Possible values: YES, NO Default value: NO

allowExtendedMasterSecret When set to YES, attempt to use the TLS Extended Master Secret (EMS, as described in RFC 7627) when negotiating TLS 1.0, TLS 1.1 and TLS 1.2 connection parameters. EMS must be supported by both the TLS client and server in order to be enabled during a handshake. This setting applies to both frontend and backend SSL profiles.

Possible values: YES, NO Default value: NO

ALPNProtocol Application protocol supported by the server and used in negotiation of the protocol with the client. Possible values are HTTP1.1, HTTP2 and NONE. Default value is NONE which implies application protocol is not enabled hence remain unknown to the TLS layer. This parameter is relevant only if SSL connection is handled by the virtual server of the type SSL_TCP.

Possible values: NONE, HTTP1.1, HTTP2 Default value: NONE

Example

set ssl profile -tls1 ENABLED

unbind ssl profile

Unbinds a cipher or eccCurve or certkey from an SSL profile.

Synopsis

unbind ssl profile \(-cipherName | -eccCurveName | -ssliCACertkey )

Arguments

name Name of the SSL profile

cipherName Name of the cipher.

eccCurveName Named ECC curve bound to service/vserver.

Possible values: ALL, P_224, P_256, P_384, P_521, X_25519

ssliCACertkey The certkey (CA certificate + private key) to be used for SSL interception.

Example

unbind ssl profile ssl_profile1 -cipherName cipher_sha

add ssl profile

Add a new SSL profile on the Citrix ADC

Synopsis

add ssl profile \[-sslProfileType ] \[-ssllogProfile ] \[-dhCount <positive\_integer>] \[-dh \( ENABLED | DISABLED ) -dhFile ] \[-eRSA \( ENABLED | DISABLED ) \[-eRSACount <positive\_integer>]] \[-sessReuse \( ENABLED | DISABLED ) \[-sessTimeout <positive\_integer>]] \[-cipherRedirect \( ENABLED | DISABLED ) \[-cipherURL ]] \[-clientAuth \( ENABLED | DISABLED ) \[-clientCert \( Mandatory | Optional )]] \[-dhKeyExpSizeLimit \( ENABLED | DISABLED )] \[-sslRedirect \( ENABLED | DISABLED )] \[-redirectPortRewrite \( ENABLED | DISABLED )] \[-ssl3 \( ENABLED | DISABLED )] \[-tls1 \( ENABLED | DISABLED )] \[-tls11 \( ENABLED | DISABLED )] \[-tls12 \( ENABLED | DISABLED )] \[-tls13 \( ENABLED | DISABLED )] \[-SNIEnable \( ENABLED | DISABLED ) \[-allowUnknownSNI \( ENABLED | DISABLED )]] \[-ocspStapling \( ENABLED | DISABLED )] \[-serverAuth \( ENABLED | DISABLED )] \[-commonName ] \[-pushEncTrigger ] \[-sendCloseNotify \( YES | NO )] \[-clearTextPort <port|\*>] \[-insertionEncoding \( Unicode | UTF-8 )] \[-denySSLReneg ] \[-maxRenegRate <positive\_integer>] \[-quantumSize ] \[-strictCAChecks \( YES | NO )] \[-encryptTriggerPktCount <positive\_integer>] \[-pushFlag <positive\_integer>] \[-dropReqWithNoHostHeader \( YES | NO )] \[-SNIHTTPHostMatch ] \[-pushEncTriggerTimeout <positive\_integer>] \[-sslTriggerTimeout <positive\_integer>] \[-clientAuthUseBoundCAChain \( ENABLED | DISABLED )] \[-sslInterception \( ENABLED | DISABLED )] \[-ssliReneg \( ENABLED | DISABLED )] \[-ssliOCSPCheck \( ENABLED | DISABLED )] \[-ssliMaxSessPerServer <positive\_integer>] \[-sessionTicket \( ENABLED | DISABLED )] \[-sessionTicketLifeTime <positive\_integer>] \[-sessionTicketKeyRefresh \( ENABLED | DISABLED )] {-sessionTicketKeyData } \[-sessionKeyLifeTime <positive\_integer>] \[-prevSessionKeyLifeTime <positive\_integer>] \[-HSTS \( ENABLED | DISABLED )] \[-maxage <positive\_integer>] \[-IncludeSubdomains \( YES | NO )] \[-preload \( YES | NO )] \[-skipClientCertPolicyCheck \( ENABLED | DISABLED )] \[-zeroRttEarlyData \( ENABLED | DISABLED )] \[-tls13SessionTicketsPerAuthContext <positive\_integer>] \[-dheKeyExchangeWithPsk \( YES | NO )] \[-allowExtendedMasterSecret \( YES | NO )] \[-ALPNProtocol ]

