ADC CLI Commands

ssl-service

The following operations can be performed on “ssl-service”:

show unbind unset set bind

show ssl service

Displays information about SSL-specific configuration information for all SSL services, or displays detailed information about the specified SSL service.

Synopsis

show ssl service []

Arguments

serviceName Name of the SSL service for which to show detailed information.

Output

crlCheck The state of the CRL check parameter. (Mandatory/Optional)

dh The state of Diffie-Hellman (DH) key exchange support.

dhFile The file name and path for the DH parameter.

dhCount The refresh count for regeneration of DH public-key and private-key from the DH parameter.

dhKeyExpSizeLimit This option enables the use of NIST recommended(NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.

eRSA The state of Ephemeral RSA key exchange support. Ephemeral RSA is used for export ciphers

eRSACount The refresh count for re-generation of RSA public-key and pri-vate-key pair.

sessReuse The state of session reuse support.

sessTimeout The session timeout value in seconds.

cipherRedirect The state of Cipher Redirect feature.Cipher Redirect feature can be used to provide more readable information to SSL clients about mismatch in ciphers between the client and the SSL vserver.

cipherURL The redirect URL to be used with the Cipher Redirect feature.

sslv2Redirect The state of SSLv2 Redirect feature.SSLv2 Redirect feature can be used to provide more readable information to SSL client about non-support of SSLv2 protocol on the SSL vserver.

sslv2URL The redirect URL to be used with the SSLv2 Redirect feature.

clientAuth The state of Client-Authentication support.

clientCert The rule for client certificate requirement in client authentication.

sslRedirect The state of HTTPS redirect feature.

redirectPortRewrite The state of port rewrite feature.

nonFipsCiphers The state of usage of non FIPS approved ciphers.

ssl2 The state of SSLv2 protocol support.

ssl3 The state of SSLv3 protocol support.

tls1 The state of TLSv1.0 protocol support.

tls11 The state of TLSv1.1 protocol support.

tls12 The state of TLSv1.2 protocol support.

tls13 The state of TLSv1.3 protocol support.

dtls1 The state of DTLSv1.0 protocol support.

dtls12 The state of DTLSv1.2 protocol support.

SNIEnable The state of SNI extension. Server Name Indication (SNI) helps to enable SSL encryption on multiple subdomains if the domains are controlled by the same organization and share the same second-level domain name.

ocspStapling State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values: ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate.

serverAuth The state of Server-Authentication support.

commonName Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server

cipherAliasName/cipherName/cipherGroupName The cipher group/alias/individual cipher configuration.

cipherName The cipher group/alias/individual cipher configuration

description The cipher suite description.

certkeyName The certificate key pair binding.

policyName The SSL policy binding.

invoke Invoke flag. This attribute is relevant only for ADVANCED policies

labelType Type of policy label invocation.

labelName Name of the label to invoke if the current policy rule evaluates to TRUE.

clearTextPort The clearTextPort settings.

service priority The priority of the policies bound to this SSL service

polinherit Whether the bound policy is a inherited policy or not

ocspCheck Rule to use for the OCSP responder associated with the CA certificate during client authentication. If MANDATORY is specified, deny all SSL clients if the OCSP check fails because of connectivity issues with the remote OCSP server, or any other reason that prevents the OCSP check. With the OPTIONAL setting, allow SSL clients even if the OCSP check fails except when the client certificate is revoked.

pushEncTrigger PUSH packet triggering encryption: Always, Ignore, Merge

CA CA certificate.

SNICert The name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.

gotoPriorityExpression Expression specifying the priority of the next policy which will get evaluated if the current policy rule evaluates to TRUE.

stateflag skipCAName The flag is used to indicate whether this particular CA certificate’s CA_Name needs to be sent to the SSL client while requesting for client certificate in a SSL handshake

sendCloseNotify Enable sending SSL Close-Notify at the end of a transaction

dtlsProfileName Name of the DTLS profile that contains DTLS settings for the service.

dtlsFlag The flag is used to indicate whether DTLS is set or not

quicFlag eccCurveName Named ECC curve bound to service/vserver.

sslProfile Name of the SSL profile that contains SSL settings for the service.

gslbServiceFlag Indicates that this is a gslb service

strictSigDigestCheck Parameter indicating to check whether peer’s certificate during TLS1.2 handshake is signed with one of signature-hash combination supported by Citrix ADC

cipherDefaultOn Flag indicating whether the bound cipher was the DEFAULT cipher, bound at boot time, or any other cipher from the CLI

devno count

Example

An example of output of show ssl service command is as shown below show ssl service svc1

    Advanced SSL configuration for Back-end SSL Service svc1:
    DH: DISABLED
    Ephemeral RSA: ENABLED          Refresh Count: 0
    Session Reuse: ENABLED          Timeout: 300 seconds
    Cipher Redirect: DISABLED
    SSLv2 Redirect: DISABLED
    Server Auth: DISABLED
    SSL Redirect: DISABLED
    Non FIPS Ciphers: DISABLED
    SSLv2: DISABLED SSLv3: ENABLED  TLSv1: ENABLED

    1)      Cipher Name: ALL
    Description: Predefined Cipher Alias

unbind ssl service

Unbinds an SSL policy, cipher, and certificate-key pair from an SSL service.

