Cryptographic Update in Citrix Workspace App for Android
Article ID: CTX261028
Updated On:
Description
This article is intended for Citrix administrators and technical teams only.
Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.
Objective
This feature is an important change to the secure communication protocol. Cipher suites with the prefix TLS_RSA_, RC4 and 3DES do not offer forward secrecy and are considered weak. In Citrix Workspace app TLS_RSA support is removed.
From 2020, Citrix Workspace app will support the advanced TLS_ECDHE_RSA_ cipher suites. If your environment is not configured with the TLS_ECDHE_RSA_ cipher suites, client launches are not supported due to weak ciphers. And We are removing support for TLS_RSA_ ciphers which are not secure ciphers.
This document aims to provide details of the changes to the cipher suites.
What’s New?
The following advanced cipher suites will be supported:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) GOV
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) GOV
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) COM
TLS v1.0 supports the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS v1.2 supports the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Expected failure scenarios and edge cases
- Citrix Workspace app does support DTLS v1.0, TLS v1.0, DTLS v1.2, TLS v1.2
- Citrix Gateway version 12.1 or higher does support DTLS v1.0. For Citrix Gateway ciphers troubleshooting, see Knowledge Center article https://support.citrix.com/article/CTX235509
- TLS_RSA _ ciphers not supported by Citrix Workspace app.
- If you are using DTLS v1.2 with Citrix Gateway 12.0 and earlier, the session fails. In this case, the session falls back to TLS v1.2 only if the Adaptive Transport policy is set to the Preferred mode in the DDC.
The following matrices provide details of internal and external network connections:
- Matrix for internal network connections
|
Client Cipher Set |
VDA Cipher Set |
Direct Connections | ||
|
TLS |
DTLS v1.0 |
DTLS v1.2 | ||
|
Open |
Open |
Open | ||
|
ANY |
ANY |
Pass |
Pass |
Pass |
|
COM |
Pass |
Pass |
Pass | |
|
GOV |
Pass |
NS |
Pass | |
|
Note: | ||||
- Matrix for external network connections (Citrix Gateway scenario)
|
Client Cipher Set |
VDA Cipher Set |
External Connections with NSG | ||
|
TLS |
DTLS v1.0 |
DTLS v1.2 | ||
|
Open |
Open |
Open | ||
|
ANY |
ANY |
Pass |
Pass |
NS |
|
COM |
Pass |
Pass |
NS | |
|
GOV |
Pass |
NS |
NS | |
|
Note: | ||||
Issue/Introduction