Arguments

name Name for the SSL profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the profile is created.

sslProfileType Type of profile. Front end profiles apply to the entity that receives requests from a client. Backend profiles apply to the entity that sends client requests to a server.

Possible values: BackEnd, FrontEnd, QUIC-FrontEnd Default value: FrontEnd

ssllogProfile The name of the ssllogprofile.

dhCount Number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies refresh every time. This parameter is not applicable when configuring a backend profile. Allowed DH count values are 0 and >= 500. Minimum value: 0 Maximum value: 65534

dh State of Diffie-Hellman (DH) key exchange. This parameter is not applicable when configuring a backend profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

dhFile The file name and path for the DH parameter.

eRSA State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts. This parameter is not applicable when configuring a backend profile.

Possible values: ENABLED, DISABLED Default value: ENABLED

eRSACount The refresh count for the re-generation of RSA public-key and private-key pair. Minimum value: 0 Maximum value: 65534

sessReuse State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.

Possible values: ENABLED, DISABLED Default value: ENABLED

sessTimeout The Session timeout value in seconds. Minimum value: 0 Maximum value: 4294967294

cipherRedirect State of Cipher Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client. This parameter is not applicable when configuring a backend profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

cipherURL The redirect URL to be used with the Cipher Redirect feature.

clientAuth State of client authentication. In service-based SSL offload, the service terminates the SSL handshake if the SSL client does not provide a valid certificate. This parameter is not applicable when configuring a backend profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

clientCert The rule for client certificate requirement in client authentication.

Possible values: Mandatory, Optional

dhKeyExpSizeLimit This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.

Possible values: ENABLED, DISABLED Default value: DISABLED

sslRedirect State of HTTPS redirects for the SSL service. For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect. If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break. This parameter is not applicable when configuring a backend profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

redirectPortRewrite State of the port rewrite while performing HTTPS redirect. If this parameter is set to ENABLED, and the URL from the server does not contain the standard port, the port is rewritten to the standard.

Possible values: ENABLED, DISABLED Default value: DISABLED

ssl3 State of SSLv3 protocol support for the SSL profile. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.

Possible values: ENABLED, DISABLED Default value: DISABLED

tls1 State of TLSv1.0 protocol support for the SSL profile.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls11 State of TLSv1.1 protocol support for the SSL profile.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls12 State of TLSv1.2 protocol support for the SSL profile.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls13 State of TLSv1.3 protocol support for the SSL profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

SNIEnable State of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.

Possible values: ENABLED, DISABLED Default value: DISABLED

allowUnknownSNI Controls how the handshake is handled when the server name extension does not match any of the bound certificates. These checks are performed only if the session is SNI enabled (i.e. when profile bound to vserver has SNIEnable and Client Hello arrived with SNI extension). Available settings function as follows : ENABLED - handshakes with an unknown SNI are allowed to continue, if a default cert is bound. DISLABED - handshakes with an unknown SNI are not allowed to continue.

Possible values: ENABLED, DISABLED Default value: DISABLED

ocspStapling State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values: ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate.

