- Troubleshooting NetScaler
- Raghu Varma Tirumalaraju
- 2919字
- 2021-07-16 11:06:47
SSL
We will now look at issues that can arise when load balancing SSL applications via the NetScaler. Let's start by looking at some considerations when deploying SSL, before discussing certificates and some essential Wireshark knowledge that you need in the SSL area. We will then apply this knowledge to troubleshoot some common issues before wrapping up the section with a discussion of SSL security best practices.
SSL deployment considerations
SSL is now ubiquitous. In fact, most public facing deployments simply cannot go into production without it. Using NetScaler to take the SSL processing load off the servers is referred to as SSL offloading. SSL offloading is great for performance because a NetScaler with its specialized SSL cards is optimized for handling SSL transactions, while your application servers typically are not.
Note
While the generic name SSL has stuck, SSL is no longer the choice for security and nor is TLS 1.0. The severity of the POODLE attack that impacts both protocols means that security standards mandate using TLS1.1, or better, even TLS1.2 now. All major browsers support these two versions. For the purpose of the chapter, we will use SSL since that is the name used in the field.
There are secondly those deployments (for example, in banks) where that encryption doesn't end at the NetScaler. The decryption happens at NetScaler, necessary policies applied, and traffic is then re-encrypted on its way to the server. This is called End-to-End encryption. Here, you still chose SSL as the protocol, but your backend servers are also added as SSL services instead of HTTP or whatever the application layer protocol is. While this deployment does lose some of the advantages of a proper SSL offload, the NetScaler value add of being able to apply HTTP processing, such as doing rewrites or being apply to inspect requests to weed out attacks remains.
A third kind of SSL deployment is where NetScaler doesn't understand the protocols natively but can still encrypt them, thus still providing SSL offload at the TCP level. Secure SMTP is a common example. For such deployments, SSL_TCP is the VIP of choice. Since you are terminating SSL and NetScaler can look into the SSL stream, a majority of the protection benefits are still available with SSL_TCP. However, connection multiplexing is lost.
Finally, there is SSL bridging where NetScaler plays no role in the SSL termination, it is entirely between the client and the server. All the NetScaler does in this case is connection-based load balancing between the different SSL enabled servers. One use case for SSL bridging is wanting client certificates to be sent all the way to the server in their original form. You do not even bind a certificate on the NetScaler for this deployment.
SSL bridging can also be used as a troubleshooting step, that is, if SSL offloading is not working, check whether bridging works. That will tell you that the focus needs to move to NetScaler's handling of SSL.
SSL certificates exist in several formats. The most common formats that you encounter when working with NetScaler are PEM and PFX. The NetScaler supports binding PEM certificates to virtual servers, and it is a common format among open source systems, but you will also often stumble on PFX, especially when moving from IIS. In the most recent version, version 11.0, you can directly import PFX certificates without having to convert them, but it is nevertheless handy to know how to convert them using OpenSSL (included on the NetScaler) if you have used an use an earlier version:
Converting PFX server certificate to PEM using OpenSSL
You can also examine PEM certificates on the NetScaler without having to export them to your PC first. Let's quickly discuss the various sections of a certificate, as this becomes important when troubleshooting:
PEM certificate with encrypted private key
In the screenshot, we see an encrypted private key followed by the certificate. The Proc-Type tells us the key is encrypted, and the DEK-Info tells us the encryption method used. The actual key then follows, demarcated by a BEGIN and END.
Note that, with the PEM format, the certificate and key can exist in the same file, but they don't necessarily have to. Also, the password protection that results in the encrypted form is optional. By contrast, in PFX, they always are in the same file and the file is always protected by a password.
You can run the same conversion with the –nodes option, in which case you will get a PEM file that doesn't have the encryption:
Using Wireshark to examine the handshake
For the next few minutes, let's take a look at a sample trace and see how a full handshake unfolds.
The following are the steps for SSL handshake:
- The first packet that an SSL client sends after the TCP handshake is a
Client Hello. This will tell you what SSL version the client is using, and whether they are reusing an SSL session (more on session reuse to follow) and what Ciphers it supports. The list of Ciphers is in the order that the client prefers:
- The first SSL packet from a server, as you've guessed, is the
Server Hello. In this packet, the server indicates its version of TLS and next, see that it has chosenTLS_RSA_WITH_RC4_128_MD5, which is in the list that the client has provided in itsClient Hello:
- The Server Certificate exchange, along with details of CN, issuer, and validity is sent by the server. It is important that the trace captures this certificate exchange if it is to be decryptable:
- In Client Certificate (Optional) the step that leads the client to provide its certificate is the presence of a certificate request in the previous step (Server Certificate Exchange):
- In this step of Client Key Exchange, the Encrypted PreMaster key gets exchanged. How this key gets generated depends on the OS, but in general it uses a random number generator, taking some local characteristics into account:
The security of this PreMaster secret is paramount, which is why it gets encrypted with the server's public key so that only the server (which has the private key) can decrypt it.
