Cryptographic Update in Citrix Workspace App for Android

Objective:

This feature is an important change to the secure communication protocol. Cipher suites with the TLS_RSA_ prefix use static RSA key exchange and therefore do not offer forward secrecy, and RC4 and 3DES are weak ciphers. Citrix will support these cipher suites only until the end of 2019.

From 2020, Citrix Workspace app will support the TLS_ECDHE_RSA_ cipher suites listed below. If your environment is not configured with TLS_ECDHE_RSA_ cipher suites, client launches are not supported, because the client and the server cannot agree on a cipher suite that is not weak.

This document aims to provide details of the changes to the cipher suites.

What’s New?

The following cipher suites (IANA name, with the TLS code point in parentheses) will be supported:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

Expected failure scenarios and edge cases

  • Citrix Workspace app does not support DTLS v1.2.
  • Citrix Gateway does not support DTLS v1.2. For Citrix Gateway cipher troubleshooting, see Knowledge Center article https://support.citrix.com/article/CTX235509.
  • DTLS v1.0 supports only the following cipher suite, because the AES-GCM and SHA-384 suites can be negotiated only with (D)TLS v1.2:
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • DTLS v1.0 in external connections requires Citrix Gateway version 12.1 or later. If you are using DTLS v1.0 with Citrix Gateway version 12.0 or earlier, the session fails. In this case, the session falls back to TLS v1.2 only if the HDX Adaptive Transport policy is set to Preferred on the DDC (Delivery Controller).
  • Citrix Workspace app does not support the COM and GOV client cipher sets.
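The checks implied by the Objective, the What's New list and the DTLS v1.0 note above, as an added Python example (this is not Citrix code and is not part of the original article): it classifies IANA cipher-suite names by the page's rule (TLS_RSA_ prefix, RC4 and 3DES are weak; the three TLS_ECDHE_RSA_ suites are required), works out which required suite a DTLS v1.0 session can carry, and can optionally probe a live endpoint you name (a Citrix Gateway, StoreFront or VDA address, for example) by attempting a TLS 1.2 handshake that offers exactly one suite at a time. The OpenSSL cipher names in the two mappings are the standard equivalents of the IANA names; the weak probe set, the host and port arguments, and the sample cipher list in the offline demo are assumptions.

```python
"""Audit a cipher-suite list, and optionally a live TLS endpoint, against the
cipher policy described on this page. Added example; not Citrix code."""
import socket
import ssl
import sys

# The three suites the page lists as supported from 2020:
# IANA name -> (TLS code point, OpenSSL cipher name used by the ssl module).
REQUIRED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"),
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": (0xC028, "ECDHE-RSA-AES256-SHA384"),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":    (0xC013, "ECDHE-RSA-AES128-SHA"),
}

# Assumed probe set: one representative of each family the page retires,
# i.e. static-RSA key exchange (no forward secrecy), 3DES and RC4.
WEAK_PROBES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA":  "AES128-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_RC4_128_SHA":      "RC4-SHA",
}


def classify_suite(iana_name):
    """'weak' for TLS_RSA_* (static RSA key exchange, no forward secrecy) and
    for any suite using RC4 or 3DES; 'required' for the three ECDHE_RSA suites
    above; 'other' for anything else (e.g. ECDSA suites the page does not cover)."""
    if iana_name.startswith("TLS_RSA_") or "RC4" in iana_name or "3DES" in iana_name:
        return "weak"
    if iana_name in REQUIRED_SUITES:
        return "required"
    return "other"


def dtls10_usable(iana_name):
    """DTLS v1.0 is based on TLS 1.1; the AES-GCM (RFC 5288) and SHA-384
    (RFC 5289) suites may only be negotiated with (D)TLS 1.2. Of the required
    suites that leaves TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, as the page states."""
    return (iana_name in REQUIRED_SUITES
            and "GCM" not in iana_name and "SHA384" not in iana_name)


def audit_cipher_list(names):
    """Summarise a configured cipher list (IANA names, e.g. copied from a Gateway
    or VDA cipher group): which entries are weak, which required suites are
    missing, and which entries a DTLS v1.0 session could use."""
    names = list(names)
    return {
        "weak": [n for n in names if classify_suite(n) == "weak"],
        "missing_required": [n for n in REQUIRED_SUITES if n not in names],
        "dtls10": [n for n in names if dtls10_usable(n)],
    }


def probe_suite(host, port, openssl_name, timeout=5.0):
    """Attempt a TLS 1.2 handshake that offers exactly one cipher suite.
    Returns the negotiated suite name, or None if the server refuses it or the
    local OpenSSL lacks the suite (typical for RC4 on current builds).
    Certificate verification is off on purpose: this checks cipher
    configuration, not trust, so never reuse this context for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Pin TLS 1.2: set_ciphers() does not restrict TLS 1.3 suites, so without
    # the cap a TLS 1.3 server would "pass" regardless of its TLS 1.2 setup.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(openssl_name)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def probe_server(host, port=443):
    """Probe every required and weak suite; a compliant endpoint accepts all
    three required suites and refuses all of the weak ones."""
    report = {}
    for iana, (_, ossl) in REQUIRED_SUITES.items():
        report[iana] = probe_suite(host, port, ossl)
    for iana, ossl in WEAK_PROBES.items():
        report[iana] = probe_suite(host, port, ossl)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python audit.py gateway.example.com 443 (assumed host)
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for suite, negotiated in probe_server(host, port).items():
            print(f"{suite:40s} {'accepted' if negotiated else 'refused'}")
    else:  # offline demo on a constructed cipher list
        sample = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
        print(audit_cipher_list(sample))
```

A configuration that passes probe_server still needs the forward-secrecy point from the Objective read in context: the probe confirms which suites the server will negotiate, not which one it prefers, so an endpoint that accepts an ECDHE suite and a TLS_RSA_ suite should be treated as not yet compliant until the weak suites are removed.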

The following matrices provide details of internal and external network connections:

  • Matrix for internal network connections

    Client Cipher set | VDA Cipher set | Direct connections
                      |                | TLS  | DTLS v1.0 | DTLS v1.2
                      |                | Open | Open      | Open
    ANY               | ANY            | Pass | Pass      | NS
    ANY               | COM            | Pass | Pass      | NS
    ANY               | GOV            | Pass | NS        | NS

Note:

NS – Functionality not supported. The GOV row fails over DTLS v1.0 because DTLS v1.0 can negotiate only TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (see above).

This scenario is tested with VDA 1906.

  • Matrix for external network connections (Citrix Gateway scenario)

    Client Cipher set | VDA Cipher set | External connections through Citrix Gateway (NSG)
                      |                | TLS  | DTLS v1.0 | DTLS v1.2
                      |                | Open | Open      | Open
    ANY               | ANY            | Pass | Pass      | NS
    ANY               | COM            | Pass | Pass      | NS
    ANY               | GOV            | Pass | NS        | NS

Note:

NS – Functionality not supported. DTLS v1.2 is NS in every row because neither Citrix Workspace app nor Citrix Gateway supports it (see above).

This scenario is tested with VDA 1906.
