Jump to content
Welcome to our new Citrix community!
  • 0

Workspace App 1904.1/19.4.1.31 - SSL Error 47 when Connecting to Secure Gateway


Joe Robinson

Question

We are about two months out from finally getting away from Secure Gateway/Web Interface and moving to Citrix Gateway/Storefront.   

 

Last week a vulnerability report was released for all versions of the Receiver/Workspace app.  1904.1 was released as a recommended upgrade to mitigate this vulnerability.  As my users began installing this version, we found that it was preventing our users from accessing our environment through secure gateway.  Users can log into the client and enumerate applications, but when they try to launch an application it fails.  Everything appears normal -- The client logon box opens up and the progress bar starts to spin.  After a few seconds, an error pops up:

 

Unable to Connect to the server.  Contact your System Administrator with the following error: SSL Error 47: The server sent an SSL alert: sslv3 alert handshake failure (alert number unavailable)

 

It's my understanding that SSL3 was removed from Receiver years ago, so I'm not sure that I'm hunting down a valid error.  However, I did verify that our secure gateway servers were fully patched, with SSL3 disabled at the OS level as well as SSL3 disabled in Secure Gateway.  I verified that the error was happening when the users connected directly to the secure gateway box.  The user never appears to complete a connection through secure gateway (no entry in the console for their session).

 

I'm not really sure where else to look on this issue.  I've done SSL3 scans from third parties, and they all report the same -- no ssl3 enabled.  However, it appears workspace wants to try to connect via SSL3 and it can't -- or something is generating a bogus error.  

 

Everything worked fine with the previous clients.  It was only 1904.1 that causes this issue.  Rolling back a version works fine.  I don't see anything in the notes that would suggest this problem would occur.

 

If anyone has any suggestions, I'd be very grateful!

 

Thank you so much.

-joe

 

 

Link to comment

10 answers to this question

Recommended Posts

  • 0

I'm just doing an SSL bridge on the netscaler -- I don't think SSL Ciphers would come into play since it's not offloading, would it?

 

I agree, though -- I think it's a cipher on the Secure Gateway box.  They're all enabled (not that you have many options!), so that would just leave me to believe that Workspace App  1904 is the first one that will not work with Secure Gateway.  Seems like a worthy line item to note in the patch notes!  <hint><hint>

 

 

Link to comment
  • 0

We have also seen this behavior from users coming into the environment externally through our Netscalers where the users are running Receiver 4.5 and later.  In most cases, updating them to 1904.1 immediately resolved the issue.  I've subsequently found that just doing a Reset Receiver from Advanced Preferences will allow them to connect with the old Receiver versions.   A different group manages our Netscalers, and I don't know if something was changed with Ciphers on the NS side of things that precipitated this, or if it was an update that this particular ERP vendor had pushed to their users.  Every incident we saw with this problem was from users who are employees of a single vendor.  No complaints from anyone else and we have a lot of external contractors/vendors coming into the environment.

 

When updating to 1904.1, some users had to click the Activate button after logging into Storefront in order to apply the CR file before they could launch applications, even when they were using the Storefront site instead of Workspace.

Link to comment
  • 0

Exact same ssl 47 issue here. I followed same path as joe. Citrix definitely changed something in later workspace clients. We’re still using secure gateway for windows, at latest version that goes v 3.3.5. We are rolling clients back to receiver 4.9 LTSR as a fix, which is still patched for vulnerabilities and that version works ok. We have a new netscaler secure gateway in test and don’t see the error there. Will be cutting over to that soon but any help or a fix on the original ssl 47 error will be much appreciated. 

Link to comment
  • 0

thanks for responses.  it seems 1904 and later windows desktop version is not supporting tls 1.0. The mobile workspace client for iphones has a configurable option to enable tls1.0 support and it is able to connect through older sg for windows which uses tls 1.0. when changing the mobile client to tls 1.1 and 1.2 only, i receive the ssl error. the windows desktop version of workspace does not have the option to change the tls versions. 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...