  1. <#
  2. Written by David Ott
  3. I wrote this script to easily set cipher settings for netscaler ssl vservers in order to get an "A" rating from ssllabs
  4. This has been tested against netscaler 11.0 62.10 - I am not sure if it will work with any other version, so be careful.
  5. You will need the Nitro API SDK for C# - available to download from your netscaler
  6. search for ##### for important edits you will need to make for your environment, and/or information
  7. #>
  8.  
  9. function end-script {
  10. exit
  11. }
  12. function get-cgn {
  13. Read-Host "Enter new Cipher group name"
  14. }
  15. $nsip = "1.1.1.1" ##### netscaler ip
  16. $user = "nsroot"
  17. $pass = "nsroot" ##### nsroot password
  18.  
  19. <##### Edit $path1 and $path2 below if it doesn't match your environment #####>
  20. $path1 = "C:\ns_nitro-csharp_ion_62_10\lib\Newtonsoft.Json.dll"
  21. $path2 = "C:\ns_nitro-csharp_ion_62_10\lib\nitro.dll"
  22.  
  23. <##### Script will end if it cannot find one or both of the dll files #####>
  24. if (!(test-path $path1) -or !(test-path $path2)) {write-host "Unable to find one of the needed .dll files" -f red ; break}
  25. $O = [System.Reflection.Assembly]::LoadFile($path1)
  26. $O = [System.Reflection.Assembly]::LoadFile($path2)
  27.  
  28. <##### Connecting to your Netscaler #####>
  29. $nitrosession = new-object com.citrix.netscaler.nitro.service.nitro_service($nsip,"http")
  30. $session = $nitrosession.login($user,$pass)
  31.  
  32. <##### This bit asks if you want to create a Cipher Group - if not it will pop up a grid of all existing Cipher groups
  33. on your Netscaler to choose from.  #####>
  34. $title = "Add Cipher Group"
  35. $message = "Do you want to create a Cipher Group?"
  36. $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
  37.     "Creates a Cipher Group."
  38. $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
  39.     "Uses an existing Cipher Group."
  40.  
  41. $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
  42.  
  43. $result = $host.ui.PromptForChoice($title, $message, $options, 0)
  44.  
  45. switch ($result)
  46.     {
  47.         0 {$yn = "0"}
  48.         1 {$yn = "1"}
  49.     }
  50.    
  51. if ($yn -eq "0") {
  52. <##### If you hit yes it will prompt you for the name of the new Cipher Group - if it exists it will warn you, and
  53. ask again #####>
  54. $cgn = get-cgn
  55. $ccgs = ([com.citrix.netscaler.nitro.resource.config.ssl.sslcipher]::get($nitrosession)).ciphergroupname
  56. while ($ccgs -contains $cgn) {
  57. write-host "Cipher group $cgn already exists!" -f Red
  58. $cgn = get-cgn
  59. }
  60. $ncg = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslcipher
  61. $ncg.ciphergroupname = $cgn
  62. <##### Tries to create the Cipher Group - if it fails the script will end #####>
  63. try {
  64. [com.citrix.netscaler.nitro.resource.config.ssl.sslcipher]::add($nitrosession,$ncg) | Out-Null
  65. Write-Host "Cipher Group - $cgn created" -f Green
  66. } catch {
  67. Write-Host "Unable to create Cipher Group $cgn - ending script!" -f Red
  68. end-script
  69. }
  70. <##### Determines if your netsclaer is a VPX or not - will use different Ciphers depending #####>
  71. $hwd = ([com.citrix.netscaler.nitro.resource.config.ns.nshardware]::get($nitrosession)).hwdescription
  72.  
  73. ##### Physical
  74. if ($hwd -notlike "*virtual*") {
  75. $suites = @("TLS1.2-ECDHE-RSA-AES256-GCM-SHA384"`
  76. ,"TLS1.2-ECDHE-RSA-AES128-GCM-SHA256"`
  77. ,"TLS1.2-ECDHE-RSA-AES-256-SHA384"`
  78. ,"TLS1.2-ECDHE-RSA-AES-128-SHA256"`
  79. ,"TLS1-ECDHE-RSA-AES256-SHA"`
  80. ,"TLS1-ECDHE-RSA-AES128-SHA"`
  81. ,"TLS1.2-DHE-RSA-AES256-GCM-SHA384"`
  82. ,"TLS1.2-DHE-RSA-AES128-GCM-SHA256"`
  83. ,"TLS1-DHE-RSA-AES-256-CBC-SHA"`
  84. ,"TLS1-DHE-RSA-AES-128-CBC-SHA"`
  85. ,"SSL3-DES-CBC3-SHA")
  86. } else {
  87. ##### Virtual
  88. $suites = @("TLS1.2-ECDHE-RSA-AES-128-SHA256"`
  89. ,"TLS1-ECDHE-RSA-AES256-SHA"`
  90. ,"TLS1-ECDHE-RSA-AES128-SHA"`
  91. ,"TLS1-DHE-RSA-AES-256-CBC-SHA"`
  92. ,"TLS1-DHE-RSA-AES-128-CBC-SHA"`
  93. ,"TLS1-AES-256-CBC-SHA"`
  94. ,"TLS1-AES-128-CBC-SHA"`
  95. ,"SSL3-DES-CBC3-SHA"
  96. )
  97. }
  98. $cipher = new-object com.citrix.netscaler.nitro.resource.config.ssl.sslcipher_sslciphersuite_binding
  99. $cipher.ciphergroupname = $cgn
  100. <##### Tries to add the cipher suites above to the new Cipher Group - ends the script if it fails #####>
  101. foreach ($suite in $suites) {
  102. $cipher.ciphername = $suite
  103. try {
  104. [com.citrix.netscaler.nitro.resource.config.ssl.sslcipher_sslciphersuite_binding]::add($nitrosession,$cipher) | Out-Null
  105. Write-Host "$suite added to $cgn" -f Green
  106. } catch {
  107. Write-Host "Unable to add $suite to $cgn - ending script!" -f Red
  108. end-script
  109. }
  110. }
  111. Write-Host "`r`n"
  112. } else {
  113. <##### If you said no when it asked to create a Cipher Group this will open a grid view for you to select your existing
  114. Cipher Group #####>
  115. $cgn = ([com.citrix.netscaler.nitro.resource.config.ssl.sslcipher]::get($nitrosession)).ciphergroupname | Out-GridView -Title "Select Cipher Group" -OutputMode Single
  116. }
  117.  
