Skip to content

sslvserver

Configuration for SSL virtual server resource.

Properties

(click to see Operations)

NameData TypePermissionsDescription
vservername<String>Read-writeName of the SSL virtual server for which to set advanced configuration.
Minimum length = 1
cleartextport<Integer>Read-writePort on which clear-text data is sent by the appliance to the server. Do not specify this parameter for SSL offloading with end-to-end encryption.
Default value: 0
Minimum value = 0
Maximum value = 65534
dh<String>Read-writeState of Diffie-Hellman (DH) key exchange.
Default value: DISABLED
Possible values = ENABLED, DISABLED
dhfile<String>Read-writeName of and, optionally, path to the DH parameter file, in PEM format, to be installed. /nsconfig/ssl/ is the default path.
Minimum length = 1
dhcount<Double>Read-writeNumber of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies infinite use (no refresh).
Minimum value = 0
Maximum value = 65534
dhkeyexpsizelimit<String>Read-writeThis option enables the use of NIST recommended (NIST Special Publication 800-56A) bit size for private-key size. For example, for DH params of size 2048bit, the private-key size recommended is 224bits. This is rounded-up to 256bits.
Default value: DISABLED
Possible values = ENABLED, DISABLED
ersa<String>Read-writeState of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts.
Default value: ENABLED
Possible values = ENABLED, DISABLED
ersacount<Double>Read-writeRefresh count for regeneration of the RSA public-key and private-key pair. Zero (0) specifies infinite usage (no refresh).
Minimum value = 0
Maximum value = 65534
sessreuse<String>Read-writeState of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.
Default value: ENABLED
Possible values = ENABLED, DISABLED
sesstimeout<Double>Read-writeTime, in seconds, for which to keep the session active. Any session resumption request received after the timeout period will require a fresh SSL handshake and establishment of a new SSL session.
Default value: 120
Minimum value = 0
Maximum value = 4294967294
cipherredirect<String>Read-writeState of Cipher Redirect. If cipher redirect is enabled, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client.
Default value: DISABLED
Possible values = ENABLED, DISABLED
cipherurl<String>Read-writeThe redirect URL to be used with the Cipher Redirect feature.
sslv2redirect<String>Read-writeState of SSLv2 Redirect. If SSLv2 redirect is enabled, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a protocol version mismatch between the virtual server or service and the client.
Default value: DISABLED
Possible values = ENABLED, DISABLED
sslv2url<String>Read-writeURL of the page to which to redirect the client in case of a protocol version mismatch. Typically, this page has a clear explanation of the error or an alternative location that the transaction can continue from.
clientauth<String>Read-writeState of client authentication. If client authentication is enabled, the virtual server terminates the SSL handshake if the SSL client does not provide a valid certificate.
Default value: DISABLED
Possible values = ENABLED, DISABLED
clientcert<String>Read-writeType of client authentication. If this parameter is set to MANDATORY, the appliance terminates the SSL handshake if the SSL client does not provide a valid certificate. With the OPTIONAL setting, the appliance requests a certificate from the SSL clients but proceeds with the SSL transaction even if the client presents an invalid certificate.
Caution: Define proper access control policies before changing this setting to Optional.
Possible values = Mandatory, Optional
sslredirect<String>Read-writeState of HTTPS redirects for the SSL virtual server.

For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect.
If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break.
Default value: DISABLED
Possible values = ENABLED, DISABLED
redirectportrewrite<String>Read-writeState of the port rewrite while performing HTTPS redirect. If this parameter is ENABLED and the URL from the server does not contain the standard port, the port is rewritten to the standard.
Default value: DISABLED
Possible values = ENABLED, DISABLED
ssl2<String>Read-writeState of SSLv2 protocol support for the SSL Virtual Server.
Default value: DISABLED
Possible values = ENABLED, DISABLED
ssl3<String>Read-writeState of SSLv3 protocol support for the SSL Virtual Server.
Default value: ENABLED
Possible values = ENABLED, DISABLED
tls1<String>Read-writeState of TLSv1.0 protocol support for the SSL Virtual Server.
Default value: ENABLED
Possible values = ENABLED, DISABLED
tls11<String>Read-writeState of TLSv1.1 protocol support for the SSL Virtual Server.
Default value: ENABLED
Possible values = ENABLED, DISABLED
tls12<String>Read-writeState of TLSv1.2 protocol support for the SSL Virtual Server.
Default value: ENABLED
Possible values = ENABLED, DISABLED
tls13<String>Read-writeState of TLSv1.3 protocol support for the SSL Virtual Server.
Default value: DISABLED
Possible values = ENABLED, DISABLED
snienable<String>Read-writeState of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.
Default value: DISABLED
Possible values = ENABLED, DISABLED
ocspstapling<String>Read-writeState of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values:
ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake.
DISABLED: The appliance does not check the status of the server certificate. .
Default value: DISABLED
Possible values = ENABLED, DISABLED
pushenctrigger<String>Read-writeTrigger encryption on the basis of the PUSH flag value. Available settings function as follows:
* ALWAYS - Any PUSH packet triggers encryption.
* IGNORE - Ignore PUSH packet for triggering encryption.
* MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.
* TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter command or in the Change Advanced SSL Settings dialog box.
Possible values = Always, Merge, Ignore, Timer
sendclosenotify<String>Read-writeEnable sending SSL Close-Notify at the end of a transaction.
Default value: YES
Possible values = YES, NO
dtlsprofilename<String>Read-writeName of the DTLS profile whose settings are to be applied to the virtual server.
Minimum length = 1
Maximum length = 127
sslprofile<String>Read-writeName of the SSL profile that contains SSL settings for the virtual server.
Minimum length = 1
Maximum length = 127
hsts<String>Read-writeState of HSTS protocol support for the SSL Virtual Server. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client.
Default value: DISABLED
Possible values = ENABLED, DISABLED
maxage<Double>Read-writeSet the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server.
Default value: 0
Minimum value = 0
Maximum value = 4294967294
includesubdomains<String>Read-writeEnable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains.
Default value: NO
Possible values = YES, NO
preload<String>Read-writeFlag indicates the consent of the site owner to have their domain preloaded.
Default value: NO
Possible values = YES, NO
strictsigdigestcheck<String>Read-writeParameter indicating to check whether peer entity certificate during TLS1.2 handshake is signed with one of signature-hash combination supported by Citrix ADC.
Default value: DISABLED
Possible values = ENABLED, DISABLED
zerorttearlydata<String>Read-writeState of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting only has an effect if resumption is enabled, as early data cannot be sent along with an initial handshake.
Early application data has significantly different security properties - in particular there is no guarantee that the data cannot be replayed.
Default value: DISABLED
Possible values = ENABLED, DISABLED
tls13sessionticketsperauthcontext<Double>Read-writeNumber of tickets the SSL Virtual Server will issue anytime TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handhsake client auth completes.
This value can be increased to enable clients to open multiple parallel connections using a fresh ticket for each connection.
No tickets are sent if resumption is disabled.
Default value: 1
Minimum value = 1
Maximum value = 10
dhekeyexchangewithpsk<String>Read-writeWhether or not the SSL Virtual Server will require a DHE key exchange to occur when a PSK is accepted during a TLS 1.3 resumption handshake.
A DHE key exchange ensures forward secrecy even in the event that ticket keys are compromised, at the expense of an additional round trip and resources required to carry out the DHE key exchange.
If disabled, a DHE key exchange will be performed when a PSK is accepted but only if requested by the client.
If enabled, the server will require a DHE key exchange when a PSK is accepted regardless of whether the client supports combined PSK-DHE key exchange. This setting only has an effect when resumption is enabled.
Default value: NO
Possible values = YES, NO
crlcheck<String>Read-onlyThe state of the CRL check parameter. (Mandatory/Optional).
Possible values = Mandatory, Optional
nonfipsciphers<String>Read-onlyThe state of usage of non FIPS approved ciphers.
Default value: DISABLED
Possible values = ENABLED, DISABLED
service<Double>Read-onlyService.
Minimum value = 0
Maximum value = 65534
ocspcheck<String>Read-onlyThe state of the OCSP check parameter. (Mandatory/Optional).
Possible values = Mandatory, Optional
ca<Boolean>Read-onlyCA certificate.
snicert<Boolean>Read-onlyThe name of the CertKey. Use this option to bind Certkey(s) which will be used in SNI processing.
skipcaname<Boolean>Read-onlyThe flag is used to indicate whether this particular CA certificate's CA_Name needs to be sent to the SSL client while requesting for client certificate in a SSL handshake.
dtlsflag<Boolean>Read-onlyThe flag is used to indicate whether DTLS is set or not.
__count<Double>Read-onlycount parameter

Operations

(click to see Properties)

UPDATE| UNSET| GET (ALL)| GET| COUNT

Some options that you can use for each operations:

  • Getting warnings in response:NITRO allows you to get warnings in an operation by specifying the "warning" query parameter as "yes". For example, to get warnings while connecting to the Citrix ADC appliance, the URL is as follows:

    http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/login?warning=yes

    If any, the warnings are displayed in the response payload with the HTTP code "209 X-NITRO-WARNING".

  • Authenticated access for individual NITRO operations:NITRO allows you to logon to the Citrix ADC appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,

    To do this, you must specify the username and password in the request header of the NITRO request as follows:

    X-NITRO-USER:<username>

    X-NITRO-PASS:<password>

    Note:In such cases, make sure that the request header DOES not include the following:

    Cookie:NITRO_AUTH_TOKEN=<tokenvalue>

Note:

Mandatory parameters are marked in redand placeholder content is marked in <green>.

update

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver

HTTP Method:PUT

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Content-Type:application/json

Request Payload:

{"sslvserver":{
<b>"vservername":<String_value>,
</b>"cleartextport":<Integer_value>,
"dh":<String_value>,
"dhfile":<String_value>,
"dhcount":<Double_value>,
"dhkeyexpsizelimit":<String_value>,
"ersa":<String_value>,
"ersacount":<Double_value>,
"sessreuse":<String_value>,
"sesstimeout":<Double_value>,
"cipherredirect":<String_value>,
"cipherurl":<String_value>,
"sslv2redirect":<String_value>,
"sslv2url":<String_value>,
"clientauth":<String_value>,
"clientcert":<String_value>,
"sslredirect":<String_value>,
"redirectportrewrite":<String_value>,
"ssl2":<String_value>,
"ssl3":<String_value>,
"tls1":<String_value>,
"tls11":<String_value>,
"tls12":<String_value>,
"tls13":<String_value>,
"snienable":<String_value>,
"ocspstapling":<String_value>,
"pushenctrigger":<String_value>,
"sendclosenotify":<String_value>,
"dtlsprofilename":<String_value>,
"sslprofile":<String_value>,
"hsts":<String_value>,
"maxage":<Double_value>,
"includesubdomains":<String_value>,
"preload":<String_value>,
"strictsigdigestcheck":<String_value>,
"zerorttearlydata":<String_value>,
"tls13sessionticketsperauthcontext":<Double_value>,
"dhekeyexchangewithpsk":<String_value>
}}

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the error

unset

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver?action=unset

HTTP Method:POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Content-Type:application/json

Request Payload:

{"sslvserver":{
<b>"vservername":<String_value>,
</b>"cleartextport":true,
"dh":true,
"dhfile":true,
"dhcount":true,
"dhkeyexpsizelimit":true,
"ersa":true,
"ersacount":true,
"sessreuse":true,
"sesstimeout":true,
"cipherredirect":true,
"cipherurl":true,
"sslv2redirect":true,
"sslv2url":true,
"clientauth":true,
"clientcert":true,
"sslredirect":true,
"redirectportrewrite":true,
"ssl2":true,
"ssl3":true,
"tls1":true,
"tls11":true,
"tls12":true,
"tls13":true,
"snienable":true,
"ocspstapling":true,
"sendclosenotify":true,
"dtlsprofilename":true,
"sslprofile":true,
"hsts":true,
"maxage":true,
"includesubdomains":true,
"preload":true,
"strictsigdigestcheck":true,
"zerorttearlydata":true,
"tls13sessionticketsperauthcontext":true,
"dhekeyexchangewithpsk":true
}}

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the error

get (all)

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver

Query-parameters:

attrs

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver?attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

filter

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver?filter=property-name1:property-val1,property-name2:property-val2

Use this query-parameter to get the filtered set of sslvserver resources configured on Citrix ADC. Filtering can be done on any of the properties of the resource.

view

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver?view=summary

Note:By default, the retrieved results are displayed in detail view (?view=detail).

pagination

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver?pagesize=#no;pageno=#no

Use this query-parameter to get the sslvserver resources in chunks.

HTTP Method:GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Accept:application/json

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the errorResponse Headers:

Content-Type:application/json

Response Payload:

{ "sslvserver": [ {
"vservername":<String_value>,
"cleartextport":<Integer_value>,
"dh":<String_value>,
"dhfile":<String_value>,
"dhcount":<Double_value>,
"dhkeyexpsizelimit":<String_value>,
"ersa":<String_value>,
"ersacount":<Double_value>,
"sessreuse":<String_value>,
"sesstimeout":<Double_value>,
"cipherredirect":<String_value>,
"crlcheck":<String_value>,
"cipherurl":<String_value>,
"sslv2redirect":<String_value>,
"sslv2url":<String_value>,
"clientauth":<String_value>,
"clientcert":<String_value>,
"sslredirect":<String_value>,
"redirectportrewrite":<String_value>,
"nonfipsciphers":<String_value>,
"ssl2":<String_value>,
"ssl3":<String_value>,
"tls1":<String_value>,
"tls11":<String_value>,
"tls12":<String_value>,
"tls13":<String_value>,
"snienable":<String_value>,
"ocspstapling":<String_value>,
"service":<Double_value>,
"servicename":<String_value>,
"ocspcheck":<String_value>,
"pushenctrigger":<String_value>,
"ca":<Boolean_value>,
"snicert":<Boolean_value>,
"skipcaname":<Boolean_value>,
"sendclosenotify":<String_value>,
"dtlsprofilename":<String_value>,
"dtlsflag":<Boolean_value>,
"sslprofile":<String_value>,
"hsts":<String_value>,
"maxage":<Double_value>,
"includesubdomains":<String_value>,
"preload":<String_value>,
"strictsigdigestcheck":<String_value>,
"zerorttearlydata":<String_value>,
"tls13sessionticketsperauthcontext":<Double_value>,
"dhekeyexchangewithpsk":<String_value>
}]}

get

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver/vservername_value<String>

Query-parameters:

attrs

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver/vservername_value<String>?attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

view

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver/vservername_value<String>?view=summary

Note:By default, the retrieved results are displayed in detail view (?view=detail).

HTTP Method:GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Accept:application/json

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the errorResponse Headers:

Content-Type:application/json

Response Payload:

{ "sslvserver": [ {
"vservername":<String_value>,
"cleartextport":<Integer_value>,
"dh":<String_value>,
"dhfile":<String_value>,
"dhcount":<Double_value>,
"dhkeyexpsizelimit":<String_value>,
"ersa":<String_value>,
"ersacount":<Double_value>,
"sessreuse":<String_value>,
"sesstimeout":<Double_value>,
"cipherredirect":<String_value>,
"crlcheck":<String_value>,
"cipherurl":<String_value>,
"sslv2redirect":<String_value>,
"sslv2url":<String_value>,
"clientauth":<String_value>,
"clientcert":<String_value>,
"sslredirect":<String_value>,
"redirectportrewrite":<String_value>,
"nonfipsciphers":<String_value>,
"ssl2":<String_value>,
"ssl3":<String_value>,
"tls1":<String_value>,
"tls11":<String_value>,
"tls12":<String_value>,
"tls13":<String_value>,
"snienable":<String_value>,
"ocspstapling":<String_value>,
"service":<Double_value>,
"servicename":<String_value>,
"ocspcheck":<String_value>,
"pushenctrigger":<String_value>,
"ca":<Boolean_value>,
"snicert":<Boolean_value>,
"skipcaname":<Boolean_value>,
"sendclosenotify":<String_value>,
"dtlsprofilename":<String_value>,
"dtlsflag":<Boolean_value>,
"sslprofile":<String_value>,
"hsts":<String_value>,
"maxage":<Double_value>,
"includesubdomains":<String_value>,
"preload":<String_value>,
"strictsigdigestcheck":<String_value>,
"zerorttearlydata":<String_value>,
"tls13sessionticketsperauthcontext":<Double_value>,
"dhekeyexchangewithpsk":<String_value>
}]}

count

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/sslvserver?count=yes

HTTP Method:GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Accept:application/json

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the errorResponse Headers:

Content-Type:application/json

Response Payload:

{ "sslvserver": [ { "__count": "#no"} ] }