SHARE
TWEET

Instant "A"

david62277 Aug 31st, 2015 (edited) 189 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <#
  2. Written by David Ott
  3. I wrote this script to easily set cipher settings for netscaler ssl vservers in order to get an "A" rating from ssllabs
  4. This has been tested against netscaler 11.0 62.10 - I am not sure if it will work with any other version, so be careful.
  5. You will need the Nitro API SDK for C# - available to download from your netscaler
  6. search for ##### for important edits you will need to make for your environment, and/or information
  7. #>
  8.  
  9. function end-script {
  10. exit
  11. }
  12. function get-cgn {
  13. Read-Host "Enter new Cipher group name"
  14. }
  15. $nsip = "1.1.1.1" ##### netscaler ip
  16. $user = "nsroot"
  17. $pass = "nsroot" ##### nsroot password
  18.  
  19. <##### Edit $path1 and $path2 below if it doesn't match your environment #####>
  20. $path1 = "C:\ns_nitro-csharp_ion_62_10\lib\Newtonsoft.Json.dll"
  21. $path2 = "C:\ns_nitro-csharp_ion_62_10\lib\nitro.dll"
  22.  
  23. <##### Script will end if it cannot find one or both of the dll files #####>
  24. if (!(test-path $path1) -or !(test-path $path2)) {write-host "Unable to find one of the needed .dll files" -f red ; break}
  25. $O = [System.Reflection.Assembly]::LoadFile($path1)
  26. $O = [System.Reflection.Assembly]::LoadFile($path2)
  27.  
  28. <##### Connecting to your Netscaler #####>
  29. $nitrosession = new-object com.citrix.netscaler.nitro.service.nitro_service($nsip,"http")
  30. $session = $nitrosession.login($user,$pass)
  31.  
  32. <##### This bit asks if you want to create a Cipher Group - if not it will pop up a grid of all existing Cipher groups
  33. on your Netscaler to choose from.  #####>
  34. $title = "Add Cipher Group"
  35. $message = "Do you want to create a Cipher Group?"
  36. $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
  37.     "Creates a Cipher Group."
  38. $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
  39.     "Uses an existing Cipher Group."
  40.  
  41. $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
  42.  
  43. $result = $host.ui.PromptForChoice($title, $message, $options, 0)
  44.  
  45. switch ($result)
  46.     {
  47.         0 {$yn = "0"}
  48.         1 {$yn = "1"}
  49.     }
  50.    
  51. if ($yn -eq "0") {
  52. <##### If you hit yes it will prompt you for the name of the new Cipher Group - if it exists it will warn you, and
  53. ask again #####>
  54. $cgn = get-cgn
  55. $ccgs = ([com.citrix.netscaler.nitro.resource.config.ssl.sslcipher]::get($nitrosession)).ciphergroupname
  56. while ($ccgs -contains $cgn) {
  57. write-host "Cipher group $cgn already exists!" -f Red
  58. $cgn = get-cgn
  59. }
  60. $ncg = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslcipher
  61. $ncg.ciphergroupname = $cgn
  62. <##### Tries to create the Cipher Group - if it fails the script will end #####>
  63. try {
  64. [com.citrix.netscaler.nitro.resource.config.ssl.sslcipher]::add($nitrosession,$ncg) | Out-Null
  65. Write-Host "Cipher Group - $cgn created" -f Green
  66. } catch {
  67. Write-Host "Unable to create Cipher Group $cgn - ending script!" -f Red
  68. end-script
  69. }
  70. <##### Determines if your netsclaer is a VPX or not - will use different Ciphers depending #####>
  71. $hwd = ([com.citrix.netscaler.nitro.resource.config.ns.nshardware]::get($nitrosession)).hwdescription
  72.  
  73. ##### Physical
  74. if ($hwd -notlike "*virtual*") {
  75. $suites = @("TLS1.2-ECDHE-RSA-AES256-GCM-SHA384"`
  76. ,"TLS1.2-ECDHE-RSA-AES128-GCM-SHA256"`
  77. ,"TLS1.2-ECDHE-RSA-AES-256-SHA384"`
  78. ,"TLS1.2-ECDHE-RSA-AES-128-SHA256"`
  79. ,"TLS1-ECDHE-RSA-AES256-SHA"`
  80. ,"TLS1-ECDHE-RSA-AES128-SHA"`
  81. ,"TLS1.2-DHE-RSA-AES256-GCM-SHA384"`
  82. ,"TLS1.2-DHE-RSA-AES128-GCM-SHA256"`
  83. ,"TLS1-DHE-RSA-AES-256-CBC-SHA"`
  84. ,"TLS1-DHE-RSA-AES-128-CBC-SHA"`
  85. ,"SSL3-DES-CBC3-SHA")
  86. } else {
  87. ##### Virtual
  88. $suites = @("TLS1.2-ECDHE-RSA-AES-128-SHA256"`
  89. ,"TLS1-ECDHE-RSA-AES256-SHA"`
  90. ,"TLS1-ECDHE-RSA-AES128-SHA"`
  91. ,"TLS1-DHE-RSA-AES-256-CBC-SHA"`
  92. ,"TLS1-DHE-RSA-AES-128-CBC-SHA"`
  93. ,"TLS1-AES-256-CBC-SHA"`
  94. ,"TLS1-AES-128-CBC-SHA"`
  95. ,"SSL3-DES-CBC3-SHA"
  96. )
  97. }
  98. $cipher = new-object com.citrix.netscaler.nitro.resource.config.ssl.sslcipher_sslciphersuite_binding
  99. $cipher.ciphergroupname = $cgn
  100. <##### Tries to add the cipher suites above to the new Cipher Group - ends the script if it fails #####>
  101. foreach ($suite in $suites) {
  102. $cipher.ciphername = $suite
  103. try {
  104. [com.citrix.netscaler.nitro.resource.config.ssl.sslcipher_sslciphersuite_binding]::add($nitrosession,$cipher) | Out-Null
  105. Write-Host "$suite added to $cgn" -f Green
  106. } catch {
  107. Write-Host "Unable to add $suite to $cgn - ending script!" -f Red
  108. end-script
  109. }
  110. }
  111. Write-Host "`r`n"
  112. } else {
  113. <##### If you said no when it asked to create a Cipher Group this will open a grid view for you to select your existing
  114. Cipher Group #####>
  115. $cgn = ([com.citrix.netscaler.nitro.resource.config.ssl.sslcipher]::get($nitrosession)).ciphergroupname | Out-GridView -Title "Select Cipher Group" -OutputMode Single
  116. }
  117.  
  118. ##### Script ends if there is no group created/selected
  119. if ($cgn -eq $null) {break}
  120.  
  121. <##### Gets a list of all ssl vservers available in your netscaler and outputs it to a grid view.  You can select one or many, and hit ok. #####>
  122. $sslvservers = ([com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::get($nitrosession)).vservername | Out-GridView -PassThru -Title "Select SSL vServers to assign the Cipher Group to"
  123. $ecc = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_ecccurve_binding
  124. $ciphergroup = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcipher_binding
  125. $ciphergroup.ciphername = $cgn
  126. $sslv3 = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver
  127. $sslv3.ssl3 = "DISABLED"
  128. $sslv3.tls1 = "ENABLED" ##### Leave this as enabled - found issues with certain browsers
  129. $sslv3.tls11 = "ENABLED"
  130. $sslv3.tls12 = "ENABLED"
  131. <##### For each loop:
  132. 1. Sets ecc curves to all
  133. 2. Assigns the new (or selected) Cipher Group to the vserver
  134. 3. Removes any explicit ssl cipher suites assigned (for some reason when changing cipher groups remnant cipher suites are
  135. left behind)
  136. 4. Re-assigns the Cipher Group
  137. If anything fails the script will end #####>
  138. foreach ($sslvserver in $sslvservers) {
  139. if (([com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::get($nitrosession,$sslvserver)).sslprofile -ne $null) {
  140. try {
  141. [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::unset($nitrosession,$sslvserver,"sslprofile") | Out-Null
  142. Write-Host "SSL Profile on $sslvserver removed" -f Green
  143. } catch {
  144. Write-Host "SSL Profile detected on $sslvserver, but unable to remove - end script!" -f Red
  145. end-script
  146. }
  147. }
  148. $ecc.ecccurvename = "ALL"
  149. $ecc.vservername = $sslvserver
  150. $sslv3.vservername = $sslvserver
  151.  
  152. try {
  153. [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_ecccurve_binding]::add($nitrosession,$ecc) | Out-Null
  154. Write-Host "All ECC Curves assigned to $sslvserver" -f Green
  155. } catch {
  156. Write-Host "Failed to assign all ECC Curves to $sslvserver - ending script!" -f Red
  157. end-script
  158. }
  159. try {
  160. [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::update($nitrosession,$sslv3) | Out-Null
  161. Write-Host "SSLv3 Disabled on $sslvserver" -f Green
  162. } catch {
  163. Write-Host "Unable to Disable SSLv3 on $sslvserver" -f Red
  164. end-script
  165. }
  166. $ciphergroup.vservername = $sslvserver
  167. try {[com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcipher_binding]::add($nitrosession,$ciphergroup) | Out-Null
  168. Write-Host "$cgn bound to $sslvserver" -f Green
  169. } catch {
  170. Write-Host "Unable to bind $cgn to $sslvserver - ending script!" -f Red
  171. end-script
  172. }
  173. Write-Host "Removing any individually assigned cipher suites, and re-binding $cgn to $sslvserver" -f Gray
  174. $fixes = ([com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslciphersuite_binding]::get($nitrosession,$sslvserver)).ciphername
  175. $remove = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslciphersuite_binding
  176. $remove.vservername = $sslvserver
  177. foreach ($fix in $fixes) {
  178. $remove.ciphername = $fix
  179. try {
  180. [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslciphersuite_binding]::delete($nitrosession,$remove) | Out-Null
  181. Write-Host "$fix removed from $sslvserver" -f Green
  182. } catch {
  183. Write-Host "Unable to remove $fix from $sslvserver - ending script!" -f Red
  184. end-script
  185. }
  186. }
  187. try {
  188. [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcipher_binding]::add($nitrosession,$ciphergroup) | Out-Null
  189. Write-Host "$cgn bound to $sslvserver" -f Green
  190. } catch {
  191. Write-Host "Unable to bind $cgn to $sslvserver - ending script!" -f Red
  192. end-script
  193. }
  194. Write-Host "`r`n"
  195. }
  196.  
  197. <##### Asks if you would like to save the configuration #####>
  198. $title = "Save NS Config"
  199. $message = "Do you wish to save the Netscaler configuration?"
  200. $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
  201.     "Creates a Cipher Group."
  202. $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
  203.     "Uses an existing Cipher Group."
  204.  
  205. $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
  206.  
  207. $result = $host.ui.PromptForChoice($title, $message, $options, 0)
  208.  
  209. switch ($result)
  210.     {
  211.         0 {$yn = "0"}
  212.         1 {$yn = "1"}
  213.     }
  214. if ($yn -eq "0") {
  215. Write-Host "Saving Netscaler configuration" -f Gray
  216. try {
  217. $nitrosession.save_config() | Out-Null
  218. Write-Host "Netscaler configuration saved" -f Green
  219. } catch {
  220. Write-Host "Unable to save Netscaler configuration - ending script!" -f Red
  221. end-script
  222. }
  223. }
  224. $nitrosession.logout() | Out-Null
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top