Synopsis

unbind ssl service @ \(\(-policyName \[-priority <positive\_integer>]) | \(\(-certkeyName \[\(-CA \[-crlCheck \( Mandatory | Optional )]) | -SNICert] ) | -cipherName | -eccCurveName ))

Arguments

serviceName Name of the SSL service.

policyName Name of the SSL policy to unbind from the SSL service.

priority Priority of the NOPOLICY (built-in policy) to be unbound. Not required if you are unbinding a user-defined policy. Minimum value: 1 Maximum value: 2147483647

certkeyName The certificate key pair binding.

CA CA certificate.

crlCheck Rule to use for the CRL corresponding to the CA certificate during client authentication. Available settings function as follows:

  • MANDATORY - Deny SSL clients if the CRL is missing or expired, or the Next Update date is in the past, or the CRL is incomplete.
  • OPTIONAL - Allow SSL clients if the CRL is missing or expired, or the Next Update date is in the past, or the CRL is incomplete, but deny if the client certificate is revoked in the CRL.

Possible values: Mandatory, Optional

SNICert Name of the certificate-key pair to bind for use in SNI processing.

cipherName Name of the individual cipher, user-defined cipher group, or predefined (built-in) cipher alias.

eccCurveName Named ECC curve bound to service/vserver.

Possible values: ALL, P_224, P_256, P_384, P_521, X_25519

Example

unbind ssl service ssl_svc -policyName certInsert_pol

unset ssl service

Use this command to remove ssl service settings.Refer to the set ssl service command for meanings of the arguments.

Synopsis

unset ssl service @ [-dh] [-dhFile] [-dhCount] [-dhKeyExpSizeLimit] [-eRSA] [-eRSACount] [-sessReuse] [-sessTimeout] [-cipherRedirect] [-cipherURL] [-sslv2Redirect] [-sslv2URL] [-clientAuth] [-clientCert] [-sslRedirect] [-redirectPortRewrite] [-ssl2] [-ssl3] [-tls1] [-tls11] [-tls12] [-tls13] [-dtls1] [-dtls12] [-SNIEnable] [-ocspStapling] [-serverAuth] [-commonName] [-sendCloseNotify] [-dtlsProfileName] [-sslProfile] [-strictSigDigestCheck]

set ssl service

Sets the advanced SSL configuration for an SSL service.

Synopsis

set ssl service @ \[-dh \( ENABLED | DISABLED ) -dhFile ] \[-dhCount <positive\_integer>] \[-dhKeyExpSizeLimit \( ENABLED | DISABLED )] \[-eRSA \( ENABLED | DISABLED ) \[-eRSACount <positive\_integer>]] \[-sessReuse \( ENABLED | DISABLED ) \[-sessTimeout <positive\_integer>]] \[-cipherRedirect \( ENABLED | DISABLED ) \[-cipherURL ]] \[-sslv2Redirect \( ENABLED | DISABLED ) \[-sslv2URL ]] \[-clientAuth \( ENABLED | DISABLED ) \[-clientCert \( Mandatory | Optional )]] \[-sslRedirect \( ENABLED | DISABLED )] \[-redirectPortRewrite \( ENABLED | DISABLED )] \[-ssl2 \( ENABLED | DISABLED )] \[-ssl3 \( ENABLED | DISABLED )] \[-tls1 \( ENABLED | DISABLED )] \[-tls11 \( ENABLED | DISABLED )] \[-tls12 \( ENABLED | DISABLED )] \[-tls13 \( ENABLED | DISABLED )] \[-dtls1 \( ENABLED | DISABLED )] \[-dtls12 \( ENABLED | DISABLED )] \[-SNIEnable \( ENABLED | DISABLED )] \[-ocspStapling \( ENABLED | DISABLED )] \[-serverAuth \( ENABLED | DISABLED )] \[-commonName ] \[-pushEncTrigger ] \[-sendCloseNotify \( YES | NO )] \[-dtlsProfileName ] \[-sslProfile ] \[-strictSigDigestCheck \( ENABLED | DISABLED )]

Arguments

serviceName Name of the SSL service.

dh State of Diffie-Hellman (DH) key exchange. This parameter is not applicable when configuring a backend service.

