In 2016 Ryan Butler created a PowerShell script to update a NetScaler configuration to score an A+ at the SSL Labs SSL test. I updated this script to score an A+ in 2023.
Credits
This blog post would not be possible without the groundwork from Ryan Butler and Carl Stalhood. Ryan created the initial script and Carl provided me with a current SSL cipher list for Q2 2023.
Updates and tests
Last year, I had a few new Citrix NetScaler Gateway VPX setups, and needed a fast way to get the SSL settings right. Most of the time I used the script by Ryan, but in the meantime it was outdated. I grabbed the script and the provided SSL cipher list by Carl and got a working copy that immediately scored an A+ at SSL Labs. Sadly, I did not take my time to create a pull request over at Ryan’s GitHub to give back. Today I took my time, to tidy up the code, thanks to the Visual Studio Code PowerShell formatter and write up the changelog.
I tested the latest version of the script against a NetScaler 13.1 VPX (NS13.1 33.47.nc) without any issues. The instance was pre-configured with the previous version of the script. The previous script provided me a B at SSL Labs.
After I let the latest version of the script optimize the VPX appliance, we are back to an A+. Example:
.\set-nsssl.ps1 -nsip "192.168.0.5" -adminpassword "secret" -enablesslprof -nolb -nocsw -ciphergroupname "custom-ssllabs-cipher-2022" -sslprofile "custom-ssllabs-profile-2022" -nosave
The script
The latest version of the script that contains my Pull Request can be found over at Ryan’s GitHub.
Recent CUGC blogs: