ADC CLI Commands

ssl-parameter

June 28, 2023

Contributed by:

The following operations can be performed on “ssl-parameter”:

unset

show

set

unset ssl parameter

Use this command to remove ssl parameter settings.Refer to the set ssl parameter command for meanings of the arguments.

Synopsis

unset ssl parameter [-quantumSize] [-crlMemorySizeMB] [-strictCAChecks] [-sslTriggerTimeout] [-sendCloseNotify] [-encryptTriggerPktCount] [-denySSLReneg] [-insertionEncoding] [-ocspCacheSize] [-pushFlag] [-dropReqWithNoHostHeader] [-SNIHTTPHostMatch] [-pushEncTriggerTimeout] [-cryptodevDisableLimit] [-undefActionControl] [-undefActionData] [-defaultProfile] [-softwareCryptoThreshold] [-hybridFIPSMode] [-sigDigestType] [-ssliErrorCache] [-ssliMaxErrorCacheMem] [-insertCertSpace]

show ssl parameter

Displays information about advanced SSL parameters.

Synopsis

show ssl parameter

Arguments

Output

quantumSize Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.

crlMemorySizeMB Maximum memory size to use for certificate revocation lists (CRLs). This parameter reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded on the appliance can consume.

strictCAChecks Memory size to use for CRLs

sslTriggerTimeout Encryption trigger timer. Set the encryption trigger timeout for transactions, which are not trackable by Citrix ADC. Citrix ADC will use this setting to accumulate data received from the server for the configured time period before pushing it to the crypto hardware for encryption.

sendCloseNotify Send an SSL Close-Notify message to the client at the end of a transaction.

encryptTriggerPktCount Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC.

denySSLReneg SSL Renegotiation setting

insertionEncoding Encoding method used to insert the subject or issuer’s name in HTTP requests to servers.

ocspCacheSize Size, per packet engine, in megabytes of the OCSP cache

pushFlag Insert PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows: 0 - Auto (PUSH flag is not set.) 1 - Insert PUSH flag into every decrypted record. 2 -Insert PUSH flag into every encrypted record. 3 - Insert PUSH flag into every decrypted and encrypted record.

dropReqWithNoHostHeader Host header check for SNI enabled sessions. If this check is enabled and the HTTP request does not contain the host header for SNI enabled sessions(i.e vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension), the request is dropped.

SNIHTTPHostMatch Controls how the HTTP ‘Host’ header value is validated. These checks are performed only if the session is SNI enabled (i.e when vserver or profile bound to vserver has SNI enabled and ‘Client Hello’ arrived with SNI extension) and HTTP request contains ‘Host’ header. Available settings function as follows: CERT - Request is forwarded if the ‘Host’ value is covered by the certificate used to establish this SSL session. Note: ‘CERT’ matching mode cannot be applied in TLS 1.3 connections established by resuming from a previous TLS 1.3 session. On these connections, ‘STRICT’ matching mode will be used instead. STRICT - Request is forwarded only if value of ‘Host’ header in HTTP is identical to the ‘Server name’ value passed in ‘Client Hello’ of the SSL connection. NO - No validation is performed on the HTTP ‘Host’ header value.

pushEncTriggerTimeout PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.

cryptodevDisableLimit Limit to the number of disabled SSL chips after which the ADC restarts. A value of zero implies that the ADC does not automatically restart.

undefActionControl Global undef action for SSL control policies

undefActionData Global undef action for SSL data policies

defaultProfile Global parameter used to enable default profile feature.

svctls1112disable Disable TLS 1.1 and 1.2 for dynamic and VPN created services.

montls1112disable Disable TLS 1.1 and 1.2 for secure (https) monitors bound to SSL_BRIDGE services.

softwareCryptoThreshold CPU quota (%) to be allocated for crypto acceleration in software. Once the CPU utilization reaches or crosses this limit, CPU won’t be used for driving crypto in software.

hybridFIPSMode When this mode is enabled, system will use additional crypto hardware to accelerate symmetric crypto operations.

sigDigestType Signature Digest Algorithms that are supported by appliance. Default value is “ALL” and it will enable the following algorithms depending on the platform. On VPX: ECDSA-SHA1 ECDSA-SHA224 ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512 RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512 DSA-SHA1 DSA-SHA224 DSA-SHA256 DSA-SHA384 DSA-SHA512 On MPX with Nitrox-III and coleto cards: RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512 ECDSA-SHA1 ECDSA-SHA224 ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512 Others: RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512. Note:ALL doesnot include RSA-MD5 for any platform.

ssliErrorCache Enable or disable dynamically learning and caching the learned information to make the subsequent interception or bypass decision. When enabled, NS does the lookup of this cached data to do early bypass.

