NetScaler: PCIDSS 3.2 Ciphers

7 November 2018

Here are the commands to create a list of cipher suites compatible with PCI DSS 3.2 on NetScaler 11.1 and 12.0 (note that on NetScaler a lower -cipherPriority value means the suite is preferred earlier in the list).

add ssl cipher PCIDSS32
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES-128-SHA256 -cipherPriority 10
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 9
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES128-GCM-SHA256 -cipherPriority 8
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 7
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256 -cipherPriority 6
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 5
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 4
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 3
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 2
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 1

Remember to disable SSL3 and TLS1 on the SSL profile, and to unbind the built-in DEFAULT cipher group so only the PCIDSS32 group is offered:

add ssl profile ns_pcidss32_ssl_profile_frontend -sessReuse DISABLED -tls1 DISABLED
set ssl profile ns_pcidss32_ssl_profile_frontend -denySSLReneg NONSECURE
bind ssl profile ns_pcidss32_ssl_profile_frontend -cipherName PCIDSS32 -cipherPriority 1
unbind ssl profile ns_pcidss32_ssl_profile_frontend -cipherName DEFAULT
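The two blocks above are only useful if they end up applied exactly as written on every front-end profile. The following script is an added example (not NetScaler code and not part of the original post): it replays the cipher-group and SSL-profile commands offline, then audits the resulting profile for the points the post makes: only TLS1.2-* suites bound, SSL3 and TLS1 explicitly disabled, non-secure renegotiation denied, and the built-in DEFAULT cipher group unbound. It assumes, as the post's final unbind implies, that a newly added SSL profile starts with DEFAULT bound, and it deliberately flags any protocol switch that is left at its platform default rather than set explicitly, so the post's own profile is reported for the missing -ssl3 DISABLED. The "weak_frontend" profile and the LEGACY cipher group are constructed sample input.

```python
"""Offline audit of NetScaler cipher groups and SSL profiles against the PCI DSS 3.2
settings in the post. Added example; not NetScaler code and not the post's own."""
import re

# One regex per CLI verb the post uses ("add/bind/set/unbind ssl ...").
ADD_CIPHER_RE = re.compile(r"^add ssl cipher (\S+)$")
BIND_CIPHER_RE = re.compile(r"^bind ssl cipher (\S+) -cipherName (\S+) -cipherPriority (\d+)$")
ADD_PROFILE_RE = re.compile(r"^add ssl profile (\S+)(.*)$")
SET_PROFILE_RE = re.compile(r"^set ssl profile (\S+)(.*)$")
BIND_PROFILE_RE = re.compile(r"^bind ssl profile (\S+) -cipherName (\S+)(?: -cipherPriority (\d+))?$")
UNBIND_PROFILE_RE = re.compile(r"^unbind ssl profile (\S+) -cipherName (\S+)$")
OPTION_RE = re.compile(r"-(\w+) (\S+)")


def parse_ns_config(text):
    """Replay config lines into two dicts:
    cipher_groups: {group: {cipher_name: priority}}   (lower number = preferred first)
    profiles:      {profile: {"options": {opt: value}, "bound": {group: priority}}}
    Assumption modelled here: a newly added SSL profile starts with the built-in
    DEFAULT cipher group bound, which is why the post unbinds it explicitly."""
    cipher_groups, profiles = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ADD_CIPHER_RE.match(line):
            cipher_groups.setdefault(m[1], {})
        elif m := BIND_CIPHER_RE.match(line):
            cipher_groups.setdefault(m[1], {})[m[2]] = int(m[3])
        elif m := ADD_PROFILE_RE.match(line):
            profiles[m[1]] = {"options": dict(OPTION_RE.findall(m[2])), "bound": {"DEFAULT": 1}}
        elif m := SET_PROFILE_RE.match(line):
            profiles[m[1]]["options"].update(OPTION_RE.findall(m[2]))
        elif m := BIND_PROFILE_RE.match(line):
            profiles[m[1]]["bound"][m[2]] = int(m[3] or 0)
        elif m := UNBIND_PROFILE_RE.match(line):
            profiles[m[1]]["bound"].pop(m[2], None)
        else:
            raise ValueError(f"unrecognised line: {line}")
    return cipher_groups, profiles


def audit_profile(cipher_groups, profiles, name):
    """Return the findings for one profile; an empty list means it satisfies the
    checks the post implies. Protocol switches left at their platform default are
    reported too: the audit deliberately refuses to trust defaults."""
    opts, bound = profiles[name]["options"], profiles[name]["bound"]
    findings = []
    if "DEFAULT" in bound:
        findings.append("built-in DEFAULT cipher group is still bound")
    for proto in ("ssl3", "tls1"):
        if opts.get(proto) != "DISABLED":
            findings.append(f"{proto} is not explicitly DISABLED")
    if opts.get("denySSLReneg") not in ("NONSECURE", "ALL"):
        findings.append("insecure client renegotiation is not denied")
    for group in bound:
        # Groups not defined in the replayed text (e.g. built-in DEFAULT) are opaque here.
        for cipher in cipher_groups.get(group, {}):
            if not cipher.startswith("TLS1.2-"):
                findings.append(f"{group}: pre-TLS1.2 cipher {cipher} is bound")
    return findings


# Constructed sample 1: the commands from the post, replayed as one config.
POST_CONFIG = """
add ssl cipher PCIDSS32
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES-128-SHA256 -cipherPriority 10
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 9
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES128-GCM-SHA256 -cipherPriority 8
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 7
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256 -cipherPriority 6
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 5
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 4
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 3
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 2
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 1
add ssl profile ns_pcidss32_ssl_profile_frontend -sessReuse DISABLED -tls1 DISABLED
set ssl profile ns_pcidss32_ssl_profile_frontend -denySSLReneg NONSECURE
bind ssl profile ns_pcidss32_ssl_profile_frontend -cipherName PCIDSS32 -cipherPriority 1
unbind ssl profile ns_pcidss32_ssl_profile_frontend -cipherName DEFAULT
"""

# Constructed sample 2: a weak counterpart (legacy suites, TLS1 left on, DEFAULT kept).
WEAK_CONFIG = """
add ssl cipher LEGACY
bind ssl cipher LEGACY -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 1
bind ssl cipher LEGACY -cipherName SSL3-DES-CBC3-SHA -cipherPriority 2
add ssl profile weak_frontend -sessReuse DISABLED
bind ssl profile weak_frontend -cipherName LEGACY -cipherPriority 2
"""

if __name__ == "__main__":
    for cfg, name in ((POST_CONFIG, "ns_pcidss32_ssl_profile_frontend"), (WEAK_CONFIG, "weak_frontend")):
        groups, profs = parse_ns_config(cfg)
        print(name, "->", audit_profile(groups, profs, name) or ["OK"])
```

Run it against the output of "show run | grep ssl" from a real appliance to get the same report for every profile; the one finding it raises on the post's own profile is the reminder that -ssl3 DISABLED should be set explicitly rather than assumed from the firmware default.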