Jump to content
Welcome to our new Citrix community!
  • 0

unable to connect - error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error


Pablo Rubinstein

Question

I'm trying to setup Citrix Receiver to connect to a remote server that I don't control. Say it is called citrix.some.org (not the real name, btw). I downloaded the Windows version of Citrix Receiver and I can connect to it without any issues. I'm trying to do the same by using the linux version and I'm unable to.

So far I've been able to turn on the logging and pinpoint the error to this section:

 

Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   CDSAuthHttpTransaction::SendAndReceive()
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   {
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   CTokenCaches::GetLikelySecondaryTokenByServiceUrl url= 'https://citrix.some.org/discovery'
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   {
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   .   CUrlToProtScopeMap::GetLikelyProtScopeByServiceUrl url='https://citrix.some.org/discovery'
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   .   {
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   .   .   CUrlToProtScopeMap::FindBestEntryForUrl url='https://citrix.some.org/discovery'
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   .   .   {
Tue 25 Dec 2018 19:12:47       T:B54F5700        .   .   .   .   .   .   .   No entry found
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   .   .   .   .   .   }
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   .   .   .   .   }
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   .   .   .   }
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   CClientCertificateAuthenticatingTransaction::SendAndReceive
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   {
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   .   CAMSSLContextTracker::GetContextFor 'https://citrix.some.org/discovery'
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   .   {
Tue 25 Dec 2018 19:12:47       T:B54F5700        .   .   .   .   .   .   Context not found
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   .   .   .   .   }
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   .   CHttpTransactionBase::SendAndReceive
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   .   {
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   .   .   virtual void AM::Networking::CLinuxHttpTransaction::CheckedSendAndReceive()
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   .   .   .   {
Tue 25 Dec 2018 19:12:47       T:B54F5700        .   .   .   .   .   .   .   m_easyResult: 35; error string from curl: 'error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error'
Tue 25 Dec 2018 19:12:47       T:B54F5700        .   .   .   .   .   .   .   CheckedSendAndReceive client cert none
Tue 25 Dec 2018 19:12:47 <<<<< T:B54F5700        .   .   .   .   .   .   .   Throwable created: CHttpException: CheckedSendAndReceive(); server URL: 'https://citrix.some.org/discovery'
Tue 25 Dec 2018 19:12:47 <<<<< T:B54F5700        .   .   .   .   .   .   .   Throwable created: CLinuxHttpException: CheckedSendAndReceive(); m_Reason=1 m_Curlcode=35; url: 'https://citrix.some.org/discovery'
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   .   .   .   .   .   }
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   .   .   .   .   }
Tue 25 Dec 2018 19:12:47       T:B54F5700        .   .   .   .   .   CHttpExceptionContextTransaction::SendAndReceive marking HTTP error for direct client reporting
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   .   .   .   }
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   .   .   }
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   ConvertExceptionToAmResultOrRethrow
Tue 25 Dec 2018 19:12:47     > T:B54F5700        .   .   .   {
Tue 25 Dec 2018 19:12:47       T:B54F5700        .   .   .   .   Converting HTTP exception from client request
Tue 25 Dec 2018 19:12:47 *ERR* T:B54F5700        .   .   .   .   Caught CHttpException with reason 'HttpFailureReason_O
ther'
Tue 25 Dec 2018 19:12:47       T:B54F5700        .   .   .   .   Returning AM_ERROR_HTTP_REQUEST_FAILED
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   .   .   }
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   .   }
Tue 25 Dec 2018 19:12:47     < T:B54F5700        .   }
Tue 25 Dec 2018 19:12:47     < T:B54F5700        }

 

I've been trying to get more information on the SSL error, but I've failed to get anything meaningful.

My setup:

  •  Ubuntu 16.10
  • openssl version 1.0.2g
  • Citrix Workspace app  1810 for Linux

 

Other combinations I tried so far:

  • Ubuntu 17.04 + openssl 1.02g + Workspace app 1810
  • Ubuntu 16.10 + openssl 1.1.j + Workspace app 1810
  • Ubuntu 16.10 + openssl 1.1.j + Citrix Receiver 13.5
  • Ubuntu 16.10 + openssl 1.1.j + Citrix Receiver 13.10
  • I tried setting SSLCiphers=ALL in module.ini and All_regions.ini

 

In all of the above combinations I get the same error. Any suggestions on how to overcome/fix this issue?

Thanks in advance

EDIT: after I posted the original question I performed 2 tests:

  1. I tried to open the URL that is triggering the error (https://citrix.some.org/discovery) using firefox and I got redirected to another page in the same server (https://citrix.some.org/vpn/index.html). No errors were reported
  2. I tried the same URL using CURL, and again, I get a redirection, but no errors. Maybe the Workspace app is not handling redirects? Do I need to allow redirects in some config file?

    ubuntu@ubuntu-VirtualBox:~$ curl -v https://citrix.some.org/discovery
    *   Trying 80.94.146.71...
    * Connected to citrix.some.org (xx.xx.xx.xx) port 443 (#0)
    * found 173 certificates in /etc/ssl/certs/ca-certificates.crt
    * found 697 certificates in /etc/ssl/certs
    * ALPN, offering http/1.1
    * SSL connection using TLS1.0 / RSA_AES_256_CBC_SHA1
    *      server certificate verification OK
    *      server certificate status verification SKIPPED
    *      common name: citrix.some.org (matched)
    *      server certificate expiration date OK
    *      server certificate activation date OK
    *      certificate public key: RSA
    *      certificate version: #3
    *      subject: xxxxxxxxxxxxxxxxxxxxxxxxxx (anonimized)
    *      start date: Wed, 06 Sep 2017 00:00:00 GMT
    *      expire date: Thu, 05 Dec 2019 12:00:00 GMT
    *      issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
    *      compression: NULL
    * ALPN, server did not agree to a protocol
    > GET /discovery HTTP/1.1
    > Host: citrix.some.org
    > User-Agent: curl/7.50.1
    > Accept: */*
    >
    < HTTP/1.1 302 Object Moved
    < Location: /vpn/index.html
    < Connection: close
    < Content-Length: 534
    < Cache-control: no-cache, no-store
    < Pragma: no-cache
    < Content-Type: text/html
    <
    * Closing connection 0
    <html><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"><script type="text/javascript" src="/vpn/resources.js"></script><script type="text/javascript" language="javascript">var Resources = new ResourceManager("/vpn/resources/{lang}", "REDIRECTION_BODY");</script></head><body><span id="This object may be found "></span><a href="/vpn/index.html"><span id="here"></span></a><span id="Trailing phrase after here"></span><script type="text/javascript" language="javascript">Resources.Load();</script></body></html>

Edited by prubinst
Added more info to the original question
Link to comment

1 answer to this question

Recommended Posts

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...