Possible values: ENABLED, DISABLED Default value: DISABLED

dhFile Name for and, optionally, path to the PEM-format DH parameter file to be installed. /nsconfig/ssl/ is the default path. This parameter is not applicable when configuring a backend service.

dhCount Number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies refresh every time. This parameter is not applicable when configuring a backend service. Allowed DH count values are 0 and >= 500. Minimum value: 0 Maximum value: 65534

dhKeyExpSizeLimit This option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.

Possible values: ENABLED, DISABLED Default value: DISABLED

eRSA State of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts. This parameter is not applicable when configuring a backend service.

Possible values: ENABLED, DISABLED Default value: DISABLED

eRSACount Refresh count for regeneration of RSA public-key and private-key pair. Zero (0) specifies infinite usage (no refresh). This parameter is not applicable when configuring a backend service. Minimum value: 0 Maximum value: 65534

sessReuse State of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.

Possible values: ENABLED, DISABLED Default value: ENABLED

sessTimeout Time, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session. Default value: 300 Minimum value: 0 Maximum value: 4294967294

cipherRedirect State of Cipher Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client. This parameter is not applicable when configuring a backend service.

Possible values: ENABLED, DISABLED Default value: DISABLED

cipherURL URL of the page to which to redirect the client in case of a cipher mismatch. Typically, this page has a clear explanation of the error or an alternative location that the transaction can continue from. This parameter is not applicable when configuring a backend service.

sslv2Redirect State of SSLv2 Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a protocol version mismatch between the virtual server or service and the client. This parameter is not applicable when configuring a backend service.

Possible values: ENABLED, DISABLED Default value: DISABLED

sslv2URL URL of the page to which to redirect the client in case of a protocol version mismatch. Typically, this page has a clear explanation of the error or an alternative location that the transaction can continue from. This parameter is not applicable when configuring a backend service.

clientAuth State of client authentication. In service-based SSL offload, the service terminates the SSL handshake if the SSL client does not provide a valid certificate. This parameter is not applicable when configuring a backend service.

Possible values: ENABLED, DISABLED Default value: DISABLED

clientCert Type of client authentication. If this parameter is set to MANDATORY, the appliance terminates the SSL handshake if the SSL client does not provide a valid certificate. With the OPTIONAL setting, the appliance requests a certificate from the SSL clients but proceeds with the SSL transaction even if the client presents an invalid certificate. This parameter is not applicable when configuring a backend SSL service. Caution: Define proper access control policies before changing this setting to Optional.

Possible values: Mandatory, Optional

sslRedirect State of HTTPS redirects for the SSL service.

For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect. If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break.

This parameter is not applicable when configuring a backend service.

Possible values: ENABLED, DISABLED Default value: DISABLED

redirectPortRewrite State of the port rewrite while performing HTTPS redirect. If this parameter is set to ENABLED, and the URL from the server does not contain the standard port, the port is rewritten to the standard.

Possible values: ENABLED, DISABLED Default value: DISABLED

ssl2 State of SSLv2 protocol support for the SSL service. This parameter is not applicable when configuring a backend service.

Possible values: ENABLED, DISABLED Default value: DISABLED

ssl3 State of SSLv3 protocol support for the SSL service. Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls1 State of TLSv1.0 protocol support for the SSL service.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls11 State of TLSv1.1 protocol support for the SSL service.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls12 State of TLSv1.2 protocol support for the SSL service.

Possible values: ENABLED, DISABLED Default value: ENABLED

tls13 State of TLSv1.3 protocol support for the SSL service.

Possible values: ENABLED, DISABLED Default value: DISABLED

dtls1 State of DTLSv1.0 protocol support for the SSL service.

Possible values: ENABLED, DISABLED Default value: ENABLED

dtls12 State of DTLSv1.2 protocol support for the SSL service.

Possible values: ENABLED, DISABLED Default value: DISABLED

SNIEnable State of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.

Possible values: ENABLED, DISABLED Default value: DISABLED

ocspStapling State of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values: ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake. DISABLED: The appliance does not check the status of the server certificate.

Possible values: ENABLED, DISABLED Default value: DISABLED

serverAuth State of server authentication support for the SSL service.

Possible values: ENABLED, DISABLED Default value: DISABLED

commonName Name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server

pushEncTrigger Trigger encryption on the basis of the PUSH flag value. Available settings function as follows:

  • ALWAYS - Any PUSH packet triggers encryption.
  • IGNORE - Ignore PUSH packet for triggering encryption.
  • MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.
  • TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box.