- Handshake finish step is the point at which the handshake ends. The finished messages indicate that the client and server are happy to move to encrypted (symmetric) data exchange. Now that we have some of the considerations out the way, let's look at how we approach SSL issues.
Now, let's look at the version of the handshake that happens when the SSL session reuse is happening. Here, you see that the client already comes with a session ID from a previous session, and in the rather short SSL handshake that happens, the server certificate is not exchanged and no validation is done, and some computationally expensive steps are avoided by doing so:
Session reuse is a great SSL performance technique. This is why it is enabled by default.
Session reuse and troubleshooting
As huge a benefit as session reuse is, it poses a problem when wanting to decrypt a trace. With the truncated handshake and the missing certificate, decryption will fail.
The recommendation around this is to disable SSL session reuse for the brief period that you are running the trace, and enable it again once the tracing is complete. If you forget to enable it, you will definitely see higher SSL card use or a higher CPU, based on your NetScaler platform, hence re-enabling it is important. The setting is managed from the SSL parameters tab for each VIP individually:
A second option is to completely close and restart the application.
Now that we looked at how the handshake works, let's take a look at how one goes about decrypting a trace in Wireshark.
While troubleshooting SSL/TLS issues, you will find yourself often needing to look beyond the handshake and at the HTTP, or at other layer 7 level information. You can again use Wireshark for this purpose. To decrypt the trace:
- Obtain the private key corresponding to the SSL VIP.
- Click on Edit | Preferences | Protocols | SSL.
- Click on the RSA keys list and create an entry; the following figure shows an example:
- Click on OK all the way to the main window and you should now be able to see decrypted packets.
There is also a password field that needs to be filled in if the key is password protected. As an alternative, you can also use OpenSSL to decrypt the key even before getting to this step. The command is:
openssl rsa -in <encrypted key> -out < decrypted output filename>
The quickest way to tell if the decryption worked is by using the filter ssl && http, as you can see the decrypted HTTP is in green in the following screenshot:
Note that apart from an incomplete handshake being captured (due to a reused SSL session), a second case where Wireshark will fail to decrypt the trace is when protocols such as Diffie Hellman are used in the key exchange. In such cases, instead of the server's public and private keys, randomly generated keys are used that Wireshark doesn't have visibility into and thus the decryption fails.
If you are having trouble with decryption, look for clues in the SSL Debug file that you can choose under Edit | Preferences | SSL:
You will, on occasion, need to share the key with Citrix support for troubleshooting issues involving SSL. Citrix has strict measures in place around how this information is handled to avoid risk. However, sharing the key might not bode well with your security policy; luckily, it's easy to resolve this situation without adding to the risk by decrypting and exporting the session keys to share with Citrix.
With these session keys, Citrix (or any third-party you share the session keys with) can only decrypt a specific conversation. To do this using Wireshark first decrypt the trace as we've discussed. Then, navigate to File | Export SSL Session Keys.
The result will be a text file with the RSA Session ID and the Master Key that you can share with anyone that needs to be able to decrypt the session. The way this file will be used for decryption is by going to the SSL Protocol Preferences section of Wireshark and specifying it as the (Pre)-Master-Secret log filename.
Note
Note that when capturing the trace, it is important that you use the size 0 (unlimited size) option, as we discuss in Chapter 9, Troubleshooting Tools. If not, the trace will be truncated, which means the certificate is not fully captured and the trace will not be decryptable.
Now with the key concepts out of the way, let's look at some ways to approach troubleshooting SSL issues.
Troubleshooting SSL issues
If you have the possibility, create an equivalent HTTP VIP first for testing. If that works fine, we'll need to start looking at the SSL handshake using Wireshark.
Having verified that the HTTP version of the VIP works correctly, let's look at some potential failure areas:
- Trust issues from unknown CA: In the following example, we see that the handshake is failing because the NetScaler doesn't trust the certificate that is being presented by the client:
At this point, you will need to open the client certificate in the trace and see what CA (Certificate Authority) signed it. Once you note down the CA, check the SSL VIP configuration and see whether the CA has been specified in the list:
Another way to catch this problem is by looking at SSL error counters. To do this, drop into shell and use the
nsconmsg –g ssl_err –d currentcommand:
- Trust issues from missing intermediate CA certificates: Issues can also arise in the form of a missing certificate link. So if you are getting the certificate from an intermediate CA (which is very often the case), make sure you've linked these properly. You can do this from the Certificates section of the SSL tab once you have installed the intermediate CA certificate by selecting the server certificate and choosing Link:
Rather handily, NetScaler then looks at who signed this certificate (that is, the CA
int.xmx.lab, in our case here) and presents its certificate for linking:
If there are multiple intermediate CAs, you will need to repeat this for all, working your way to the top of the chain, that is, the root CA. The result of this exercise is that when NetScaler presents the server certificate bound to the VIP, it also includes all intermediate CA certificates so that the client who might only know the root certificate will accept the server certificate by looking at the entire chain.
