Article ID: CTX238375
Description
Since upgrading to iOS 12, devices are unable to enroll. The device raises an SSL error.
Resolution
With iOS 12, Apple has changed the ciphers supported on the client side, which are now limited to the ones supporting Perfect Forward Secrecy:

A handshake failure will result if the MDM Load Balancer does not support the above ciphers, and the connection will be reset:

Enable the ECDHE ciphers on the NetScaler MDM Load Balancer and Gateway in order to prevent the issue.

You must also bind ECC curves to the vservers in order for ECDHE ciphers to be used.
Note: FIPS modules in NetScaler cannot utilize all the ECDHE ciphers, so you cannot add the entire ECDHE group to the Load Balancer and Gateway. If you try, you will receive an error. You can add the ciphers below for ECDHE support. Note that your HSM module must be at Version 2.2, and the FIPS NetScaler must be Version 11.1-51.x or newer; refer to https://docs.citrix.com/en-us/netscaler/12-1/ssl/ciphers-available-on-the-citrix-ADC-appliances.html. To check the FIPS module version, use the command "show fips".
TLS1-ECDHE-RSA-AES256-SHA
TLS1-ECDHE-RSA-AES128-SHA
TLS1.2-ECDHE-RSA-AES-256-SHA384
TLS1.2-ECDHE-RSA-AES-128-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
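The steps above as NetScaler CLI commands, for the FIPS case where the ciphers are added individually. This is an added example, not part of the original article: the vserver names lb_mdm_vs and gw_vs, the cipher group name cg_ecdhe_fips and the choice of curves P_256 and P_384 are assumptions, and the lines starting with # are annotations to leave out when pasting.

```netscaler
# Placeholder names (assumptions): lb_mdm_vs = MDM Load Balancer vserver,
# gw_vs = Gateway vserver, cg_ecdhe_fips = user-defined cipher group.

# Check the FIPS module version first (command from the article).
show fips

# Create a cipher group holding only the six ECDHE ciphers listed above,
# added here with the GCM suites first.
add ssl cipher cg_ecdhe_fips
bind ssl cipher cg_ecdhe_fips -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher cg_ecdhe_fips -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher cg_ecdhe_fips -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher cg_ecdhe_fips -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher cg_ecdhe_fips -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher cg_ecdhe_fips -cipherName TLS1-ECDHE-RSA-AES128-SHA

# Bind the group and the ECC curves to the MDM Load Balancer vserver.
bind ssl vserver lb_mdm_vs -cipherName cg_ecdhe_fips
bind ssl vserver lb_mdm_vs -eccCurveName P_256
bind ssl vserver lb_mdm_vs -eccCurveName P_384

# Same bindings on the Gateway vserver.
bind ssl vserver gw_vs -cipherName cg_ecdhe_fips
bind ssl vserver gw_vs -eccCurveName P_256
bind ssl vserver gw_vs -eccCurveName P_384

# Confirm that the ECDHE ciphers and ECC curves now appear on each vserver.
show ssl vserver lb_mdm_vs
show ssl vserver gw_vs
```

Without the ECC curve bindings the ECDHE ciphers are not used even when they are bound, so check both in the `show ssl vserver` output before retrying enrollment.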
Problem Cause
Unsupported Ciphers for the MDM Load Balancer