Vi allego i comandi per creare un elenco di cipher suite compatibili con PCI DSS 3.2 su NetScaler 11.1 e 12.0:
# Custom cipher group holding TLS 1.2 suites only.
# A lower -cipherPriority number is preferred first, so priority 1 is offered before priority 10.
add ssl cipher PCIDSS32

# Priorities 10-7: static RSA key exchange (no forward secrecy), kept as the last fallback.
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES-128-SHA256 -cipherPriority 10
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 9
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES128-GCM-SHA256 -cipherPriority 8
bind ssl cipher PCIDSS32 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 7

# Priorities 6-4: ECDHE key exchange with CBC-mode AES.
# The ECDHE-ECDSA suites can only be negotiated when an ECDSA certificate is bound.
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256 -cipherPriority 6
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 5
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 4

# Priorities 3-1: ECDHE key exchange with AES-GCM (forward secrecy plus AEAD), preferred first.
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 3
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 2
bind ssl cipher PCIDSS32 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 1
Ricordatevi di disabilitare SSLv3 e TLS 1.0 nel profilo SSL:
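# Front-end SSL profile that uses the PCIDSS32 cipher group.
# SSLv3 and TLS 1.0 are both switched off explicitly, so the result does not depend on
# the profile defaults of the running build.
# NOTE(review): TLS 1.1 is left at its default. Every suite in PCIDSS32 is a TLS 1.2 suite,
# so adding -tls11 DISABLED would make the TLS 1.2-only intent explicit; confirm client
# compatibility before doing so.
add ssl profile ns_pcidss32_ssl_profile_frontend -sessReuse DISABLED -ssl3 DISABLED -tls1 DISABLED

# Refuse renegotiation with peers that do not support secure renegotiation (RFC 5746).
set ssl profile ns_pcidss32_ssl_profile_frontend -denySSLReneg NONSECURE

# Bind the custom group before removing DEFAULT, so the profile is never left without ciphers.
bind ssl profile ns_pcidss32_ssl_profile_frontend -cipherName PCIDSS32 -cipherPriority 1
unbind ssl profile ns_pcidss32_ssl_profile_frontend -cipherName DEFAULT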