Score A+ on SSLlabs.com the easy way

Change the following placeholders to match your NetScaler deployment:

  • %vServer% : the name of the Access Gateway (VPN) virtual server
  • "VPX_Group %OR% MPX_Group" : the cipher group to bind. Use MPX_Group on an MPX appliance (hardware SSL) and VPX_Group on a VPX; the VPX list is shorter because software-only VPX appliances supported fewer suites at the time of writing.

The script does four things: it disables SSLv3 and enables TLS 1.1 and 1.2 on the vserver; it generates a 2048-bit DH group, binds it (the DH key pair is regenerated every 1000 transactions) and disables ephemeral RSA; it builds the two cipher groups, replaces whatever ciphers were bound to the vserver with the chosen group and enables all ECC curves so the ECDHE suites can negotiate; and it adds a Strict-Transport-Security header (max-age 157680000 seconds, five years) to every response through a rewrite policy. Generating the DH parameters can take a few minutes, especially on a VPX.

Open an SSH session to the NetScaler CLI (PuTTY or similar) and paste the script between the Start and End lines.

—————Start – Do Not Copy This Line—————
set ssl vserver %vServer% -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

create ssl dhparam DH-Key 2048 -gen 2
set ssl vserver %vServer% -dh ENABLED -dhFile "/nsconfig/ssl/DH-Key" -dhCount 1000 -eRSA DISABLED

add ssl cipher "MPX_Group"
add ssl cipher "VPX_Group"

bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName SSL3-DES-CBC3-SHA

bind ssl cipher "VPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName SSL3-DES-CBC3-SHA

unbind ssl vserver %vServer% -cipherName ALL
bind ssl vserver %vServer% -cipherName "VPX_Group %OR% MPX_Group"
bind ssl vserver %vServer% -eccCurveName ALL

add rewrite action act_sts_header insert_http_header Strict-Transport-Security q/"max-age=157680000"/
add rewrite policy pol_sts_force true act_sts_header
bind vpn vserver %vServer% -policy pol_sts_force -priority 100 -gotoPriorityExpression END -type RESPONSE
—————End – Do Not Copy This Line—————

Once the script has completed, check the result with the Qualys SSL Labs server test (https://www.ssllabs.com/ssltest/). Three things to keep in mind when reading the report. The two DHE-DSS suites in MPX_Group can only be negotiated with a DSA certificate, so with the usual RSA certificate they are dead weight and can be dropped. The two DES-CBC3 (3DES) suites are there for old clients, but newer versions of the SSL Labs test penalise 3DES, so if the grade comes back below A+ remove those two binds. And the script leaves TLS 1.0 at its default (enabled); SSL Labs now caps the grade for servers that still offer TLS 1.0 or 1.1, so add -tls1 DISABLED (and, once your clients allow it, -tls11 DISABLED) to the first set ssl vserver line.
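The following script is an added example, not part of the original post or of any Citrix tooling. It checks the three things the configuration above sets: the cipher group (the names are copied from the MPX_Group binds), the Strict-Transport-Security header, and the protocol versions the VIP offers. The cipher lint and the HSTS parsing run offline; the protocol probe and header fetch need network access to the gateway. The 180-day max-age threshold, the function names and the host argument are assumptions of this example.

```python
"""Post-deployment checks for the NetScaler TLS/HSTS script above (added example).

Offline: lint_ciphers() flags suites SSL Labs penalises or that cannot negotiate
with an RSA certificate; parse_hsts_max_age()/hsts_ok() validate the HSTS header.
Online (optional): probe_protocol() and fetch_hsts() query the live VIP.
"""
import http.client
import re
import socket
import ssl
import sys

# Cipher names copied from the MPX_Group binds in the script above.
MPX_GROUP = [
    "TLS1-DHE-DSS-AES-256-CBC-SHA", "TLS1-DHE-DSS-AES-128-CBC-SHA",
    "TLS1-DHE-RSA-AES-256-CBC-SHA", "TLS1-DHE-RSA-AES-128-CBC-SHA",
    "TLS1-ECDHE-RSA-DES-CBC3-SHA", "TLS1-ECDHE-RSA-AES128-SHA",
    "TLS1-ECDHE-RSA-AES256-SHA", "TLS1.2-AES128-GCM-SHA256",
    "TLS1.2-AES256-GCM-SHA384", "TLS1.2-DHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-DHE-RSA-AES256-GCM-SHA384", "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", "TLS1.2-ECDHE-RSA-AES-128-SHA256",
    "TLS1.2-ECDHE-RSA-AES-256-SHA384", "TLS1.2-AES-256-SHA256",
    "TLS1.2-AES-128-SHA256", "TLS1.2-DHE-RSA-AES-128-SHA256",
    "TLS1.2-DHE-RSA-AES-256-SHA256", "TLS1-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA", "SSL3-DES-CBC3-SHA",
]

# Substring of a NetScaler cipher name -> why it should be dropped.
WEAK_SUITES = {
    "DES-CBC3": "3DES: 64-bit block cipher (Sweet32); newer SSL Labs tests cap the grade",
    "DHE-DSS": "DSS key exchange: needs a DSA certificate, dead weight with RSA",
}

# Assumed A+ threshold for HSTS max-age: 180 days. Check SSL Labs' current policy.
HSTS_MIN_AGE = 180 * 24 * 3600


def lint_ciphers(names):
    """Return {cipher_name: reason} for every suite that should be removed."""
    findings = {}
    for name in names:
        for needle, reason in WEAK_SUITES.items():
            if needle in name:
                findings[name] = reason
    return findings


_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)', re.IGNORECASE)


def parse_hsts_max_age(header):
    """max-age in seconds from an HSTS header value, or None if absent/malformed."""
    if not header:
        return None
    match = _MAX_AGE.search(header)
    return int(match.group(1)) if match else None


def hsts_ok(header, min_age=HSTS_MIN_AGE):
    """True when the header is present and its max-age reaches the threshold."""
    age = parse_hsts_max_age(header)
    return age is not None and age >= min_age


def probe_protocol(host, version, port=443, timeout=5):
    """Handshake pinned to one TLS version; True if the server accepts it.

    A False for TLS 1.0/1.1 may also mean the local OpenSSL refused to offer
    the version, so confirm old-protocol results with SSL Labs itself.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # probing protocol support, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def fetch_hsts(host, port=443, timeout=5):
    """Strict-Transport-Security header from a HEAD / request, or None."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    for name, why in lint_ciphers(MPX_GROUP).items():
        print(f"drop {name}: {why}")
    if len(sys.argv) > 1:           # usage: python check_gateway.py gateway.example.com
        host = sys.argv[1]
        for label, ver in (("TLS1.0", ssl.TLSVersion.TLSv1),
                           ("TLS1.1", ssl.TLSVersion.TLSv1_1),
                           ("TLS1.2", ssl.TLSVersion.TLSv1_2)):
            print(f"{label}: {'offered' if probe_protocol(host, ver) else 'not offered'}")
        hdr = fetch_hsts(host)
        print(f"HSTS: {hdr!r} -> {'ok' if hsts_ok(hdr) else 'missing or too short'}")
```

Run it with no arguments to lint the cipher list only; pass the gateway's FQDN to also probe the live VIP. The probe deliberately skips certificate validation because it is asking which protocol versions the server will complete a handshake for, not whether the certificate chain is trusted; SSL Labs covers the chain separately.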

 

 
