Citrix is excited to announce the release of TLS 1.3 hardware acceleration support for select Citrix ADC MPX and SDX platforms. With this hardware acceleration enhancement, customers can now offload their large TLS 1.3 workloads to our high-performance acceleration hardware.

The internet today is underpinned by protocols such as TLS that make it possible to communicate quickly and securely. The TLS 1.3 protocol is a complete redesign of TLS with increased security and speed, and we recommend that customers move to this protocol.

Citrix was one of the first ADC vendors to include support for TLS 1.3 in its software and firmware in 2018. Since then, we have seen a sharp increase in the adoption of this protocol by our customers across all platform types.

Benefits of the TLS 1.3 Protocol

TLS 1.3 has many benefits over TLS 1.2, including security enhancements. TLS 1.3 enables perfect forward secrecy by default, which means that even if your private key is compromised, previously recorded traffic cannot be decrypted. TLS 1.3 also prunes legacy ciphers that are not considered secure and allows for easier and more secure configurations. It prevents known exploits like DROWN, POODLE, SLOTH, and more, which makes for a more secure and robust protocol.

Another important improvement over TLS 1.2 is reduced latency. TLS 1.3 requires only one round trip to set up a connection, removing an entire round trip from the handshake process. This potentially saves hundreds of milliseconds when a session is created, leading to a much faster experience.

Additionally, for sessions resumed from a previous connection between the client and server, TLS 1.3 enables faster connection times with 0-RTT: the protocol allows the first application request to be sent before the TLS handshake is complete. Enabling the 0-RTT resumption feature can, however, leave application servers vulnerable to replay attacks, because a recorded early-data request can be submitted again. To address this, Citrix has built global replay detection across all Citrix ADC appliances, the strongest mechanism of replay protection available.
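As an added illustration, not Citrix ADC code (whose replay detection is not detailed here), the following Python shows the two server-side defenses RFC 8446 specifies for 0-RTT early data: a single-use record of each 0-RTT ClientHello's PSK binder (section 8.2) and a ticket-age freshness check (section 8.3). The class name, the freshness window and the sample values are assumptions for the example.

```python
"""Server-side 0-RTT anti-replay in the style of RFC 8446 sections 8.2/8.3.

Constructed example, not a product implementation. A server that accepts
early data records a unique value from each 0-RTT ClientHello (here the PSK
binder) for the ticket's lifetime and rejects any repeat, and it also rejects
early data whose client-reported ticket age does not match its own clock.
"""
import hashlib
import time

TICKET_LIFETIME = 604800      # max ticket_lifetime allowed by RFC 8446 (7 days)
FRESHNESS_WINDOW = 10.0       # tolerated clock/transit skew in seconds (assumed)


class EarlyDataGate:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so the check is testable
        self.seen = {}        # ClientHello fingerprint -> expiry (epoch seconds)

    def _purge(self):
        t = self.now()
        self.seen = {k: exp for k, exp in self.seen.items() if exp > t}

    def accept_early_data(self, psk_identity, binder, ticket_issued_at,
                          obfuscated_ticket_age, ticket_age_add):
        """Return True only if early data from this ClientHello may be used.

        On False the server still completes a normal 1-RTT handshake; it just
        discards the early data instead of applying it.
        """
        self._purge()
        # Section 8.3: undo the obfuscation and compare the client's claimed
        # ticket age (milliseconds) with the age the server itself observes.
        client_age = ((obfuscated_ticket_age - ticket_age_add) % (1 << 32)) / 1000.0
        server_age = self.now() - ticket_issued_at
        if server_age > TICKET_LIFETIME or abs(server_age - client_age) > FRESHNESS_WINDOW:
            return False  # expired ticket or time-shifted ClientHello
        # Section 8.2: remember a unique value of this ClientHello; a duplicate
        # within the ticket lifetime is a replayed early-data request.
        key = hashlib.sha256(psk_identity + binder).hexdigest()
        if key in self.seen:
            return False
        self.seen[key] = ticket_issued_at + TICKET_LIFETIME
        return True
```

A deployment that spans several appliances must share the `seen` set (or derive it from a common store) for the duplicate check to hold globally, which is why per-node caches alone do not close the replay window.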

TLS 1.3 with Citrix ADC Hardware Acceleration

All TLS encryption schemes require CPU processing time, which adds latency to requests and responses on the network. This increase in CPU usage (and latency) can significantly affect application performance. Our Citrix ADC hardware platforms allow the majority of TLS 1.3 handshake operations to be offloaded to the SSL acceleration chip, saving CPU cycles for other tasks and features.

During the extensive design and optimization of our TLS 1.3 hardware acceleration support, our performance testing showed an equivalent number of SSL handshakes per second and equivalent SSL throughput when compared to TLS 1.2. For further details on the performance numbers, please contact your Citrix sales representative.

The supported Citrix ADC MPX/SDX platforms for hardware acceleration are:

  • 5900
  • 8900
  • 15000
  • 15000-50G
  • 26000
  • 26000-50S
  • 26000-100G

To learn more, check out the release notes for TLS 1.3 support on Citrix ADC 13.0-71.x.