Possible values: Always, Merge, Ignore, Timer

sendCloseNotify Enable sending SSL Close-Notify at the end of a transaction

Possible values: YES, NO Default value: YES

dtlsProfileName Name of the DTLS profile that contains DTLS settings for the service.

sslProfile Name of the SSL profile that contains SSL settings for the service.

strictSigDigestCheck Parameter indicating to check whether peer’s certificate during TLS1.2 handshake is signed with one of signature-hash combination supported by Citrix ADC

Possible values: ENABLED, DISABLED Default value: DISABLED

Example

1)set ssl service sslsvc -dh ENABLED -dhFile /nsconfig/ssl/dh1024.pem -dhCount 500 The above example sets the DH parameters for the SSL service ‘sslsvc’. 2.set ssl service sslsvc -ssl2 DISABLED The above example disables the support for SSLv2 protocol for the SSL service ‘sslsvc’.

bind ssl service

Binds an SSL certificate-key pair or an SSL policy to a transparent SSL service.

Synopsis

bind ssl service @ \(\(-policyName \[-priority <positive\_integer>] \[-gotoPriorityExpression ] \[-invoke \( ) ] ) | \(\(-certkeyName \[\(-CA \[-crlCheck \( Mandatory | Optional ) | -ocspCheck \( Mandatory | Optional )] \[-skipCAName]) | -SNICert] ) | -cipherName | -eccCurveName ))

Arguments

serviceName Name of the SSL service for which to set advanced configuration.

policyName Name of the SSL policy to bind to the service.

priority Priority. Minimum value: 0 Maximum value: 64000

gotoPriorityExpression Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE. Specify one of the following values:

  • NEXT - Evaluate the policy with the next higher priority number.
  • END - End policy evaluation.
  • USE_INVOCATION_RESULT - Applicable if this policy invokes another policy label. If the final goto in the invoked policy label has a value of END, the evaluation stops. If the final goto is anything other than END, the current policy label performs a NEXT.
  • An expression that evaluates to a number. If you specify an expression, the number to which it evaluates determines the next policy to evaluate, as follows:
  • If the expression evaluates to a higher numbered priority, the policy with that priority is evaluated next.
  • If the expression evaluates to the priority of the current policy, the policy with the next higher numbered priority is evaluated next.
  • If the expression evaluates to a number that is larger than the largest numbered priority, policy evaluation ends.

An UNDEF event is triggered if:

  • The expression is invalid.
  • The expression evaluates to a priority number that is numerically lower than the current policy’s priority.
  • The expression evaluates to a priority number that is between the current policy’s priority number (say, 30) and the highest priority number (say, 100), but does not match any configured priority number (for example, the expression evaluates to the number 85). This example assumes that the priority number increments by 10 for every successive policy, and therefore a priority number of 85 does not exist in the policy label. Default value: “END”

invoke Invoke policies bound to a virtual server, service, or policy label. After the invoked policies are evaluated, the flow returns to the policy with the next-larger priority number.

labelType Type of policy label invocation.

Possible values: vserver, service, policylabel

labelName Name of the policy label, virtual server, or service to invoke if the current policy rule evaluates to TRUE.

certkeyName Name of the certificate-key pair.

CA Name of the CA certificate that issues and signs the intermediate-CA certificate or the end-user client or server certificate.

crlCheck Rule to use for the CRL corresponding to the CA certificate during client authentication. Available settings function as follows:

  • MANDATORY - Deny SSL clients if the CRL is missing or expired, or the Next Update date is in the past, or the CRL is incomplete.
  • OPTIONAL - Allow SSL clients if the CRL is missing or expired, or the Next Update date is in the past, or the CRL is incomplete, but deny if the client certificate is revoked in the CRL.

Possible values: Mandatory, Optional

skipCAName The flag is used to indicate whether this particular CA certificate’s CA_Name needs to be sent to the SSL client while requesting for client certificate in a SSL handshake

SNICert Name of the certificate-key pair to bind for use in SNI processing.

ocspCheck Rule to use for the OCSP responder associated with the CA certificate during client authentication. If MANDATORY is specified, deny all SSL clients if the OCSP check fails because of connectivity issues with the remote OCSP server, or any other reason that prevents the OCSP check. With the OPTIONAL setting, allow SSL clients even if the OCSP check fails except when the client certificate is revoked.

Possible values: Mandatory, Optional

cipherName Name of the individual cipher, user-defined cipher group, or predefined (built-in) cipher alias.

eccCurveName Named ECC curve bound to service/vserver.

Possible values: ALL, P_224, P_256, P_384, P_521, X_25519

Example

bind ssl service ssl_svc -policyName certInsert_pol -priority 10

ssl-service