"You do not have the proper encryption level to access this Session"


Bril licenses

I enabled the default SSL profile on NetScaler as part of troubleshooting a macOS connectivity issue.

The SSL settings:

[Screenshot of the SSL settings]

I am getting the below error on accessing the VDIs:

"You do not have the proper encryption level to access this Session"

I tried this to disable the default SSL profile to undo the changes, however I cannot find the line in the config file.

https://support.citrix.com/article/CTX227225/how-to-disable-default-ssl-profile

 

NS13.0 Build 88.14


I'd suggest to first try to diagnose exactly what is wrong in the macOS SSL connection. For this you can take a trace (network capture) and then look at the SSL handshake; it could tell you which SSL parameter is failing in the negotiation (SSL versions, ciphers, etc.).

Then you can create a new ssl profile and make the necessary adjustments.


On 12/14/2023 at 6:28 PM, Felipe Ruiz1709162764 said:

I'd suggest to first try to diagnose exactly what is wrong in the macOS SSL connection. For this you can take a trace (network capture) and then look at the SSL handshake; it could tell you which SSL parameter is failing in the negotiation (SSL versions, ciphers, etc.).

Then you can create a new ssl profile and make the necessary adjustments.

Thanks for the reply. I will try that. However, my main concern now is that I have enabled the default profile and maybe it has overwritten my existing SSL profile parameters.

This has affected the App/VDI connectivity from Windows clients also, even the light version.

How can I revert that? As I mentioned, I checked the ns.conf file and I did not find the parameter.


  • 2 weeks later...
On 12/18/2023 at 8:13 AM, Bril licenses said:

Thanks for the reply. I will try that. However, my main concern now is that I have enabled the default profile and maybe it has overwritten my existing SSL profile parameters.

This has affected the App/VDI connectivity from Windows clients also, even the light version.

How can I revert that? As I mentioned, I checked the ns.conf file and I did not find the parameter.


The "default SSL Profile" can't be undone. It changes the way NetScaler handles SSL, it would leave the box in an unstable state (believe me, I have tried for scientific reasons). It changes the way SSL ciphers get bound to vServers. If you undo this change (it's just a line in ns.conf), it will crash the box or in the best case make all SSL vServers unusable.

 

"Default SSL profiles" are a great thing, and NetScaler will move to this in the near future, so we all have to go there. It leads to a more streamlined configuration. That's the reason why.

If you want to undo this change, you would have to restore an old ns.conf file.

 

I would rather address the problem with MacOS. The term is a bit misleading, as it's just BSD with a fancy shell. So it can adequately handle SSL. There are 2 reasons for the error message you get:

  1. it can't handle the SSL version desired (i.e. TLS 1.2, 1.3). If a box is unable to handle TLS 1.2, it's end of life. I would not go beyond TLS 1.2 anymore.
  2. it can't handle the cipher suites in use. You might read two of my blog articles about proper SSL handling: https://norz.at/?p=1314 (TLS 1.2) and https://norz.at/?p=1358 (TLS 1.3).

In short, you will probably have to enable the right TLS version and bind decent SSL ciphers to the profile.
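
As an added illustration (not part of any post above and not Citrix code), the check the replies describe, reading the client's ClientHello out of a capture and comparing it with what the SSL profile allows, can be sketched in Python. The two sample records are constructed, and the profile's version and cipher sets are hypothetical placeholders to be replaced with the values bound to your own profile.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_client_hello(record: bytes) -> dict:
    """Extract offered protocol versions and cipher-suite ids from a raw ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:]                        # skip record header (5) and handshake header (4)
    versions = [struct.unpack_from("!H", body, 0)[0]]   # legacy_version
    pos = 2 + 32                             # legacy_version + random
    pos += 1 + body[pos]                     # session_id
    n = struct.unpack_from("!H", body, pos)[0]
    suites = list(struct.unpack_from(f"!{n // 2}H", body, pos + 2))
    pos += 2 + n
    pos += 1 + body[pos]                     # compression methods
    if pos < len(body):                      # extensions are absent in very old clients
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == 0x002B:           # supported_versions replaces legacy_version
                count = body[pos + 4] // 2
                versions = list(struct.unpack_from(f"!{count}H", body, pos + 5))
            pos += 4 + ext_len
    return {"versions": versions, "suites": suites}

def diagnose(hello: dict, server_versions: set, server_suites: set) -> str:
    """Say which parameter blocks negotiation: protocol version or cipher suites."""
    common = sorted((v for v in hello["versions"] if v in server_versions), reverse=True)
    if not common:
        return "no common protocol version"
    for v in common:
        for s in hello["suites"]:
            # 0x1301-0x1305 are TLS 1.3 suites; all others apply to TLS 1.2 and older
            if s in server_suites and (0x1301 <= s <= 0x1305) == (v == 0x0304):
                return "ok: " + NAMES.get(v, hex(v))
    return "no common cipher suite"

# Constructed sample records (zeroed random, no SNI), not taken from a real capture.
MODERN = bytes.fromhex("160301003a" "01000036" "0303" + "00" * 32 + "00"
                       "0004" "1301" "c02f" "0100" "0009" "002b0005" "04" "0304" "0303")
LEGACY = bytes.fromhex("160301002d" "01000029" "0301" + "00" * 32 + "00"
                       "0002" "002f" "0100")

if __name__ == "__main__":
    profile_versions, profile_suites = {0x0303}, {0xC030}   # hypothetical profile settings
    for name, rec in (("modern", MODERN), ("legacy", LEGACY)):
        print(name, "->", diagnose(parse_client_hello(rec), profile_versions, profile_suites))
```

The two failure results correspond to the two reasons listed in the last reply: a version mismatch and a cipher-suite mismatch.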
