EMS TLS extension enforcement causing capacity issue in ADC

Perform the following workarounds based on each respective issue encountered:

1. Workaround for Intermittent TLS failures

Remove ephemeral Diffie-Hellman (DHE) ciphers from both the front end (towards the client) and the back end (towards the servers) of the Citrix ADC. See:

https://docs.citrix.com/en-us/citrix-adc/13/ssl/ciphers-available-on-the-citrix-ADC-appliances/configure-user-defined-cipher-groups-on-the-adc-appliance.html

2. Workaround for Compatibility issues with TLS EMS

Disable TLS session resumption on the back end of the ADC (session resumption is enabled by default).

  • To disable TLS session resumption on the back end using the CLI:
    • set ssl service <service name> -sessReuse DISABLED
  • To disable TLS session resumption on the back end using the GUI:
    • Go to Traffic Management > Load Balancing > Services > select the SSL service on which you wish to disable session reuse > Edit > SSL Parameters > uncheck Enable Session Reuse

If the customer is using client certificate-based authentication, then:

  • Disable TLS renegotiation in addition to the step above. Disabling TLS renegotiation should be done on the front end and can be achieved as described in CTX123680.

3. Workaround for Increased ADC CPU and SSL hardware load

Citrix supports TLS EMS from build 13.0-61.48, so the workarounds above are no longer necessary if you are on that build or later.

The longer-term solution for the industry is TLS 1.3, which binds the session keys to the full handshake transcript in a way similar to TLS EMS.

*Prioritizing ECDHE over DHE will help on the 5900, 8900, 15000 and 26000 models and their variants. For older models, please contact PM.
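The following script is an added example, not part of the original article or of any Citrix tooling. It turns the workarounds above into a reviewable set of Citrix ADC CLI commands: it drops DHE ciphers from a candidate list, orders ECDHE ciphers first, emits a user-defined cipher group, binds it to a front-end virtual server and a back-end service, and disables session reuse on the service. The cipher names, the group name NO_DHE, the virtual server name vs_web and the service name svc_web are constructed sample values; the renegotiation command assumes the global `set ssl parameter -denySSLReneg` setting, and the exact value to use should follow CTX123680.

```python
"""Generate Citrix ADC CLI commands for the DHE-removal and session-reuse workarounds.

Added example. Cipher names, group, vserver and service names below are constructed
sample values; review the generated commands before applying them to an appliance.
"""
from typing import List

# Constructed sample cipher list mixing DHE, ECDHE and RSA key-exchange ciphers.
SAMPLE_CIPHERS = [
    "TLS1.2-DHE-RSA-AES256-GCM-SHA384",
    "TLS1-AES-256-CBC-SHA",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1-DHE-RSA-AES-256-CBC-SHA",
]


def _parts(cipher: str) -> List[str]:
    return cipher.upper().split("-")


def is_dhe(cipher: str) -> bool:
    """True for finite-field Diffie-Hellman (DHE) ciphers; ECDHE is not DHE."""
    return "DHE" in _parts(cipher)


def is_ecdhe(cipher: str) -> bool:
    return "ECDHE" in _parts(cipher)


def order_ciphers(ciphers: List[str]) -> List[str]:
    """Remove DHE ciphers and move ECDHE ciphers to the front (stable order otherwise)."""
    kept = [c for c in ciphers if not is_dhe(c)]
    return sorted(kept, key=lambda c: 0 if is_ecdhe(c) else 1)


def cipher_group_commands(group: str, ciphers: List[str]) -> List[str]:
    """Commands that create a user-defined cipher group with explicit priorities."""
    cmds = [f"add ssl cipher {group}"]
    for prio, cipher in enumerate(order_ciphers(ciphers), start=1):
        cmds.append(f"bind ssl cipher {group} -cipherName {cipher} -cipherPriority {prio}")
    return cmds


def workaround_commands(group: str, vserver: str, service: str) -> List[str]:
    """Bind the group on both sides and disable back-end session reuse (workarounds 1 and 2)."""
    return [
        f"bind ssl vserver {vserver} -cipherName {group}",   # front end (towards clients)
        f"bind ssl service {service} -cipherName {group}",   # back end (towards servers)
        f"set ssl service {service} -sessReuse DISABLED",    # back-end session resumption off
    ]


def renegotiation_command(mode: str = "ALL") -> str:
    """Global renegotiation setting; assumed parameter, pick the value per CTX123680."""
    return f"set ssl parameter -denySSLReneg {mode}"


def build_plan(client_cert_auth: bool = False) -> List[str]:
    plan = cipher_group_commands("NO_DHE", SAMPLE_CIPHERS)
    plan += workaround_commands("NO_DHE", "vs_web", "svc_web")
    if client_cert_auth:
        plan.append(renegotiation_command())
    return plan


if __name__ == "__main__":
    for line in build_plan(client_cert_auth=True):
        print(line)
```

The DHE test splits the cipher name on hyphens so that ECDHE ciphers are never mistaken for DHE ones; the sort is stable, so the relative order of the remaining ciphers is preserved and only the ECDHE entries are promoted.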
