How to troubleshoot SSL Encryption for Linux VDA

Article ID: CTX230022

Description

This article provides general guidance on troubleshooting the SSL Encryption for Secure User Sessions feature of Linux VDA.

Instructions

In this article, we provide general troubleshooting guidance: how SSL Encryption works on Linux VDA, how to check that SSL encryption is enabled correctly, and how to get more detailed logging of SSL Encryption.

How SSL functionality works in Linux VDA

We made the following changes to provide SSL functionality for Linux VDA:
  1. Modified the underlying ICA Transport Driver (TD) to add an SSL protocol layer.
  2. Added a new key "ssl" under the ConfDB path HKLM\System\CurrentControlSet\Control\Citrix\WinStations so that the SSL listener starts with proper initial values. You can list all related keys with the command:
/opt/Citrix/VDA/bin/ctxreg list -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl"
  3. Created a configuration script (/opt/Citrix/VDA/sbin/enable_vdassl.sh) that can be used to enable or disable SSL encryption, configure SSL settings and perform the other steps needed to make the SSL listener work. It mainly operates on the following parameters under the registry key HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl:
Parameter Name     | Description & Value
fEnableWinStation  | Enable (0x00000001) / Disable (0x00000000) SSL encryption; disabled by default.
PortNumber         | SSL port number; default: 443
SSLMinVersion      | Minimum SSL version supported: 2 = "TLS_1.0", 3 = "TLS_1.1", 4 = "TLS_1.2" (default value)
SSLCipherSuite     | SSL cipher suite: 1 = "GOV", 2 = "COM", 3 = "ALL" (default value)
SSLCertName        | Server certificate name
SSLKeyStore        | Certificate keystore; default: /etc/xdl/.sslkeystore
You can get detailed help for this tool with the following command:
/opt/Citrix/VDA/sbin/enable_vdassl.sh -h
  4. Updated the HDX service to support the SSL listener.
How to check if SSL encryption is enabled correctly
  • On the Delivery Controller, make sure SSL encryption has been enabled for the Delivery Group (HdxSslEnabled: True) and that the Delivery Controller uses the FQDN of the Linux VDA to contact it (DnsResolutionEnabled: True). Execute the following commands in a PowerShell window on the Delivery Controller:
# Asnp citrix.*
# Get-BrokerAccessPolicyRule -DesktopGroupName '<GROUPNAME>' | format-list HdxSslEnabled
Note: <GROUPNAME> is the target Delivery Group name, for example:
# Get-BrokerAccessPolicyRule -DesktopGroupName 'sin-centos73' | format-list HdxSslEnabled
# Get-BrokerSite | format-list DnsResolutionEnabled
  • On the Linux VDA, check the following:
    1. The SSL listener is up and running; run the following command:
[root@sin-centos73 ~]# netstat -lptn|grep ctxhdx
tcp6    0    0 :::1494     :::*     LISTEN    12942/ctxhdx
tcp6    0    0 :::443      :::*     LISTEN    12942/ctxhdx
tcp6    0    0 :::2598     :::*     LISTEN    12942/ctxhdx
    2. If the ctxhdx process is not listening on the SSL port (443 by default), check the registry key and make sure fEnableWinStation is enabled:
[root@sin-centos73 ~]# /opt/Citrix/VDA/bin/ctxreg read -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "fEnableWinStation"
0x00000001
If the key is not enabled, enable it and restart the HDX service:
[root@sin-centos73 ~]# /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "fEnableWinStation" -d 0x00000001
[root@sin-centos73 ~]# sudo /sbin/service ctxhdx restart
    3. If the registry key is enabled correctly but the ctxhdx process still does not listen on the SSL port, check the server certificate and CA certificate: make sure you are using the correct certificates and that they are located in /etc/xdl/.sslkeystore/certs and /etc/xdl/.sslkeystore/cacerts respectively.
    4. Check /var/log/xdl/hdx.log for any other possible errors.
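The checks above, as an added example that is not Citrix tooling: the registry value, the listener and the keystore layout are tested by small functions over command output, so they can run live on the VDA or against pasted output. The ctxreg path, the ssl key and the keystore directories are the defaults the article names.

```shell
#!/bin/sh
# Added example, not Citrix tooling: the checks from the steps above as small
# functions over command output, so they run live on the VDA or against pasted
# output. The ctxreg path, the ssl key and the keystore layout (certs/ and
# cacerts/ under /etc/xdl/.sslkeystore) are the defaults the article names.
CTXREG=/opt/Citrix/VDA/bin/ctxreg
SSL_KEY='HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl'
KEYSTORE=/etc/xdl/.sslkeystore

# ssl_flag_enabled VALUE: succeeds when a ctxreg fEnableWinStation value means enabled.
ssl_flag_enabled() {
    case "$1" in
        0x00000001) return 0 ;;
        *)          return 1 ;;
    esac
}

# ctxhdx_listening LISTING PORT: succeeds when "netstat -lptn" output, passed as
# text, shows ctxhdx listening on PORT (column 4 = local address, 7 = PID/program).
ctxhdx_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $4 ~ (":" p "$") && $7 ~ /\/ctxhdx$/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# keystore_has_certs DIR: succeeds when DIR/certs and DIR/cacerts both exist and
# are non-empty; an empty directory is a common cause of "enabled but not listening".
keystore_has_certs() {
    for sub in certs cacerts; do
        [ -d "$1/$sub" ] || return 1
        [ -n "$(ls -A "$1/$sub" 2>/dev/null)" ] || return 1
    done
    return 0
}

# check_vda_ssl [PORT]: run the checks above live on a Linux VDA (as root).
check_vda_ssl() {
    port="${1:-443}"
    flag=$("$CTXREG" read -k "$SSL_KEY" -v fEnableWinStation) || return 1
    ssl_flag_enabled "$flag" || { echo "fEnableWinStation=$flag: SSL disabled"; return 1; }
    if ! ctxhdx_listening "$(netstat -lptn 2>/dev/null)" "$port"; then
        echo "ctxhdx is not listening on port $port"
        keystore_has_certs "$KEYSTORE" || echo "keystore $KEYSTORE lacks certs/ or cacerts/ content"
        return 1
    fi
    echo "SSL listener OK on port $port"
}

case "${1:-}" in --run) check_vda_ssl "${2:-443}" ;; esac
```

Run it as `sh check_vda_ssl.sh --run 443` on the VDA; a non-zero exit points at the first failing step of the procedure above.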
How to get more detailed logging of SSL Encryption
  • SSH to the Linux VDA server.
  • Set the TD, TD_INPUT and TD_OUTPUT log levels to VERBOSE using the setlog command:
/opt/Citrix/VDA/bin/setlog level TD VERBOSE
/opt/Citrix/VDA/bin/setlog level TD_INPUT VERBOSE
/opt/Citrix/VDA/bin/setlog level TD_OUTPUT VERBOSE
  • Restart the HDX service: sudo /sbin/service ctxhdx restart
  • Look for "TdSsl*" and "TdTcp*" lines in /var/log/xdl/hdx.log. Here is an example:
2017-11-19 13:48:55.837 <P12942> citrix-ctxhdx: TdTcpListenerThread: Using socket 23
2017-11-19 13:48:55.837 <P12942> citrix-ctxhdx: TdTcpRead: Entry
2017-11-19 13:48:55.837 <P12942> citrix-ctxhdx: TdTcpRead: socket 23
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdTcpRead: read 111 bytes
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslRead: Entry: td_connetion:0x1fda300
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslRead: : p_in_buffer[0]= 22, p_in_buffer[5] = 1
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslRead: SSL Signature has been detected.
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslConnectionCreate: Entry: 0x1fda300
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslConnectionCreate: td_ssl= 0x1f491c0 port=443 InputBufSize=2048 OutputBufSize=1684
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslConnectionCreate: Exit: status = SUCCESS
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslRead: Process SSL frame
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslRead: TdSslRead: Received 111 bytes of SSL Handshake data
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslHandshake: Entry TdSslHandshake: listeningContext=0x1fda000, p_in_buffer=0x2137800, in_bytes=111, pOutBuffer=0x215c000, OutBuffereLength=8192
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslHandshake: SSLHandShake: 22, 1
2017-11-19 13:48:55.842 <P12942> citrix-ctxhdx: TdSslHandshake: Sending 1989 bytes back to the Client
2017-11-19 13:48:55.842 <P12942> citrix-ctxhdx: TdTcpWrite: Entry: td_connection:0x1fda300
2017-11-19 13:48:55.842 <P12942> citrix-ctxhdx: TdTcpWrite: fd:23, buf:0x215c000, bytes:1989
2017-11-19 13:48:55.842 <P12942> citrix-ctxhdx: TdTcpWrite: write: 1989 bytes, 0 bytes left
2017-11-19 13:48:55.842 <P12942> citrix-ctxhdx: TdTcpWrite: Exit: SUCCESS
2017-11-19 13:48:55.842 <P12942> citrix-ctxhdx: TdSslHandshake: Exit TdSslHandshake(), status=0

2017-11-19 13:48:56.113 <P12942> citrix-ctxhdx: TdSslRead: TdSslHandshake completed!
2017-11-19 13:48:56.113 <P12942> citrix-ctxhdx: TdSslRead: Exit: TdSslRead(), status=SUCCESS
2017-11-19 13:48:56.113 <P12942> citrix-ctxhdx: TdTcpRead: Exit: SUCCESS
  • For general ICA connection troubleshooting, you may also need to collect CDF traces of Citrix Receiver on the client host.
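To read the excerpt above systematically, here is an added example that is not part of the article: two shell functions that summarise the TdSsl* lines of hdx.log. The byte meanings are taken from the TLS record format (p_in_buffer[0] = record content type, 22 = handshake; p_in_buffer[5] = handshake message type, 1 = ClientHello); treating a non-zero TdSslHandshake exit status as a failure is an assumption, since the article only shows status=0.

```shell
#!/bin/sh
# Added example, not part of the article: summarise what the TdSsl* lines in
# /var/log/xdl/hdx.log say about the TLS handshake. The byte meanings come from
# the TLS record format: p_in_buffer[0] is the record content type (22 =
# handshake) and p_in_buffer[5] the handshake message type (1 = ClientHello).
# Treating a non-zero TdSslHandshake exit status as a failure is an assumption;
# the article only shows status=0.

# tdssl_handshake_state LOGTEXT: prints completed | failed:<status> | in-progress | no-client-hello
tdssl_handshake_state() {
    printf '%s\n' "$1" | awk '
        /TdSslRead: SSL Signature has been detected/          { seen = 1 }
        /TdSslHandshake: Exit TdSslHandshake\(\), status=/    { sub(/.*status=/, ""); st = $0 }
        /TdSslRead: TdSslHandshake completed!/                { fin = 1 }
        END {
            if (fin)                        print "completed"
            else if (st != "" && st != "0") print "failed:" st
            else if (seen)                  print "in-progress"
            else                            print "no-client-hello"
        }'
}

# first_record_kind LOGTEXT: decode the first p_in_buffer[0]/[5] pair logged by
# TdSslRead into the TLS record and handshake type it represents.
first_record_kind() {
    printf '%s\n' "$1" \
      | sed -n 's/.*p_in_buffer\[0\]= *\([0-9]*\), p_in_buffer\[5\] *= *\([0-9]*\).*/\1 \2/p' \
      | head -n 1 | awk '
        { seen = 1 }
        $1 == 22 && $2 == 1 { print "handshake/client_hello"; next }
        $1 == 22            { print "handshake/type-" $2; next }
                            { print "non-handshake/content-type-" $1 }
        END { if (!seen) print "none" }'
}

# Constructed sample: four lines copied from the excerpt above.
SAMPLE_LOG='2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslRead: : p_in_buffer[0]= 22, p_in_buffer[5] = 1
2017-11-19 13:48:55.840 <P12942> citrix-ctxhdx: TdSslRead: SSL Signature has been detected.
2017-11-19 13:48:55.842 <P12942> citrix-ctxhdx: TdSslHandshake: Exit TdSslHandshake(), status=0
2017-11-19 13:48:56.113 <P12942> citrix-ctxhdx: TdSslRead: TdSslHandshake completed!'

# On a VDA, after the TD* levels are VERBOSE:
#   tdssl_handshake_state "$(grep -E 'TdSsl' /var/log/xdl/hdx.log)"
case "${1:-}" in --demo) tdssl_handshake_state "$SAMPLE_LOG"; first_record_kind "$SAMPLE_LOG" ;; esac
```

A result of "no-client-hello" with TdTcpRead lines present means the client reached port 443 but did not start TLS, which points at the Delivery Controller side (HdxSslEnabled) rather than at the VDA listener.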

Issue/Introduction

This article provides general guidance on troubleshooting the SSL Encryption for Secure User Sessions feature of Linux VDA. This feature is available on Linux VDA 7.16 and above.