EMS TLS extension enforcement causing a capacity issue in ADC

Two effects have been observed on Citrix ADC appliances once the Microsoft Schannel security update referenced below is applied to Windows servers; a workaround is listed for each:

1: With the security update applied, the Windows server (Schannel) enforces the Extended Master Secret (EMS) TLS extension (RFC 7627). If the peer on the other side of the connection (client or server role, depending on which side the ADC sits) does not support EMS, every SSL session-reuse request is rejected and falls back to a full handshake. A full handshake repeats the public-key operation that a reuse (resumption) handshake avoids, so it is far more CPU intensive; when the ADC is that peer, for example as the TLS client to a back-end service on the Windows server, the load on the ADC rises accordingly.

Workaround: Disable EMS on the Windows Server side (the referenced Microsoft article documents the Schannel registry settings that control it per role). No change is required on the ADC once EMS is disabled there. Caveat: EMS is the protection that this update introduces, so disabling it reverts that protection for every TLS peer of that Windows server, not only the ADC; treat this as a capacity measure and prefer an ADC build that supports EMS where one is available.

Refer to: https://support.microsoft.com/en-us/help/3081320/ms15-121-security-update-for-schannel-to-address-spoofing-november-10

2: The Microsoft server places ECDHE and DHE suites (perfect forward secrecy (PFS) ciphers) first in its cipher-suite preference, so it negotiates an ephemeral key exchange whenever the ADC offers one. The additional ECDHE/DHE computation is paid on the ADC for every full handshake, which increases the workload on platforms where that key exchange runs in software.

Workaround: For platforms that are not equipped to handle the increased ECDHE/DHE load, bind a cipher group containing only non-ECDHE/non-DHE (RSA key exchange) ciphers to the back-end service or service group. Since the server can only select a suite that the ADC offers, this forces RSA key exchange on the back-end leg. Keep the change confined to the back-end: it gives up forward secrecy on the connections it is applied to, so the client-facing virtual server should retain its ECDHE suites.

Refer to: https://docs.citrix.com/en-us/citrix-adc/13/ssl/ciphers-available-on-the-citrix-ADC-appliances/configure-user-defined-cipher-groups-on-the-adc-appliance.html
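As an added illustration (not taken from the page or from Citrix documentation), the following Citrix ADC CLI sequence creates a user-defined cipher group limited to RSA-key-exchange AES-GCM suites and binds it to a back-end service in place of the default back-end group. The service and service-group names (svc_backend_https, sg_backend_https) are assumptions; the cipher names are those used on the appliance, so confirm them with `show ssl cipher` on your build before use. The `#` lines are explanatory comments.

```nscli
# Added example; svc_backend_https / sg_backend_https are hypothetical names.
# 1. Create a user-defined cipher group with RSA key exchange only
#    (no ECDHE/DHE), AES-GCM, TLS 1.2.
add ssl cipher BACKEND_RSA_ONLY
bind ssl cipher BACKEND_RSA_ONLY -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher BACKEND_RSA_ONLY -cipherName TLS1.2-AES128-GCM-SHA256

# 2. Replace the default back-end group on the service. The Windows
#    server can only choose a suite the ADC offers, so ECDHE/DHE are
#    never negotiated on this leg regardless of the server's preference.
unbind ssl service svc_backend_https -cipherName DEFAULT_BACKEND
bind ssl service svc_backend_https -cipherName BACKEND_RSA_ONLY

# For a service group, bind to the group instead:
# unbind ssl serviceGroup sg_backend_https -cipherName DEFAULT_BACKEND
# bind ssl serviceGroup sg_backend_https -cipherName BACKEND_RSA_ONLY

# 3. Verify the group contents and the binding, then persist.
show ssl cipher BACKEND_RSA_ONLY
show ssl service svc_backend_https
save ns config
```

Leave the client-facing SSL virtual server on its existing ECDHE-capable cipher group; only the back-end service or service group should receive BACKEND_RSA_ONLY.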
