1. Workaround for Intermittent TLS failures
Remove the classic (finite-field) Diffie-Hellman (DHE) ciphers from both the front end (towards the clients) and the back end of the Citrix ADC. Leave the Elliptic-curve variant (ECDHE) bound so that forward secrecy is retained.
2. Workaround for Compatibility issues with TLS EMS
Disable TLS session resumption on the back end of the ADC (session resumption is enabled by default). Note that without resumption every back-end connection performs a full TLS handshake; the resulting load is what workaround 3 addresses.
- To disable TLS session resumption on the back end using the CLI:
- set ssl service <service name> -sessReuse DISABLED
- To disable TLS session resumption on the back end using the GUI:
- Go to Traffic Management > Load Balancing > Services > select the SSL service on which you wish to disable session reuse > Edit > SSL Parameters > uncheck "Enable Session Reuse"
If client certificate-based authentication is in use, then:
- In addition to the step above, disable TLS renegotiation. This must be done on the front end (towards the clients); the procedure is described in CTX123680.
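Workaround 2 as an added Python example (not part of this article and not a Citrix tool): it reads "show ssl service" output, reports which back-end services still have session reuse enabled, and emits the CLI commands to apply, with the renegotiation step included when client-certificate authentication is in use. The sample output is constructed and its layout is an assumption (only the "SSL Service <name>:" header and the "Session Reuse:" line are parsed); the "set ssl parameter -denySSLReneg" command, its FRONTEND_CLIENTSERVER value, "save ns config" and the service names svc_app1 / svc_app2 are assumptions for this example, and the renegotiation value should be taken from CTX123680.

```python
import re
from typing import Dict, List

# Constructed sample of "show ssl service" output on a Citrix ADC. The layout
# is an assumption made for this example; the parser relies only on the
# "...SSL Service <name>:" header and the "Session Reuse:" line.
SAMPLE_SHOW_SSL_SERVICE = """\
    Advanced SSL configuration for Back-end SSL Service svc_app1:
    Session Reuse: ENABLED        Timeout: 300 seconds
    Client Auth: DISABLED

    Advanced SSL configuration for Back-end SSL Service svc_app2:
    Session Reuse: DISABLED        Timeout: 300 seconds
    Client Auth: DISABLED
"""

SERVICE_HEADER = re.compile(r"SSL Service (\S+):")
SESSION_REUSE = re.compile(r"Session Reuse:\s*(ENABLED|DISABLED)")


def parse_session_reuse(show_output: str) -> Dict[str, str]:
    """Map each SSL service name to its Session Reuse state (ENABLED/DISABLED)."""
    state: Dict[str, str] = {}
    current = None
    for line in show_output.splitlines():
        header = SERVICE_HEADER.search(line)
        if header:
            current = header.group(1)
            continue
        reuse = SESSION_REUSE.search(line)
        if reuse and current:
            state[current] = reuse.group(1)
    return state


def services_with_reuse_enabled(state: Dict[str, str]) -> List[str]:
    """Services that still need the workaround; run again after the change to verify."""
    return sorted(svc for svc, reuse in state.items() if reuse == "ENABLED")


def plan_ems_workaround(state: Dict[str, str],
                        client_cert_auth: bool,
                        deny_reneg: str = "FRONTEND_CLIENTSERVER") -> List[str]:
    """Emit the ADC CLI commands for workaround 2.

    - One "set ssl service ... -sessReuse DISABLED" per service still reusing sessions.
    - If client-certificate authentication is in use on the front end, also deny
      renegotiation. The parameter name and the FRONTEND_CLIENTSERVER value are
      assumptions for this example; take the value to use from CTX123680.
    """
    cmds: List[str] = []
    for svc in services_with_reuse_enabled(state):
        cmds.append(f"set ssl service {svc} -sessReuse DISABLED")
    if client_cert_auth:
        cmds.append(f"set ssl parameter -denySSLReneg {deny_reneg}")
    if cmds:
        cmds.append("save ns config")  # persist the change; assumed ADC command
    return cmds


if __name__ == "__main__":
    state = parse_session_reuse(SAMPLE_SHOW_SSL_SERVICE)
    print("services still reusing sessions:", services_with_reuse_enabled(state))
    for cmd in plan_ems_workaround(state, client_cert_auth=True):
        print(cmd)
```

Feed the real "show ssl service" output in place of the constructed sample, review the emitted commands, and re-run the audit afterwards: services_with_reuse_enabled should then return an empty list.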
3. Workaround for Increased ADC CPU and SSL hardware load
- To reduce the CPU and SSL hardware impact of full TLS handshakes, prioritize the more efficient Elliptic-curve variant of Diffie-Hellman (ECDHE) above classic (finite-field) Diffie-Hellman (DHE). ECDHE is still an ephemeral key exchange, so forward secrecy is maintained on that path.*
- This priority change for ECDHE should be made on both the front end (towards the clients) and the back end, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/ciphers-available-on-the-citrix-ADC-appliances/ecdhe-ciphers.html and https://docs.citrix.com/en-us/citrix-adc/13/ssl/ciphers-available-on-the-citrix-ADC-appliances/leverage-hardware-and-software-to-improve-ecdhe-and-ecdsa-cipher-performance.html.
- If the back-end network is within a secure perimeter, a further reduction in CPU and SSL hardware load is possible by disabling both ECDHE and DHE on the back end, leaving only the non-ephemeral (typically RSA key transport) ciphers. This gives up forward secrecy on the back-end hop, which is why it is only suggested inside a secure perimeter. It is configured by binding a user-defined cipher group to the back-end service or service group, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/ciphers-available-on-the-citrix-ADC-appliances/configure-user-defined-cipher-groups-on-the-adc-appliance.html
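The cipher-list rules of workarounds 1 and 3 (DHE removed; ECDHE ahead of DHE on both sides; no ephemeral key exchange at all on a perimeter-protected back end) as an added Python example, not part of this article and not Citrix tooling. The cipher names are a constructed sample in Citrix ADC naming style and the classifier keys only on the ECDHE / DHE token; the generated CLI syntax, the group name ECDHE_FIRST, the service name svc_app1 and the default group names DEFAULT / DEFAULT_BACKEND are assumptions to verify against the documentation for your build.

```python
from typing import Iterable, List

# Constructed sample cipher list in Citrix ADC naming style, in an arbitrary
# starting order. The exact names bound on a given appliance differ; treat the
# set as illustrative.
SAMPLE_CIPHERS = [
    "TLS1.2-DHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-AES256-GCM-SHA384",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1-DHE-RSA-AES-128-CBC-SHA",
    "TLS1-ECDHE-RSA-AES128-SHA",
    "TLS1-AES-128-CBC-SHA",
]

RANK = {"ECDHE": 0, "DHE": 1, "STATIC": 2}  # lower rank = higher cipher priority


def key_exchange(cipher: str) -> str:
    """Classify a cipher name by key exchange: ECDHE, DHE, or STATIC (no forward secrecy)."""
    tokens = cipher.upper().split("-")   # whole tokens, so "ECDHE" never reads as "DHE"
    if "ECDHE" in tokens:
        return "ECDHE"
    if "DHE" in tokens:
        return "DHE"
    return "STATIC"                      # RSA key transport or static (EC)DH


def order_ciphers(ciphers: Iterable[str], drop_dhe: bool = False,
                  drop_ecdhe: bool = False) -> List[str]:
    """Apply the workarounds as a cipher-list transformation.

    - default: ECDHE first, then DHE, then static (workaround 3, both sides)
    - drop_dhe=True: remove classic DHE entirely (workaround 1)
    - drop_dhe=True, drop_ecdhe=True: no ephemeral key exchange at all
      (workaround 3, back end inside a secure perimeter only)
    The sort is stable, so the relative order within each class is preserved.
    """
    kept = [c for c in ciphers
            if not (drop_dhe and key_exchange(c) == "DHE")
            and not (drop_ecdhe and key_exchange(c) == "ECDHE")]
    return sorted(kept, key=lambda c: RANK[key_exchange(c)])


def has_forward_secrecy(ciphers: Iterable[str]) -> bool:
    """True if at least one ephemeral (ECDHE or DHE) cipher remains."""
    return any(key_exchange(c) in ("ECDHE", "DHE") for c in ciphers)


def adc_cipher_group_commands(group: str, ciphers: List[str], entity: str,
                              name: str, default_group: str) -> List[str]:
    """CLI commands that create a user-defined cipher group with explicit
    priorities and bind it in place of the default group. Command syntax and the
    default group names (DEFAULT on vservers, DEFAULT_BACKEND on services) are
    assumptions for this example; verify against your ADC build's documentation."""
    cmds = [f"add ssl cipher {group}"]
    for prio, c in enumerate(ciphers, start=1):
        cmds.append(f"bind ssl cipher {group} -cipherName {c} -cipherPriority {prio}")
    cmds.append(f"unbind ssl {entity} {name} -cipherName {default_group}")
    cmds.append(f"bind ssl {entity} {name} -cipherName {group}")
    return cmds


if __name__ == "__main__":
    back_end = order_ciphers(SAMPLE_CIPHERS)           # ECDHE ahead of DHE
    assert has_forward_secrecy(back_end)
    for cmd in adc_cipher_group_commands("ECDHE_FIRST", back_end,
                                         "service", "svc_app1", "DEFAULT_BACKEND"):
        print(cmd)
```

The has_forward_secrecy check makes the trade-off explicit before anything is bound: dropping DHE alone (workaround 1) keeps forward secrecy, dropping ECDHE as well (the secure-perimeter variant) loses it on that hop.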
Citrix supports TLS EMS from build 13.0-61.48 onward, so the workarounds above are no longer necessary once you are on that build or later.
The longer-term solution for the industry is TLS 1.3, which binds the session keys to the full handshake transcript and so provides the protection that TLS EMS (RFC 7627) retrofits onto earlier TLS versions.
*Prioritizing ECDHE over DHE helps on the 5900, 8900, 15000 and 26000 platform models. For older models, please contact PM.