Citrix Workspace app 1904 for Windows – Unable to connect to the server SSL Error 4

To resolve this issue:

Option 1 (recommended):

Update the Gateway with a compatible cipher suite (see Cryptographic Update for supported cipher suites), following the steps outlined in CTX235509.


Option 2:

Note: This should be considered a short-term workaround, since previous versions of CWA contain a security vulnerability; see CTX251986 for details.

Uninstall Citrix Workspace app 1904 (see Control Panel > Programs > Uninstall a Program).

Download and install Citrix Workspace app 1903 from here: Download link

Related:

Secure Mail iOS 19.3.5 and Secure Mail Android 19.6.0 Not Able to Create Account or Connection Error

Before users can create an account in Secure Mail for iOS version 19.3.5 or Secure Mail Android 19.6.0, you must do the following:

1. On Citrix ADC, add the following cipher suite value in the SSL Ciphers option: ECDHE-RSA-AES256-GCM-SHA384.

Note: If the ciphers are already bound, go to step 2.

For details, see https://docs.citrix.com/en-us/netscaler/12/ssl/ciphers-available-on-the-citrix-ADC-appliances/configure-user-defined-cipher-groups-on-the-adc-appliance.html


2. Bind and enable Elliptic Curve Cryptography (ECC).

For details, see ECDSA cipher suites support in the Citrix ADC 12.1 documentation https://docs.citrix.com/en-us/citrix-adc/12-1/ssl/ciphers-available-on-the-citrix-ADC-appliances/ecdhe-ciphers.html.

For FIPS-enabled environments, verify that the RSA key size of the identity certificate (that is, the server certificate), the intermediate certificates, and your root certificate is 2048 or 3072 bits. An RSA key size of 4096 bits is not currently supported in a FIPS-enabled environment: the new crypto library checks the key size and rejects the connection.

For configuration information see the following Citrix support article: https://support.citrix.com/article/CTX205289

Related:

Overview of the Crypto Kit updates in Citrix Workspace 19.04

Applicable Products

Citrix Workspace App 1904 for Windows and later.

Note: Citrix Workspace app 1904 for Windows has not been released publicly. This article serves as early notice to IT administrators so that they can take necessary action in advance. This will enable end users to install/upgrade to Citrix Workspace app 1904 for Windows seamlessly.

Objective

This feature is an important change to the secure communication protocol. Cipher suites with the prefix TLS_RSA_ do not offer forward secrecy and are considered weak. These cipher suites were deprecated in Citrix Receiver version 13.10 with an option for backward compatibility.

In this release, the TLS_RSA_ cipher suites have been removed entirely. Instead, this release supports the advanced TLS_ECDHE_RSA_ cipher suites. If your environment is not configured with the TLS_ECDHE_RSA_ cipher suites, client launches are not supported due to weak ciphers. This release supports 1536-bit RSA keys for client authentication.

This document aims to detail the changes to the cipher suites.

What’s New?

The following advanced cipher suites are supported:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

The GPO setting that, in earlier releases, allowed the deprecated cipher suites to be enabled has been removed. It was located under the following Computer Configuration node:

Administrative Template > Citrix Component > Citrix Workspace > Network Routing > Deprecated Cipher Suites


The following cipher matrix provides the ciphers supported by the latest SSL SDK:

Expected failure scenarios and edge cases

  • TCP
    • OPEN mode: Session launch is not supported when the client is configured for GOV and the VDA for COM, because a common cipher suite is absent.
    • FIPS/NIST (SP800-52) compliance mode: Session launch is not supported when the VDA is configured for COM and the client for COM, GOV, or ANY, or the other way around, because a common cipher suite is absent.
  • DTLS v1.0 supports the following cipher suites:
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • DTLS v1.2 supports the following cipher suites:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • Therefore, session launch is not supported from a client configured for GOV to a VDA configured for COM, and fallback to TCP is not supported. With DTLS v1.0, session launch is not supported for clients configured for GOV because a common cipher suite is absent.
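The two failure modes this article keeps returning to can be reproduced offline. The following Go program is an added example, not Citrix code and not part of the original article: using only the standard library, it runs a TLS 1.2 handshake between a client that offers only the TLS_ECDHE_RSA_* suites and a simulated gateway that is still limited to TLS_RSA_* suites (the handshake fails because no common cipher suite exists), repeats it against a gateway with the ECDHE suites added (0xc030 is negotiated), and walks a certificate chain flagging RSA keys that the FIPS-mode library described earlier would reject (anything other than 2048 or 3072 bits, so 4096 is rejected). Client and server talk over an in-memory pipe, so nothing touches the network. The self-signed certificate, the host name gateway.example.test and the two gateway cipher lists are constructed for the demonstration; 0xc028 (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) is left out of the client list because Go does not implement it.

```go
// Added example, not Citrix code. With Go's standard library it reproduces two
// checks from the article: a TLS 1.2 client offering only TLS_ECDHE_RSA_* suites
// gets no common cipher suite with a TLS_RSA_*-only gateway, and FIPS mode
// accepts only 2048- or 3072-bit RSA keys in the certificate chain.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ECDHE-only client list (IANA IDs 0xc030 and 0xc013 from the article).
// Go does not implement 0xc028 (AES_256_CBC_SHA384), so it is omitted.
var ecdheOnlyClient = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}

// Gateway still limited to RSA key exchange (no forward secrecy), and the same
// gateway after the cryptographic update with ECDHE suites placed first.
var legacyGateway = []uint16{tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_128_CBC_SHA}
var updatedGateway = append(append([]uint16{}, ecdheOnlyClient...), legacyGateway...)

// selfSignedCert builds a throwaway RSA certificate for the simulated gateway.
func selfSignedCert(bits int) (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "gateway.example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs one TLS 1.2 handshake over an in-memory pipe between a server
// limited to serverSuites and a client limited to clientSuites, returning the
// negotiated suite or the error the client saw. Nothing touches the network.
func handshake(serverSuites, clientSuites []uint16, cert tls.Certificate) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	srvConn.SetDeadline(time.Now().Add(10 * time.Second))
	cliConn.SetDeadline(time.Now().Add(10 * time.Second))
	// Pin TLS 1.2 on both sides: TLS 1.3 ignores CipherSuites and would hide the mismatch.
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: serverSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	clientCfg := &tls.Config{CipherSuites: clientSuites, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		InsecureSkipVerify: true} // self-signed test cert; only suite selection is under test
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, serverCfg).Handshake() }()
	client := tls.Client(cliConn, clientCfg)
	err := client.Handshake()
	<-srvErr // let the server side finish (or fail) before the pipe closes
	if err != nil {
		return 0, err
	}
	return client.ConnectionState().CipherSuite, nil
}

// checkFIPSKeySize applies the article's FIPS rule (RSA keys must be 2048 or
// 3072 bits; 4096 is rejected) to every RSA certificate in a chain: server,
// intermediates and root. Non-RSA keys are outside the article's scope.
func checkFIPSKeySize(chain []*x509.Certificate) error {
	for _, c := range chain {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if ok && pub.N.BitLen() != 2048 && pub.N.BitLen() != 3072 {
			return fmt.Errorf("%s: %d-bit RSA key; FIPS mode needs 2048 or 3072", c.Subject.CommonName, pub.N.BitLen())
		}
	}
	return nil
}

func main() {
	cert, err := selfSignedCert(2048)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(cert.Certificate[0])
	fmt.Println("FIPS key-size check:", checkFIPSKeySize([]*x509.Certificate{leaf}))
	_, err = handshake(legacyGateway, ecdheOnlyClient, cert)
	fmt.Println("legacy gateway:", err) // no cipher suite in common
	id, err := handshake(updatedGateway, ecdheOnlyClient, cert)
	fmt.Println("updated gateway:", tls.CipherSuiteName(id), err)
}
```

Run it with `go run`. Against the legacy list the client reports the server's handshake_failure alert, which is the same symptom the Workspace app surfaces as "SSL Error 4"; against the updated list the connection negotiates TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. The simulation models suite overlap only; the COM/GOV/ANY compliance modes of the Citrix client are not represented.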

The following matrices provide details of internal and external network connections:

  • Matrix for internal network connections (Citrix Gateway scenario)

  • Matrix for external network connections (Citrix Gateway scenario)

Related:

Agent Initialization Pending/Agent not registered yet

I need a solution

Hello,
the Altiris agent installed on some machines of my organization can't communicate with the server properly (please see the attached screen capture).

Also, the log reports multiple error and warning messages like these:

<event date='03/26/2019 16:59:01.2150000 +03:00' severity='4' hostName='xxxxxxxx' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8748' thread='992' tickCount='226679062' >
  <![CDATA[Configure Server Mode: Access credentials are missing or incomplete, error: The system cannot find the file specified (0x00000002)]]>
</event>

<event date='03/26/2019 16:59:02.1000000 +03:00' severity='1' hostName='EMEANUC8782-09' source='NetworkOperation' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='8748' thread='992' tickCount='226679953' >
  <![CDATA[Operation 'Direct: Head' failed.
Protocol: HTTPS
Host:xxxxxxx.net:443
Path: /altiris/NS/Agent/GetClientCertificate.aspx
Connection Id: 18.8748
Communication profile Id: {xxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxx}
Error type: HTTP error
Error code: HTTP status 403: The client does not have sufficient access rights (0x8FA10193)
Error note: Empty response content received
Server HTTPS connection info:
   Server certificate:
      Serial number: xxxxxxxxxxx
      Thumbprint: xxxxxxxxxxxxxxxxxxxxxxxx
   Cryptographic protocol: TLS 1.2
   Cipher suite: xxxxxxxxxxxxxxxxxxxxxxxxxxx
   Cipher algorithm: AES
   Cipher key length: 256
   Hash algorithm: SHA384
   Hash length: 384
   Key exchange algorithm: ECDH
   Key length: 256]]>
</event>

<event date='03/26/2019 16:59:02.1040000 +03:00' severity='2' hostName='xxxxxxxxxxxx' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8748' thread='992' tickCount='226679953' >
  <![CDATA[Request 'https://xxxxxxxxxxxxxxnet:443/altiris/NS/Agent/GetClientCertificate.aspx' failed, COM error: HTTP status 403: The client does not have sufficient access rights (0x8FA10193)]]>
</event>

<event date='03/26/2019 16:59:02.1050000 +03:00' severity='2' hostName='xxxxxxxx' source='ConfigServer' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='8748' thread='992' tickCount='226679953' >
  <![CDATA[Failed to receive CEM certificates from https://xxxxxxxx.net:443/altiris/NS/Agent/GetClien… in direct mode, error: Unspecified error (0x80004005)]]>
</event>

Any idea?
I already tried to uninstall and install the agent again, GUID reset, privileges granted to the Altiris folder, etc.
Can it be a firewall problem?

Please help!


Related:


FAQ: NetScaler SSL Cipher

Q: Does NetScaler 10.5 support SHA-2 ciphers?

A: SHA-2 ciphers are supported on NetScaler from release 10.5 build 53.9.

From release 10.5 build 53.9, ECDHE, AES-GCM, and SHA-2 ciphers are part of the default group. ECDHE/DHE cipher suites must be used to achieve Perfect Forward Secrecy (PFS). However, ECDHE, AES-GCM, and SHA-2 ciphers are supported on the front-end SSL entities only. From NetScaler 11.1, ECDHE, AES-GCM, and SHA-2 are supported on the back-end entities too.

For more information refer to Citrix Documentation – Ciphers Supported by the NetScaler Appliance

Related:


ECS 3.1 and higher only supports TLS version 1.2

Article Number: 513482 Article Version: 7 Article Type: Break Fix



Elastic Cloud Storage,ECS Appliance,ECS Appliance Software with Encryption 3.1,ECS Appliance Software without Encryption 3.1,ECS Software

ECS 3.1 and higher only supports TLS version 1.2

Change in ECS to more secure version of TLS.

Upgrade to ECS 3.1.x or higher.

As part of the upgrade to ECS 3.1.x code, the Transport Layer Security (TLS) version is also upgraded to 1.2. Be sure to discuss this change with our customers during the planning phase and pre-checks to prevent any possible impact.

Before the upgrade, ensure that all application servers, gateway servers, and load balancers connecting to the ECS support TLS 1.2. TLS is the successor to SSL (Secure Sockets Layer), and the two names are often used interchangeably.

Below is the default supported configuration. The value in parentheses can be management, data, or both.

matrix

Related:

Weak Diffie-Hellman encryption enforced on messagelabs servers

I do not need a solution (just sharing information)

Hello,

We just resolved an issue emailing to multiple messagelabs customers.

After a new Exchange 2016 server got configured (with Microsoft best practice security guidelines) we couldn't email to multiple domains who happen to use messagelabs.

Errors we got in protocollog smtpsend:

TLS negotiation failed with error InvalidToken

421 Service Temporarily Unavailable

After troubleshooting we found that a Diffie-Hellman cipher suite was forced to be 2048-bit on our Exchange server but the MessageLabs servers only accepted worse/lower encrypted communication (i.e. 512/1024-bit).

More information about this issue:

https://weakdh.org/

Could this issue be resolved?

Sincerely,

Mark


Related:

Receiver for Windows 4.11 | Error “Unable to connect to the server. error SSL Error 4”

Microsoft introduced a new set of ciphers in update KB2919355, which applies to Windows 8.1 and Windows Server 2012 R2.

The following cipher suites are enabled and in this priority order by default by the Microsoft Schannel Provider:

Cipher suite string                           Allowed by SCH_USE_STRONG_CRYPTO   TLS/SSL protocol versions
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256    Yes                                TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384    Yes                                TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256    Yes                                TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384    Yes                                TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256       Yes                                TLS 1.0, 1.1, 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384       Yes                                TLS 1.0, 1.1, 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256       Yes                                TLS 1.0, 1.1, 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384       Yes                                TLS 1.0, 1.1, 1.2


Receiver for Windows 4.7, Receiver for Mac 12.5, Receiver for Android 3.12.2/3.12.3 and Receiver for Linux 13.6 introduce the following ECDHE ciphers, which trigger this defect:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Install KB2919355 on all Windows 8.1 client machines.

Related:

Secure ICA Traffic – SSL Connection Fails to Windows 10 VDA or 2016 Server VDA

An additional step is necessary when the VDA is on Windows Server 2016 or later, or Windows 10 Anniversary Edition or later. This affects connections from Citrix Receiver for Windows 4.6. On the VDA, using the Group Policy Editor, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order. Select the following cipher suites, in this order:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

Note: The first four items also specify the elliptic curve, P384 or P256. Ensure that “curve25519” is not selected; FIPS Mode does not prevent the use of “curve25519”. When this Group Policy setting is configured, the VDA selects a cipher suite only if it appears in both lists: the Group Policy list and the list for the selected compliance mode (COM, GOV, or ALL). The cipher suite must also appear in the list sent by the client (Citrix Receiver or StoreFront). This Group Policy configuration also affects other TLS applications and services on the VDA. If your applications require specific cipher suites, you may need to add them to this Group Policy list.
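Because the Group Policy list above mixes ECDHE suites with TLS_RSA_ suites (and ends with RC4 and 3DES), an administrator will want to see at a glance which entries lack forward secrecy before applying it. The following Go program is an added example, not Citrix code: it takes a Windows SSL Cipher Suite Order list such as the one above or the KB2919355 table in the Receiver 4.11 article, strips the Schannel-only curve suffix (_P256/_P384) that IANA names do not carry, looks each suite up in Go's own cipher suite tables to recover the IANA ID and Go's insecure flag, and marks forward secrecy from the key-exchange prefix, the same TLS_RSA_ versus TLS_ECDHE_RSA_ distinction the Crypto Kit article draws. The `Finding` type, the function names and the judgement that a suite "lacks forward secrecy" are this example's, not Citrix's or Microsoft's; suites Go has never implemented are reported as unknown rather than guessed.

```go
// Added example, not Citrix code: audits a Windows "SSL Cipher Suite Order"
// list such as the one in the article. Schannel names carry a curve suffix
// (_P256/_P384) that IANA names lack; strip it, look each suite up in Go's
// cipher tables, and flag suites without forward secrecy or marked insecure.
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Finding is the audit result for one entry of the Group Policy list.
type Finding struct {
	Name           string // name exactly as written in the Group Policy list
	IANAName       string // name with the Schannel curve suffix removed
	ID             uint16 // IANA cipher suite ID; 0 when Go has no table entry
	ForwardSecrecy bool   // ECDHE/DHE key exchange (the TLS_RSA_ suites lack it)
	Insecure       bool   // listed by Go as insecure (for example RC4)
	Known          bool   // present in Go's cipher suite tables at all
}

// knownSuites indexes Go's secure and insecure cipher tables by IANA name.
var knownSuites = func() map[string]*tls.CipherSuite {
	m := make(map[string]*tls.CipherSuite)
	for _, cs := range tls.CipherSuites() {
		m[cs.Name] = cs
	}
	for _, cs := range tls.InsecureCipherSuites() {
		m[cs.Name] = cs
	}
	return m
}()

// stripCurveSuffix turns a Schannel name into its IANA name.
func stripCurveSuffix(name string) string {
	for _, s := range []string{"_P256", "_P384", "_P521"} {
		name = strings.TrimSuffix(name, s)
	}
	return name
}

// AuditCipherOrder examines every suite in a Group Policy list, in order.
// Forward secrecy is judged from the key-exchange prefix, the same
// distinction the Crypto Kit article draws between TLS_RSA_ and TLS_ECDHE_RSA_.
func AuditCipherOrder(list []string) []Finding {
	out := make([]Finding, 0, len(list))
	for _, name := range list {
		iana := stripCurveSuffix(strings.TrimSpace(name))
		f := Finding{Name: name, IANAName: iana,
			ForwardSecrecy: strings.HasPrefix(iana, "TLS_ECDHE_") || strings.HasPrefix(iana, "TLS_DHE_")}
		if cs, ok := knownSuites[iana]; ok {
			f.ID, f.Insecure, f.Known = cs.ID, cs.Insecure, true
		}
		out = append(out, f)
	}
	return out
}

// vdaCipherOrder is the order the article tells administrators to select.
var vdaCipherOrder = []string{
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256",
	"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
	"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

func main() {
	for _, f := range AuditCipherOrder(vdaCipherOrder) {
		id := "unknown to Go"
		if f.Known {
			id = fmt.Sprintf("0x%04x", f.ID)
		}
		fmt.Printf("%-45s %-14s PFS=%-5t insecure=%t\n", f.Name, id, f.ForwardSecrecy, f.Insecure)
	}
}
```

Run with `go run`; the first four rows resolve to 0xc030 and (for the CBC_SHA384 pair) to "unknown to Go", the TLS_RSA_ rows show PFS=false, and the RC4 row is the one Go marks insecure. Whether 3DES is marked insecure depends on the Go release, which is why the output reports Go's flag rather than hard-coding a verdict.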

Related: