Cryptographic Update in Citrix Workspace App for Android

Objective

This feature is an important change to the secure communication protocol. Cipher suites with the prefix TLS_RSA_, as well as RC4 and 3DES, do not offer forward secrecy and are considered weak. Support for TLS_RSA_ cipher suites is removed from Citrix Workspace app.

From 2020, Citrix Workspace app will support the advanced TLS_ECDHE_RSA_ cipher suites. If your environment is not configured with the TLS_ECDHE_RSA_ cipher suites, client launches are not supported due to weak ciphers. Support for TLS_RSA_ cipher suites is being removed because they are not secure.

This document aims to provide details of the changes to the cipher suites.

What’s New?

The following advanced cipher suites will be supported:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) GOV
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) GOV
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) COM

TLS v1.0 supports the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS v1.2 supports the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
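To confirm from a packet capture that a server picks one of the suites above, the check below reads the selected suite out of a TLS ServerHello record and compares it with the per-version lists on this page. It is an added example, not Citrix code; the function names and the sample record are constructed for illustration, and it handles TLS records only (DTLS uses a different record header).

```python
import struct

# Suite IDs and names exactly as listed on this page.
SUPPORTED = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
# Per-version lists from this page: TLS v1.0 (0x0301) has one suite, TLS v1.2 (0x0303) all three.
BY_VERSION = {0x0301: {0xC013}, 0x0303: set(SUPPORTED)}


def parse_server_hello(record: bytes):
    """Return (protocol_version, selected_suite) from one TLS ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35 or len(hello) < 37 + hello[34]:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]  # skip version (2), random (32), session id length (1) and id
    version, = struct.unpack("!H", hello[:2])
    suite, = struct.unpack("!H", hello[off:off + 2])
    return version, suite


def check_negotiated(record: bytes):
    """Return (ok, detail): ok is True only if the suite is listed for that version."""
    version, suite = parse_server_hello(record)
    if suite not in BY_VERSION.get(version, set()):
        return False, f"suite 0x{suite:04x} is not listed for version 0x{version:04x}"
    return True, SUPPORTED[suite]


def constructed_server_hello(version: int, suite: int) -> bytes:
    """Build a minimal sample record (constructed data, empty session id, no extensions)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs


if __name__ == "__main__":
    print(check_negotiated(constructed_server_hello(0x0303, 0xC030)))
    print(check_negotiated(constructed_server_hello(0x0303, 0x002F)))  # a TLS_RSA_ suite
```
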

Expected failure scenarios and edge cases

  • Citrix Workspace app supports DTLS v1.0, TLS v1.0, DTLS v1.2, and TLS v1.2.
  • Citrix Gateway version 12.1 or higher supports DTLS v1.0. For Citrix Gateway ciphers troubleshooting, see Knowledge Center article https://support.citrix.com/article/CTX235509
  • TLS_RSA_ ciphers are not supported by Citrix Workspace app.
  • If you are using DTLS v1.2 with Citrix Gateway 12.0 and earlier, the session fails. In this case, the session falls back to TLS v1.2 only if the Adaptive Transport policy is set to the Preferred mode in the DDC.

The following matrices provide details of internal and external network connections:

  • Matrix for internal network connections

Direct Connections

| Client Cipher Set | VDA Cipher Set | TLS  | DTLS v1.0 | DTLS v1.2 |
|                   |                | Open | Open      | Open      |
| ANY               | ANY            | Pass | Pass      | Pass      |
|                   | COM            | Pass | Pass      | Pass      |
|                   | GOV            | Pass | NS        | Pass      |

Note:

NS – Functionality not supported

This scenario is tested with VDA 1912

  • Matrix for external network connections (Citrix Gateway scenario)

External Connections with NSG

| Client Cipher Set | VDA Cipher Set | TLS  | DTLS v1.0 | DTLS v1.2 |
|                   |                | Open | Open      | Open      |
| ANY               | ANY            | Pass | Pass      | NS        |
|                   | COM            | Pass | Pass      | NS        |
|                   | GOV            | Pass | NS        | NS        |

Note:

NS – Functionality not supported

This scenario is tested with VDA 1912, NS version 12.x