- Client doesn't present a certificate with Client Cert Auth configured: If the client doesn't present a certificate, while the NetScaler is expecting one due to client cert authentication configured, you will see the counter
ssl_err_clientAuth_nocertincrement.
For the certificate to be presented correctly, the client browser needs, of course, to be set up with one, but as a troubleshooting step, also verify by looking for a certificate request (
ssl.handshake.type == 13) from the NetScaler SSL VIP. The following is what it should look like:
- Protocol mismatches: If the client and NetScaler cannot agree on the version of TLS to use, you will see a protocol version alert.
The counter
nsconmsg –g ssl_errhighlights this incompatibility.
SSL and TLS versions used can be managed from the SSL parameter tab of each SSL vServer.
- Cipher Mismatches: If the protocols match but the server and client don't manage to find a common cipher, this will result in a handshake failure message in the trace.
And here's the counter that goes when using
nsconmsg –g ssl_err –d current:
Card failures are fortunately very rare. But in case one happens, you will see a number of telltale signs. A card failure will:
- Result in an HA failover
- Show up in show node and
stat ssloutputs - Show you the counter
ssl_err_card_process_fail_rstevery time the device resets a connection it can't process due to the card being down - Result in this reset having the window code 9820
SSL is such a vital component for customers, especially those bound by compliance laws that, keeping on top of the issues, is a constant effort and requires regular handling, what with new vulnerabilities being reported on a regular basis. Consider the following best practices to ensure you are well protected:
- Removing SSL and TLS 1.0 and moving to TLS 1.2 is a good option. Given the suite of SSLv3 vulnerabilities (for example, Poodle Attack) the goal should be to move to TLS, preferably TLS 1.2. NetScaler now supports TLS Versions 1.1 and 1.2, both on the frontend and the backend (backend support is currently only for MPX or SDX instances with an SSL card assigned at this point, not regular VPX).
Note that sometimes, scanners report vulnerabilities purely based on the OpenSSL version used on NetScaler. It should be noted that OpenSSL while present on NetScaler, isn't actually used for SSL processing. For processing, Custom software is used. Also, the OpenSSL present on NetScaler is a locked down version, meaning code that is unnecessary or vulnerable is dropped.
- Avoid all RC4 Ciphers such as SSL3-RC4-MD5. There is now even an RFC (rfc7465) advocating against it. And avoid export Ciphers such as EXP-RC4-MD5. They are considered too weak and form the basis for attacks such as FREAK. Note that these ciphers have been removed from the default Cipher list for this very reason.
- Use the latest version of NetScaler, as security issues are taken pretty seriously and are among the first in line for the next build.
- Deny SSL renegotiation unless your application specifically needs it. You can do this using the following command:
Set ssl parameter –denySSLReneg ALLYou can also set this from the GUI under the advanced SSL parameters section of SSL, either setting to ALL or to a specific leg of the conversation:
Tip
Consider reading a couple of excellent blogs, written in this area by one of our consultants, that are a lot more comprehensive and explain how to get an A+ at https://www.ssllabs.com/ by following SSL security best practices. The short links are https://goo.gl/WREk7y and https://goo.gl/00PH2C.
Engaging with Citrix
SSL vulnerabilities that are reported in the wild will likely have a CVE (Common Vulnerabilities and Exposures) ID associated with them. Try and identify the CVE of a vulnerability. The https://cve.mitre.org/ website is a great place to find these.
If you have stumbled into a vulnerability on your own through your own testing, there are a couple of ways you can proceed:
- If you are using a scanner that reports a known vulnerability, first try with the latest version.
- If you see the same results with the latest build, note down the CVE and engage with
secure@citrix.com. The http://support.citrix.com/article/ctx140863 site contains more details around reporting vulnerabilities to Citrix.
- Designing Machine Learning Systems with Python
- Getting Started with ResearchKit
- oreilly精品圖書:軟件開發者路線圖叢書(共8冊)
- 數據結構簡明教程(第2版)微課版
- 機器人Python青少年編程開發實例
- Groovy for Domain:specific Languages(Second Edition)
- Full-Stack Vue.js 2 and Laravel 5
- JSP開發案例教程
- Python編程實戰
- Python語言實用教程
- Regression Analysis with Python
- Mastering Python Design Patterns
- Exploring SE for Android
- Clojure High Performance Programming(Second Edition)
- Python 3快速入門與實戰