Possible values: ENABLED, DISABLED Default value: DISABLED

serverAuth State of server authentication support for the SSL Backend profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

commonName Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server.

pushEncTrigger Trigger encryption on the basis of the PUSH flag value. Available settings function as follows:

  • ALWAYS - Any PUSH packet triggers encryption.
  • IGNORE - Ignore PUSH packet for triggering encryption.
  • MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.
  • TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box.

Possible values: Always, Merge, Ignore, Timer

sendCloseNotify Enable sending SSL Close-Notify at the end of a transaction.

Possible values: YES, NO Default value: YES

clearTextPort Port on which clear-text data is sent by the appliance to the server. Do not specify this parameter for SSL offloading with end-to-end encryption.

insertionEncoding Encoding method used to insert the subject or issuer’s name in HTTP requests to servers.

Possible values: Unicode, UTF-8 Default value: Unicode

denySSLReneg Deny renegotiation in specified circumstances. Available settings function as follows:

  • NO - Allow SSL renegotiation.
  • FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the client.
  • FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by the client or the Citrix ADC during policy-based client authentication.
  • ALL - Deny all secure and nonsecure SSL renegotiation.
  • NONSECURE - Deny nonsecure SSL renegotiation. Allows only clients that support RFC 5746.

Possible values: NO, FRONTEND_CLIENT, FRONTEND_CLIENTSERVER, ALL, NONSECURE Default value: ALL

maxRenegRate Maximum number of renegotiation requests allowed, in one second, to each SSL entity to which this profile is bound. When set to 0, an unlimited number of renegotiation requests are allowed. Applicable only when Deny SSL renegotiation is set to a value other than ALL. Default value: 0 Minimum value: 0 Maximum value: 65535

quantumSize Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.

Possible values: 4096, 8192, 16384 Default value: 8192

strictCAChecks Enable strict CA certificate checks on the appliance.

Possible values: YES, NO Default value: NO

encryptTriggerPktCount Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC. Default value: 45 Minimum value: 10 Maximum value: 50

pushFlag Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows: 0 - Auto (PUSH flag is not set.) 1 - Insert PUSH flag into every decrypted record. 2 -Insert PUSH flag into every encrypted record. 3 - Insert PUSH flag into every decrypted and encrypted record. Minimum value: 0 Maximum value: 3

dropReqWithNoHostHeader Host header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions(i.e vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension), the request is dropped.

Possible values: YES, NO Default value: NO

SNIHTTPHostMatch Controls how the HTTP ‘Host’ header value is validated. These checks are performed only if the session is SNI enabled (i.e when vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension) and HTTP request contains ‘Host’ header. Available settings function as follows: CERT - Request is forwarded if the ‘Host’ value is covered by the certificate used to establish this SSL session. Note: ‘CERT’ matching mode cannot be applied in TLS 1.3 connections established by resuming from a previous TLS 1.3 session. On these connections, ‘STRICT’ matching mode will be used instead. STRICT - Request is forwarded only if value of ‘Host’ header in HTTP is identical to the ‘Server name’ value passed in ‘Client Hello’ of the SSL connection. NO - No validation is performed on the HTTP ‘Host’ header value.

Possible values: NO, CERT, STRICT Default value: CERT

pushEncTriggerTimeout PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings. Default value: 1 Minimum value: 1 Maximum value: 200

sslTriggerTimeout Time, in milliseconds, after which encryption is triggered for transactions that are not tracked on the Citrix ADC because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue. Default value: 100 Minimum value: 1 Maximum value: 200

clientAuthUseBoundCAChain Certficates bound on the VIP are used for validating the client cert. Certficates came along with client cert are not used for validating the client cert

Possible values: ENABLED, DISABLED Default value: DISABLED

sslInterception Enable or disable transparent interception of SSL sessions.

Possible values: ENABLED, DISABLED Default value: DISABLED

ssliReneg Enable or disable triggering the client renegotiation when renegotiation request is received from the origin server.

Possible values: ENABLED, DISABLED Default value: ENABLED

ssliOCSPCheck Enable or disable OCSP check for origin server certificate.

