Issue with XenApp 6.5 over Netscaler with Citrix Workspace App


Marc Kuhn


Hi guys

I have an issue which I can't solve. We would like to have a Citrix Gateway configured to have access to an old XenApp 6.5 environment. This is what I see in the syslog:

2020-02-26 09:32:15    Local0.Debug    02/26/2020:09:31:34   0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 14349 0 :  SPCBId 2291 - ClientIP  - ClientPort 35983 - VserverServiceIP  - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "NA" - Reason "No shared cipher"

Our customer has Citrix Workspace and needs to have access to the Citrix environment as soon as possible. When I run SSLLabs against my Netscaler, I have that configured.

Are you able to give me any hint on how I can solve that?

Many thanks and best regards,

Marc

[attached screenshots: 2020-02-26_09-31-42.jpg, 2020-02-26_09-36-52.jpg]


I also checked with our firewall guy whether there are any drops between the Netscaler in the DMZ and the Delivery Controllers/StoreFronts or Citrix servers, but there aren't any. I played a lot with the protocols and ciphers and I think they are now okay.

In the syslog I still see that error:

VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "NA" - Reason "No shared cipher"

From the client itself I receive these messages (see attachment).

Best regards,
Marc

[attached screenshot: 2020-02-26_11-35-52.jpg]


Hi guys

Still trying to get this up and running, but no luck with it. I'm now doing a downgrade to an older 12 version of Netscaler, knowing that this is a security risk, but just checking if the issue is only with newer firmwares.

The bad thing is I don't see anything in the event logs on the StoreFronts or the Citrix server, or in the syslog from the Netscaler, which gives me a hint.

Nobody has any good ideas?

Best regards,

Marc


Hi

Yes, I have tested it: with Workspace 1903 I can connect over Secure Gateway as well as over the Netscaler. It seems that with the removal of the ciphers in the app I lost the compatibility with XenApp 6.5.

I tested a lot on the Netscaler itself, but I'm not able to connect even when "ALL" ciphers are configured. Do I need to change something on the Server 2008 R2 with XenApp 6.5 to be able to connect?


I looked over and over at it; this seems to be exactly my issue. These are the settings I have:

- Enabled Default Profile

[screenshot 1]

- Reconfigured ns_default_ssl_profile_backend (cipher groups RSA & SHA2)

[screenshot 2]

After that I retested it and I don't see any change, even though I think that is the right place with the default_ssl_profile_backend.

Best regards,

Marc


You configured it right, but in article https://support.citrix.com/article/CTX235509 under Objective they specifically name Citrix Receiver 4.12.

In this doc (https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/about.html) they speak about the removal of the specific cipher suite TLS_RSA; they also say the more advanced TLS_ECDHE_RSA is supported.

In your screenshot you only see TLS_ECDHE_ECDSA, which is not on the list in this doc.

The following advanced cipher suites are supported:

- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

DTLS v1.0 supports the following cipher suites:

- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV

DTLS v1.2 supports the following cipher suites:

- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV

With an analysis of our environment with SSLLabs I see the following:

[screenshot of SSLLabs result]

There is a difference between yours and mine.

Maybe you have to order a new certificate, but I don't know if this resolves the issue.


Okay, that sounds interesting. What I don't get is: I changed it in the ns_default_ssl_profile_backend, but the SSLLabs scanner is checking the VIP with another SSL profile I have. Which one is the wrong one?

I ran another scan now; the result is this:

[screenshot 3]

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH secp256r1 (eq. 3072 bits RSA)   FS128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH secp256r1 (eq. 3072 bits RSA)   FS256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK256

# TLS 1.1 (suites in server-preferred order)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK256

# TLS 1.0 (suites in server-preferred order)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK

I don't see those ciphers which are supported. Do you think that it is only possible to change with a new certificate?

Many thanks for your help on that.

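As an added illustration (not code from the thread, from Citrix or from the NetScaler product), the following Python script models TLS 1.2 cipher-suite selection with the two lists quoted in the previous posts: the TLS_ECDHE_RSA suites the Citrix doc gives for the Workspace app, and the TLS_ECDHE_ECDSA suites the SSL Labs scan shows the vserver offering. In the syslog line from the first post the vserver on port 443 is the server side of the failing handshake and the Workspace app is the client, so that is the handshake the model stands in for. A server can only use the suites whose authentication matches the key in the certificate it presents, so an ECDSA certificate restricts it to ECDHE_ECDSA suites, and a client that offers only ECDHE_RSA suites shares nothing with it, whatever cipher groups are bound. The list of suites for a vserver with an RSA certificate is a constructed assumption for comparison, and the script also parses the SSLLOG failure line so the reason can be picked out of syslog.

```python
# Added example (not from the thread): model TLS 1.2 cipher-suite selection
# between the Citrix Workspace app and the NetScaler vserver, using the
# suite lists posted in the thread, and parse the SSLLOG failure line.
import re

# Authentication prefix of a suite name -> certificate key type the server
# must present to use that suite (a TLS_ECDHE_ECDSA_* suite needs an ECDSA
# certificate; TLS_ECDHE_RSA_* and TLS_RSA_* suites need an RSA certificate).
AUTH_PREFIXES = {
    "TLS_ECDHE_ECDSA_": "ECDSA",
    "TLS_ECDHE_RSA_": "RSA",
    "TLS_DHE_RSA_": "RSA",
    "TLS_RSA_": "RSA",
}


def required_key_type(suite):
    """Return the certificate key type a suite needs, or None for signalling
    values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV that are not ciphers."""
    for prefix, key_type in AUTH_PREFIXES.items():
        if suite.startswith(prefix):
            return key_type
    return None


def negotiate(client_offered, server_preferred, server_cert_key_type):
    """Pick the suite a TLS 1.2 server selects in server-preferred order.

    Only suites matching the key type of the presented certificate are
    usable; among those the first one the client offered wins. None means
    the server aborts the handshake, which NetScaler logs as
    Reason "No shared cipher".
    """
    usable = [s for s in server_preferred
              if required_key_type(s) == server_cert_key_type]
    offered = set(client_offered)
    for suite in usable:
        if suite in offered:
            return suite
    return None


# TLS suites the Citrix doc quoted in the thread lists for the Workspace app.
WORKSPACE_APP_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

# TLS 1.2 suites the SSL Labs scan in the thread shows the vserver offering,
# in server-preferred order (all ECDHE_ECDSA, i.e. an ECDSA certificate).
VSERVER_SUITES_FROM_SCAN = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
]

# Constructed (assumed) list for comparison: the scanned suites plus ECDHE_RSA
# counterparts, as a vserver with ECDHE ciphers bound could offer once it
# also presents an RSA certificate.
VSERVER_SUITES_WITH_RSA_BOUND = VSERVER_SUITES_FROM_SCAN + [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

# Matches the SSLLOG SSL_HANDSHAKE_FAILURE line format quoted in the thread.
SSLLOG_RE = re.compile(
    r'SSLLOG SSL_HANDSHAKE_FAILURE .*?ClientVersion (?P<version>\S+) '
    r'- CipherSuite "(?P<suite>[^"]*)" - Reason "(?P<reason>[^"]*)"')


def parse_handshake_failure(line):
    """Extract version, suite and reason from a NetScaler SSLLOG handshake
    failure line; return None for any other line."""
    m = SSLLOG_RE.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Syslog line quoted in the first post of the thread.
    syslog = ('0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 14349 0 :  SPCBId 2291 '
              '- ClientIP  - ClientPort 35983 - VserverServiceIP  - VserverServicePort 443 '
              '- ClientVersion TLSv1.2 - CipherSuite "NA" - Reason "No shared cipher"')
    print(parse_handshake_failure(syslog))
    # ECDSA certificate, scanned suites: nothing shared with the Workspace app.
    print(negotiate(WORKSPACE_APP_SUITES, VSERVER_SUITES_FROM_SCAN, "ECDSA"))
    # ECDSA certificate even with ECDHE_RSA ciphers bound: still nothing shared.
    print(negotiate(WORKSPACE_APP_SUITES, VSERVER_SUITES_WITH_RSA_BOUND, "ECDSA"))
    # RSA certificate with ECDHE_RSA ciphers bound: a suite is selected.
    print(negotiate(WORKSPACE_APP_SUITES, VSERVER_SUITES_WITH_RSA_BOUND, "RSA"))
```

The third call is the point of the model: binding more cipher groups on the profile changes nothing while the certificate bound to the vserver is ECDSA, because the ECDHE_RSA suites are filtered out before the client's list is ever consulted. The fourth call shows that, with an RSA certificate, server-preferred order picks the first RSA suite the Workspace app also offers.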

Maybe you can take a look and verify the following:

https://support.citrix.com/article/CTX124153

https://support.citrix.com/article/CTX230024

On one forum they say the following:

"To resolve it, use the ReceiverCleanupUtility to fully remove receiver from the PC, reboot then install receiver"

There are so many further directions; I have no idea how to solve this.
