<#
Written by David Ott
I wrote this script to easily set cipher settings for netscaler ssl vservers in order to get an "A" rating from ssllabs
This has been tested against netscaler 11.0 62.10 - I am not sure if it will work with any other version, so be careful.
You will need the Nitro API SDK for C# - available to download from your netscaler
Search for ##### for important edits you will need to make for your environment, and/or information.
The script logs in as nsroot, changes SSL settings on the vservers you select and removes any SSL profile bound
to them, so try it against a test appliance first and review the result before saving the configuration.
#>
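function end-script {
    <#
    Aborts the script after a failed step.
    Logs out the NITRO session if one has been opened so an authenticated
    nsroot session is not left alive on the appliance until it times out,
    then exits with a non-zero code so a caller (scheduler, wrapper script)
    can tell the run did not complete. Every call site is below the login,
    but the null guard keeps it safe if that ever changes.
    #>
    if ($null -ne $nitrosession) {
        try { $nitrosession.logout() | Out-Null } catch { }
    }
    exit 1
}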
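function get-cgn {
    <#
    Prompts for the name of a new Cipher Group and returns it.
    Re-prompts on blank input: an empty name would only fail later, at the
    sslcipher add call, with a much less obvious error.
    #>
    do {
        $name = Read-Host "Enter new Cipher group name"
    } while ([string]::IsNullOrWhiteSpace($name))
    $name
}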
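$nsip = "1.1.1.1" ##### netscaler ip
$user = "nsroot"
<##### Do not hard-code the nsroot password: a script like this gets shared, pasted and checked in,
and anything written here ends up in source control, transcripts and clipboard history. Prompt for
it instead; it is only unwrapped to plaintext because nitro_service.login() takes a plain string. #####>
$cred = Get-Credential -Message "NetScaler credentials for $nsip" -UserName $user
if ($null -eq $cred) { Write-Host "No credentials supplied - ending script" -f Red ; exit 1 }
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password
<##### Edit $path1 and $path2 below if it doesn't match your environment #####>
$path1 = "C:\ns_nitro-csharp_ion_62_10\lib\Newtonsoft.Json.dll"
$path2 = "C:\ns_nitro-csharp_ion_62_10\lib\nitro.dll"
<##### Script will end if it cannot find one or both of the dll files. LoadFile executes whatever sits at
these paths with your privileges, so keep them pointing at the SDK copy you downloaded from the appliance,
not at a location other users can write to. #####>
if (!(test-path $path1) -or !(test-path $path2)) {write-host "Unable to find one of the needed .dll files" -f red ; exit 1}
[System.Reflection.Assembly]::LoadFile($path1) | Out-Null
[System.Reflection.Assembly]::LoadFile($path2) | Out-Null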
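<##### Connecting to your Netscaler #####>
<##### Use https: with "http" the nsroot user name and password passed to login() cross the network in
clear text, as does every NITRO call after it. If the appliance still uses its self-signed management
certificate the SDK may refuse the connection - install a trusted certificate on the NSIP, or check the
NITRO SDK documentation for its certificate-validation settings, before considering a fallback to http. #####>
$nsproto = "https"
$nitrosession = new-object com.citrix.netscaler.nitro.service.nitro_service($nsip,$nsproto)
<##### login() is expected to throw on a failed login; without this check the script would carry on and
every later NITRO call would fail with a confusing error #####>
try {
    $session = $nitrosession.login($user,$pass)
} catch {
    Write-Host "Unable to log in to $nsip as $user - ending script! $($_.Exception.Message)" -f Red
    end-script
}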
<##### Ask whether to create a new Cipher Group. "Yes" (the default) creates one; "No" later opens a grid
of the Cipher Groups already on the Netscaler to pick from. $yn is "0" for yes and "1" for no. #####>
$choices = [System.Management.Automation.Host.ChoiceDescription[]]@(
    (New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Creates a Cipher Group."),
    (New-Object System.Management.Automation.Host.ChoiceDescription "&No", "Uses an existing Cipher Group.")
)
$answer = $host.ui.PromptForChoice("Add Cipher Group", "Do you want to create a Cipher Group?", $choices, 0)
$yn = if ($answer -eq 0) { "0" } else { "1" }
if ($yn -eq "0") {
    <##### Creating a new Cipher Group: ask for a name and keep asking while it collides with a group that
    already exists on the Netscaler #####>
    $cgn = get-cgn
    $existingGroups = ([com.citrix.netscaler.nitro.resource.config.ssl.sslcipher]::get($nitrosession)).ciphergroupname
    while ($existingGroups -contains $cgn) {
        write-host "Cipher group $cgn already exists!" -f Red
        $cgn = get-cgn
    }
    $newGroup = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslcipher
    $newGroup.ciphergroupname = $cgn
    <##### Create the group on the appliance; nothing below makes sense without it, so end on failure #####>
    try {
        [com.citrix.netscaler.nitro.resource.config.ssl.sslcipher]::add($nitrosession,$newGroup) | Out-Null
        Write-Host "Cipher Group - $cgn created" -f Green
    } catch {
        Write-Host "Unable to create Cipher Group $cgn - ending script!" -f Red
        end-script
    }
    <##### Pick the suite list by platform: a VPX (hardware description contains "virtual") gets a shorter
    list without the GCM / SHA384 suites. Both lists are bound in the order written, ECDHE first. The
    trailing 3DES entry (and, on the VPX list, the non-forward-secret AES-CBC entries) are old-client
    fallbacks: 3DES is widely treated as weak and may hold the ssllabs rating down - drop it if nothing
    you serve still needs it. #####>
    $hwdescription = ([com.citrix.netscaler.nitro.resource.config.ns.nshardware]::get($nitrosession)).hwdescription
    $isVirtual = $hwdescription -like "*virtual*"
    if ($isVirtual) {
        ##### Virtual
        $suites = @(
            "TLS1.2-ECDHE-RSA-AES-128-SHA256",
            "TLS1-ECDHE-RSA-AES256-SHA",
            "TLS1-ECDHE-RSA-AES128-SHA",
            "TLS1-DHE-RSA-AES-256-CBC-SHA",
            "TLS1-DHE-RSA-AES-128-CBC-SHA",
            "TLS1-AES-256-CBC-SHA",
            "TLS1-AES-128-CBC-SHA",
            "SSL3-DES-CBC3-SHA"
        )
    } else {
        ##### Physical
        $suites = @(
            "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
            "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
            "TLS1.2-ECDHE-RSA-AES-256-SHA384",
            "TLS1.2-ECDHE-RSA-AES-128-SHA256",
            "TLS1-ECDHE-RSA-AES256-SHA",
            "TLS1-ECDHE-RSA-AES128-SHA",
            "TLS1.2-DHE-RSA-AES256-GCM-SHA384",
            "TLS1.2-DHE-RSA-AES128-GCM-SHA256",
            "TLS1-DHE-RSA-AES-256-CBC-SHA",
            "TLS1-DHE-RSA-AES-128-CBC-SHA",
            "SSL3-DES-CBC3-SHA"
        )
    }
    $binding = new-object com.citrix.netscaler.nitro.resource.config.ssl.sslcipher_sslciphersuite_binding
    $binding.ciphergroupname = $cgn
    <##### Bind every suite to the new group, in list order; the script ends on the first failure #####>
    foreach ($suiteName in $suites) {
        $binding.ciphername = $suiteName
        try {
            [com.citrix.netscaler.nitro.resource.config.ssl.sslcipher_sslciphersuite_binding]::add($nitrosession,$binding) | Out-Null
            Write-Host "$suiteName added to $cgn" -f Green
        } catch {
            Write-Host "Unable to add $suiteName to $cgn - ending script!" -f Red
            end-script
        }
    }
    Write-Host "`r`n"
} else {
    <##### Reusing a group: let the user pick one of the existing Cipher Groups from a grid #####>
    $cgn = ([com.citrix.netscaler.nitro.resource.config.ssl.sslcipher]::get($nitrosession)).ciphergroupname | Out-GridView -Title "Select Cipher Group" -OutputMode Single
}
##### Nothing to do without a group (for example the grid was cancelled) - stop here
if ($cgn -eq $null) {break}
<##### Grid of every ssl vserver on the Netscaler; select one or more and hit OK. Cancelling selects
none, and the per-vserver loop below then does nothing. #####>
$sslvservers = ([com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::get($nitrosession)).vservername | Out-GridView -PassThru -Title "Select SSL vServers to assign the Cipher Group to"
##### Binding objects reused for every selected vserver; only vservername changes per iteration
$ecc = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_ecccurve_binding
$ciphergroup = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcipher_binding -Property @{ ciphername = $cgn }
<##### Protocol settings applied to each vserver: SSLv3 off, TLS 1.0 / 1.1 / 1.2 on.
Leave tls1 enabled - found issues with certain browsers. TLS 1.0 is deprecated, though, so revisit this
once your client base allows; it may count against the rating. #####>
$sslv3 = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver -Property @{
    ssl3  = "DISABLED"
    tls1  = "ENABLED"
    tls11 = "ENABLED"
    tls12 = "ENABLED"
}
<##### Per-vserver loop. For each selected vserver:
 0. Unbinds an SSL profile if one is bound - presumably because a bound profile takes precedence over the
    per-vserver settings applied below (confirm for your release). Note this discards whatever else that
    profile configured, not just ciphers.
 1. Binds all ECC curves
 2. Applies the protocol settings (SSLv3 off, TLS 1.0-1.2 on)
 3. Binds the Cipher Group
 4. Deletes any individually bound cipher suites that remain (changing groups leaves remnant suite
    bindings behind) and binds the Cipher Group once more
 The script ends on the first failure. #####>
$ecc.ecccurvename = "ALL"
foreach ($vs in $sslvservers) {
    $current = [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::get($nitrosession,$vs)
    if ($current.sslprofile -ne $null) {
        try {
            [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::unset($nitrosession,$vs,"sslprofile") | Out-Null
            Write-Host "SSL Profile on $vs removed" -f Green
        } catch {
            Write-Host "SSL Profile detected on $vs, but unable to remove - end script!" -f Red
            end-script
        }
    }
    $ecc.vservername = $vs
    $sslv3.vservername = $vs
    $ciphergroup.vservername = $vs
    try {
        [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_ecccurve_binding]::add($nitrosession,$ecc) | Out-Null
        Write-Host "All ECC Curves assigned to $vs" -f Green
    } catch {
        Write-Host "Failed to assign all ECC Curves to $vs - ending script!" -f Red
        end-script
    }
    try {
        [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::update($nitrosession,$sslv3) | Out-Null
        Write-Host "SSLv3 Disabled on $vs" -f Green
    } catch {
        Write-Host "Unable to Disable SSLv3 on $vs" -f Red
        end-script
    }
    try {
        [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcipher_binding]::add($nitrosession,$ciphergroup) | Out-Null
        Write-Host "$cgn bound to $vs" -f Green
    } catch {
        Write-Host "Unable to bind $cgn to $vs - ending script!" -f Red
        end-script
    }
    Write-Host "Removing any individually assigned cipher suites, and re-binding $cgn to $vs" -f Gray
    $leftover = ([com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslciphersuite_binding]::get($nitrosession,$vs)).ciphername
    $unbind = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslciphersuite_binding
    $unbind.vservername = $vs
    foreach ($suiteName in $leftover) {
        $unbind.ciphername = $suiteName
        try {
            [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslciphersuite_binding]::delete($nitrosession,$unbind) | Out-Null
            Write-Host "$suiteName removed from $vs" -f Green
        } catch {
            Write-Host "Unable to remove $suiteName from $vs - ending script!" -f Red
            end-script
        }
    }
    try {
        [com.citrix.netscaler.nitro.resource.config.ssl.sslvserver_sslcipher_binding]::add($nitrosession,$ciphergroup) | Out-Null
        Write-Host "$cgn bound to $vs" -f Green
    } catch {
        Write-Host "Unable to bind $cgn to $vs - ending script!" -f Red
        end-script
    }
    Write-Host "`r`n"
}
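<##### Asks if you would like to save the configuration. Until saved, everything above lives only in the
running config and is lost on reboot. The help text on the two choices describes this prompt (it used to
be copied from the Cipher Group prompt). #####>
$title = "Save NS Config"
$message = "Do you wish to save the Netscaler configuration?"
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
    "Saves the running configuration on the Netscaler."
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
    "Leaves the changes unsaved (running configuration only)."
$options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
$result = $host.ui.PromptForChoice($title, $message, $options, 0)
if ($result -eq 0) {
    Write-Host "Saving Netscaler configuration" -f Gray
    try {
        $nitrosession.save_config() | Out-Null
        Write-Host "Netscaler configuration saved" -f Green
    } catch {
        Write-Host "Unable to save Netscaler configuration - ending script!" -f Red
        end-script
    }
}
##### Always close the NITRO session so the nsroot login does not linger on the appliance until it times out
$nitrosession.logout() | Out-Null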