Possible values: ENABLED, DISABLED Default value: ENABLED

ssliMaxSessPerServer Maximum ssl session to be cached per dynamic origin server. A unique ssl session is created for each SNI received from the client on ClientHello and the matching session is used for server session reuse. Default value: 10 Minimum value: 1 Maximum value: 1000

sessionTicket This option enables the use of session tickets, as per the RFC 5077

Possible values: ENABLED, DISABLED Default value: DISABLED

sessionTicketLifeTime This option sets the life time of session tickets issued by NS in secs Default value: 300 Minimum value: 0 Maximum value: 172800

sessionTicketKeyRefresh This option enables the use of session tickets, as per the RFC 5077

Possible values: ENABLED, DISABLED Default value: ENABLED

sessionTicketKeyData Session ticket enc/dec key , admin can set it

sessionKeyLifeTime This option sets the life time of symm key used to generate session tickets issued by NS in secs Default value: 3000 Minimum value: 600 Maximum value: 86400

prevSessionKeyLifeTime This option sets the life time of symm key used to generate session tickets issued by NS in secs Default value: 0 Minimum value: 0 Maximum value: 172800

HSTS State of HSTS protocol support for the SSL profile. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client

Possible values: ENABLED, DISABLED Default value: DISABLED

maxage Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server Default value: 0 Minimum value: 0 Maximum value: 4294967294

IncludeSubdomains Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains.

Possible values: YES, NO Default value: NO

preload Flag indicates the consent of the site owner to have their domain preloaded.

Possible values: YES, NO Default value: NO

skipClientCertPolicyCheck This flag controls the processing of X509 certificate policies. If this option is Enabled, then the policy check in Client authentication will be skipped. This option can be used only when Client Authentication is Enabled and ClientCert is set to Mandatory

Possible values: ENABLED, DISABLED Default value: DISABLED

zeroRttEarlyData State of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting only has an effect if resumption is enabled, as early data cannot be sent along with an initial handshake. Early application data has significantly different security properties - in particular there is no guarantee that the data cannot be replayed.

Possible values: ENABLED, DISABLED Default value: DISABLED

tls13SessionTicketsPerAuthContext Number of tickets the SSL Virtual Server will issue anytime TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handhsake client auth completes. This value can be increased to enable clients to open multiple parallel connections using a fresh ticket for each connection. No tickets are sent if resumption is disabled. Default value: 1 Minimum value: 1 Maximum value: 10

dheKeyExchangeWithPsk Whether or not the SSL Virtual Server will require a DHE key exchange to occur when a PSK is accepted during a TLS 1.3 resumption handshake. A DHE key exchange ensures forward secrecy even in the event that ticket keys are compromised, at the expense of an additional round trip and resources required to carry out the DHE key exchange. If disabled, a DHE key exchange will be performed when a PSK is accepted but only if requested by the client. If enabled, the server will require a DHE key exchange when a PSK is accepted regardless of whether the client supports combined PSK-DHE key exchange. This setting only has an effect when resumption is enabled.

Possible values: YES, NO Default value: NO

allowExtendedMasterSecret When set to YES, attempt to use the TLS Extended Master Secret (EMS, as described in RFC 7627) when negotiating TLS 1.0, TLS 1.1 and TLS 1.2 connection parameters. EMS must be supported by both the TLS client and server in order to be enabled during a handshake. This setting applies to both frontend and backend SSL profiles.

Possible values: YES, NO Default value: NO

ALPNProtocol Application protocol supported by the server and used in negotiation of the protocol with the client. Possible values are HTTP1.1, HTTP2 and NONE. Default value is NONE which implies application protocol is not enabled hence remain unknown to the TLS layer. This parameter is relevant only if SSL connection is handled by the virtual server of the type SSL_TCP.

Possible values: NONE, HTTP1.1, HTTP2 Default value: NONE

Example

add sslProfile -sslProfileType FrontEnd

rm ssl profile

Remove a SSL profile on the Citrix ADC

Synopsis

rm ssl profile

Arguments

name Name of the SSL profile.

Example

rm sslProfile

ssl-profile