  118. ##### Script ends if there is no group created/selected
  119. if ($cgn -eq $null) {break}
  120.  
  121. <##### Gets a list of all ssl vservers available in your netscaler and outputs it to a grid view.  You can select one or many, and hit ok. #####>
  122. $sslvservers = ([com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::get($nitrosession)).vservername | Out-GridView -PassThru -Title "Select SSL vServers to assign the Cipher Group to"
  123. $ecc = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_ecccurve_binding
  124. $ciphergroup = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcipher_binding
  125. $ciphergroup.ciphername = $cgn
  126. $sslv3 = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver
  127. $sslv3.ssl3 = "DISABLED"
  128. $sslv3.tls1 = "ENABLED" ##### Leave this as enabled - found issues with certain browsers
  129. $sslv3.tls11 = "ENABLED"
  130. $sslv3.tls12 = "ENABLED"
  131. <##### For each loop:
  132. 1. Sets ecc curves to all
  133. 2. Assigns the new (or selected) Cipher Group to the vserver
  134. 3. Removes any explicit ssl cipher suites assigned (for some reason when changing cipher groups remnant cipher suites are
  135. left behind)
  136. 4. Re-assigns the Cipher Group
  137. If anything fails the script will end #####>
  138. foreach ($sslvserver in $sslvservers) {
  139. if (([com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::get($nitrosession,$sslvserver)).sslprofile -ne $null) {
  140. try {
  141. [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::unset($nitrosession,$sslvserver,"sslprofile") | Out-Null
  142. Write-Host "SSL Profile on $sslvserver removed" -f Green
  143. } catch {
  144. Write-Host "SSL Profile detected on $sslvserver, but unable to remove - end script!" -f Red
  145. end-script
  146. }
  147. }
  148. $ecc.ecccurvename = "ALL"
  149. $ecc.vservername = $sslvserver
  150. $sslv3.vservername = $sslvserver
  151.  
  152. try {
  153. [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_ecccurve_binding]::add($nitrosession,$ecc) | Out-Null
  154. Write-Host "All ECC Curves assigned to $sslvserver" -f Green
  155. } catch {
  156. Write-Host "Failed to assign all ECC Curves to $sslvserver - ending script!" -f Red
  157. end-script
  158. }
  159. try {
  160. [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::update($nitrosession,$sslv3) | Out-Null
  161. Write-Host "SSLv3 Disabled on $sslvserver" -f Green
  162. } catch {
  163. Write-Host "Unable to Disable SSLv3 on $sslvserver" -f Red
  164. end-script
  165. }
  166. $ciphergroup.vservername = $sslvserver
  167. try {[com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcipher_binding]::add($nitrosession,$ciphergroup) | Out-Null
  168. Write-Host "$cgn bound to $sslvserver" -f Green
  169. } catch {
  170. Write-Host "Unable to bind $cgn to $sslvserver - ending script!" -f Red
  171. end-script
  172. }
  173. Write-Host "Removing any individually assigned cipher suites, and re-binding $cgn to $sslvserver" -f Gray
  174. $fixes = ([com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslciphersuite_binding]::get($nitrosession,$sslvserver)).ciphername
  175. $remove = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslciphersuite_binding
  176. $remove.vservername = $sslvserver
  177. foreach ($fix in $fixes) {
  178. $remove.ciphername = $fix
  179. try {
  180. [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslciphersuite_binding]::delete($nitrosession,$remove) | Out-Null
  181. Write-Host "$fix removed from $sslvserver" -f Green
  182. } catch {
  183. Write-Host "Unable to remove $fix from $sslvserver - ending script!" -f Red
  184. end-script
  185. }
  186. }
  187. try {
  188. [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcipher_binding]::add($nitrosession,$ciphergroup) | Out-Null
  189. Write-Host "$cgn bound to $sslvserver" -f Green
  190. } catch {
  191. Write-Host "Unable to bind $cgn to $sslvserver - ending script!" -f Red
  192. end-script
  193. }
  194. Write-Host "`r`n"
  195. }
  196.  
  197. <##### Asks if you would like to save the configuration #####>
  198. $title = "Save NS Config"
  199. $message = "Do you wish to save the Netscaler configuration?"
  200. $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
  201.     "Creates a Cipher Group."
  202. $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
  203.     "Uses an existing Cipher Group."
  204.  
  205. $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
  206.  
  207. $result = $host.ui.PromptForChoice($title, $message, $options, 0)
  208.  
  209. switch ($result)
  210.     {
  211.         0 {$yn = "0"}
  212.         1 {$yn = "1"}
  213.     }
  214. if ($yn -eq "0") {
  215. Write-Host "Saving Netscaler configuration" -f Gray
  216. try {
  217. $nitrosession.save_config() | Out-Null
  218. Write-Host "Netscaler configuration saved" -f Green
  219. } catch {
  220. Write-Host "Unable to save Netscaler configuration - ending script!" -f Red
  221. end-script
  222. }
  223. }
  224. $nitrosession.logout() | Out-Null