[FEATURE REQUEST] - order of "ecccurvebindings" #1058

Open
adc-nerd opened this issue Jul 3, 2023 · 6 comments

@adc-nerd

adc-nerd commented Jul 3, 2023

Feature Request

Is your feature request related to a problem? Please describe.
ECC curve binding order should be honored.
There is a difference between:
```hcl
resource "citrixadc_sslprofile" "my_sslprofile" {
  ecccurvebindings = ["P_256", "P_384", "P_521"]
  ...
}
```
and
```hcl
resource "citrixadc_sslprofile" "my_sslprofile" {
  ecccurvebindings = ["P_521", "P_384", "P_256"]
  ...
}
```

Describe the solution you'd like
ECC curve binding order should be observed.
The provider needs to unbind/bind ECC curves to accomplish binding order.

Additional context
ECC curve order is security and performance related.

@rohit-myali
Contributor

Hey @adc-nerd
I just wanted to confirm this: I had a conversation with the internal team here, but I found that the order doesn't make any difference in the ecccurve binding to the sslprofile.
Please check this again and update me on this.

@adc-nerd
Author

The curve binding order is security and performance related. It's like cipher order.

https://support.citrix.com/article/CTX205289/
"To change the order, you must first unbind all the curves, and then bind them in the desired order."
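
An added example, not part of the thread and not code from the provider: an order-aware comparison of curve bindings in Go that follows the CTX205289 sentence quoted above, unbinding every curve and rebinding in the desired order whenever the order differs. The `Op` type and the function names `sameSet` and `PlanRebind` are hypothetical.

```go
package main

import "fmt"

// Op is one binding step (hypothetical type, not the provider's).
type Op struct{ Action, Curve string }

func (o Op) String() string { return fmt.Sprintf("%s %s", o.Action, o.Curve) }

// sameSet ignores order: it only checks that both lists hold the same curves.
func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	count := map[string]int{}
	for _, c := range a {
		count[c]++
	}
	for _, c := range b {
		if count[c]--; count[c] < 0 {
			return false
		}
	}
	return true
}

// PlanRebind returns nil if the order matches, else unbind-all then bind-in-order.
func PlanRebind(current, desired []string) []Op {
	same := len(current) == len(desired)
	for i := 0; same && i < len(current); i++ {
		same = current[i] == desired[i]
	}
	if same {
		return nil
	}
	var ops []Op
	for _, c := range current {
		ops = append(ops, Op{"unbind", c})
	}
	for _, c := range desired {
		ops = append(ops, Op{"bind", c})
	}
	return ops
}

func main() {
	current := []string{"P_256", "P_384", "P_521"} // the two orders from the issue
	desired := []string{"P_521", "P_384", "P_256"}
	fmt.Println("order-blind comparison reports no change:", sameSet(current, desired))
	fmt.Println(PlanRebind(current, desired))
}
```

An order-blind comparison treats the two lists from the issue as identical, while the order-aware plan produces three unbinds followed by three binds.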

@rohit-myali
Contributor

Hello @adc-nerd
Thanks for confirming this.

We recommend that you use the sslservice_ecccurve_binding resource to bind ecccurve to sslservice, as we no longer support the binding within the internal individual resource.

@adc-nerd
Author

Thanks for the info but we use "citrixadc_sslparameter" with "defaultprofile" enabled.

Is it already fixed for "citrixadc_sslprofile"? Because documentation states "The default ecccurvebindings will be DELETED and only the explicitly given ecccurvebindings will be retained".

https://registry.terraform.io/providers/citrix/citrixadc/latest/docs/resources/sslprofile

Is "X_25519" also supported?

@rohit-myali
Contributor

Hello @adc-nerd

So, in the documentation of citrixadc_sslprofile it was previously designed. But as of now, we recommend that you use the sslservice_ecccurve_binding resource to bind ecccurve to sslservice, as we no longer support the binding within the internal individual resource.

I did check with the internal team regarding the support for X_25519 and it is supported for the NetScaler ADC version 14.1 25.x and above.

@adc-nerd
Author

adc-nerd commented Jul 9, 2024

This is a request for ecc binding order in ssl-profiles. It's no longer recommended to use ssl settings per service.