ssliMaxErrorCacheMem Specify the maximum memory that can be used for caching the learned data. This memory is used as a LRU cache so that the old entries gets replaced with new entry once the set memory limit is fully utilised. A value of 0 decides the limit automatically.

insertCertSpace To insert space between lines in the certificate header of request

set ssl parameter

Synopsis

set ssl parameter [-quantumSize ] \[-crlMemorySizeMB <positive\_integer>] \[-strictCAChecks \( YES | NO )] \[-sslTriggerTimeout <positive\_integer>] \[-sendCloseNotify \( YES | NO )] \[-encryptTriggerPktCount <positive\_integer>] \[-denySSLReneg ] \[-insertionEncoding \( Unicode | UTF-8 )] \[-ocspCacheSize <positive\_integer>] \[-pushFlag <positive\_integer>] \[-dropReqWithNoHostHeader \( YES | NO )] \[-SNIHTTPHostMatch ] \[-pushEncTriggerTimeout <positive\_integer>] \[-cryptodevDisableLimit <positive\_integer>] \[-undefActionControl ] \[-undefActionData ] \[-defaultProfile \( ENABLED | DISABLED )] \[-softwareCryptoThreshold <positive\_integer>] \[-hybridFIPSMode \( ENABLED | DISABLED )] \[-sigDigestType ...] \[-ssliErrorCache \( ENABLED | DISABLED )] \[-ssliMaxErrorCacheMem <positive\_integer>] \[-insertCertSpace \( YES | NO )]

Arguments

quantumSize Amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.

Possible values: 4096, 8192, 16384 Default value: 8192

strictCAChecks Enable strict CA certificate checks on the appliance.

Possible values: YES, NO Default value: NO

sslTriggerTimeout Time, in milliseconds, after which encryption is triggered for transactions that are not tracked on the Citrix ADC because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue. Default value: 100 Minimum value: 1 Maximum value: 200

sendCloseNotify Send an SSL Close-Notify message to the client at the end of a transaction.

Possible values: YES, NO Default value: YES

encryptTriggerPktCount Maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC. Default value: 45 Minimum value: 10 Maximum value: 50

denySSLReneg Deny renegotiation in specified circumstances. Available settings function as follows:

NO - Allow SSL renegotiation.
FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the client.
FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by the client or the Citrix ADC during policy-based client authentication.
ALL - Deny all secure and nonsecure SSL renegotiation.
NONSECURE - Deny nonsecure SSL renegotiation. Allows only clients that support RFC 5746.

Possible values: NO, FRONTEND_CLIENT, FRONTEND_CLIENTSERVER, ALL, NONSECURE Default value: ALL

insertionEncoding Encoding method used to insert the subject or issuer’s name in HTTP requests to servers.

Possible values: Unicode, UTF-8 Default value: Unicode

ocspCacheSize Size, per packet engine, in megabytes, of the OCSP cache. A maximum of 10% of the packet engine memory can be assigned. Because the maximum allowed packet engine memory is 4GB, the maximum value that can be assigned to the OCSP cache is approximately 410 MB. Default value: 10 Minimum value: 0 Maximum value: 512

Possible values: YES, NO Default value: NO

Possible values: NO, CERT, STRICT Default value: CERT

pushEncTriggerTimeout PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings. Default value: 1 Minimum value: 1 Maximum value: 200

cryptodevDisableLimit Limit to the number of disabled SSL chips after which the ADC restarts. A value of zero implies that the ADC does not automatically restart. Default value: 0 Minimum value: 0

undefActionControl Name of the undefined built-in control action: CLIENTAUTH, NOCLIENTAUTH, NOOP, RESET, or DROP. Default value: “CLIENTAUTH”

undefActionData Name of the undefined built-in data action: NOOP, RESET or DROP. Default value: “NOOP”

defaultProfile Global parameter used to enable default profile feature.

Possible values: ENABLED, DISABLED Default value: DISABLED

softwareCryptoThreshold Citrix ADC CPU utilization threshold (in percentage) beyond which crypto operations are not done in software. A value of zero implies that CPU is not utilized for doing crypto in software. Default value: 0 Minimum value: 0 Maximum value: 100

hybridFIPSMode When this mode is enabled, system will use additional crypto hardware to accelerate symmetric crypto operations.

Possible values: ENABLED, DISABLED Default value: DISABLED

Default value: ALL

Possible values: ENABLED, DISABLED Default value: DISABLED

insertCertSpace To insert space between lines in the certificate header of request

Possible values: YES, NO Default value: YES

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

ssl-parameter

June 28, 2023

Contributed by:

June 28, 2023

Contributed by:

ssl-parameter

unset ssl parameter

Synopsis

show ssl parameter

Synopsis

Arguments

Output

set ssl parameter

Synopsis

Arguments

In this article