SSL Handshake Failure on NetScaler Because of Unsupported Ciphers

Ciphers and Protocols Compatibility

Not every cipher is supported with every protocol. For example, the AES cipher is not supported when using SSLv3. For the list of ciphers that NetScaler supports, see Citrix Documentation – Ciphers Supported by the NetScaler Appliance.

SSL Cipher List Empty

NetScaler will send a FATAL ALERT to the back end server even if the SSL cipher list in the SERVICES Tab is empty.


But this time the FATAL ALERT will be sent even before the TCP handshake is completed.


So make sure that the Cipher list is not empty.

By default, ALL the ciphers are allowed or enabled on a Service/Service Group, and when the virtual server is created, the DEFAULT cipher group is bound to it by default.


So unless the cipher group or cipher is explicitly unbound, the FATAL ALERT will not be sent before the TCP handshake is completed.
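To confirm from a packet trace that a failed connection ended in this kind of fatal alert, the plaintext TLS alert record can be decoded directly. The Python below is an added example, not part of the original article: the sample bytes are constructed, the function names are hypothetical, and the alert codes are those of RFC 5246 (the article does not state which alert description the NetScaler sends).

```python
import struct

ALERT_CONTENT_TYPE = 21  # TLS record content type "alert"
LEVELS = {1: "warning", 2: "fatal"}
# Subset of RFC 5246 alert descriptions, including those tied to negotiation failures.
DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
NEGOTIATION_FAILURES = ("handshake_failure", "protocol_version", "insufficient_security")


def parse_alerts(stream: bytes):
    """Walk a byte stream of TLS records and return every plaintext alert in it."""
    alerts, offset = [], 0
    while offset + 5 <= len(stream):
        # Record header: 1-byte content type, 2-byte version, 2-byte body length.
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5: offset + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        # A plaintext alert body is exactly two bytes (level, description).
        # Encrypted alerts are longer and are skipped because they cannot be read.
        if ctype == ALERT_CONTENT_TYPE and length == 2:
            level, desc = body
            alerts.append({
                "version": VERSIONS.get(version, hex(version)),
                "level": LEVELS.get(level, "unknown(%d)" % level),
                "description": DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
            })
        offset += 5 + length
    return alerts


def is_cipher_negotiation_failure(alert) -> bool:
    """True for fatal alerts that indicate no acceptable cipher or protocol."""
    return alert["level"] == "fatal" and alert["description"] in NEGOTIATION_FAILURES


# Constructed sample: one handshake record (ServerHelloDone) followed by
# a fatal handshake_failure alert, both with record version TLS 1.0.
SAMPLE = bytes.fromhex("16030100040e000000" "15030100020228")

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE):
        flag = "cipher/protocol mismatch" if is_cipher_negotiation_failure(alert) else "other"
        print(alert["version"], alert["level"], alert["description"], "->", flag)
```

The input is the raw TCP payload of one direction of the connection, for example exported from a trace taken on the appliance.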

