We migrated a bunch of our sites (changed static IP addresses) from an NGINX proxy to a Citrix NetScaler VPX instance. We tested our sites using every browser available, and they all appeared to be working properly. I changed my hosts file and navigated to each site to check if any browser would throw an exemption, and they didn't. However, after the migration we tested the SSL certs with Wormly's tool (see links below) and the sites failed in two different categories:
1) Trust
2) Renegotiation
After seeing this, we quickly migrated our sites back to our NGINX proxy for fear of a MIM exploit.
If anyone can give me some ideas as to what to check for or some steps that I can take to resolve this, I would appreciate it.
PS, please do not ask what the site names are, not only are they no longer on our netscaler, but posting compromising info about an eCommerce site seems like a really bad idea.
Best Answer
First, make sure you have your SSL certs linked correctly in the Netscaler config. You have to add the cert, add the intermediate cert, and then link the two together.
http://support.citrix.com/article/CTX128539
Second, for the renegotiation piece, it is configurable, see here:
http://support.citrix.com/article/CTX123680
Citrix have published articles on the various SSL tests and how they apply to them also. The short version is that thousands of sites are using SSL successfully on Netscaler, configured correctly it works and will pass the various tests :)