Modify ciphers used for communication between Citrix Licensing & Citrix Studio

Article ID: CTX559395

Description

Requirement to use a specific set of ciphers for communication between Citrix Licensing and Citrix Studio, because weak ciphers, including SHA1-based ciphers, need to be disabled.

 

Resolution

Everything the license server supports is listed in \c$\Program Files (x86)\Citrix\Licensing\WebServicesForLicensing\Apache\conf\extra\httpd-ssl.conf.
Please note that the client also has a role in which protocols and ciphers get used (client and server handshake).

The protocols and ciphers are chosen by the Licensing SDK; Studio (MMC) uses the PowerShell SDK provided by Licensing to communicate with the license server: https://developer-docs.citrix.com/projects/citrix-virtual-apps-desktops-sdk/en/1808/Licensing/about_LicLicensingAdminSnapin/

The client and the server negotiate which cipher is used during the handshake. On the configuration side, the license server only defines which ciphers must not be used. The configuration item "SSLCipherSuite ALL:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4:!EXP:!CAMELLIA:!DH:!3DES" lists the low-strength ciphers and ciphers with 128-bit encryption that should not be used.

You can specify these ciphers in the file c:\Program Files (x86)\Citrix\Licensing\WebServicesForLicensing\Apache\conf\extra\httpd-ssl.conf

Example: 
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4:!EXP:!CAMELLIA:!DH:!3DES:!SHA1

If you are using older Citrix versions, including 1912, you may see an error in Studio after making these changes:

Upgrading the Licensing Admin PowerShell snap-in on all machines running Studio fixes the issue.

Install the Citrix Licensing PowerShell snap-in (LicensingAdmin_PowerShellSnapIn_x64.msi), found on the XenDesktop installation media from 2203, on the Studio machines of your older site (for example, 1912).
Once installed, launch Studio again; the licenses should now be visible in the Studio console.

LicensingAdmin_PowerShellSnapIn_x64.msi is the PowerShell SDK for license server management; it provides the PowerShell cmdlets for license management, and Studio calls those cmdlets to communicate with the license server.
When this snap-in is upgraded, the latest PowerShell cmdlets are used to communicate with the license server, which is why the upgrade fixes the issue.

The PowerShell SDK is effectively a PowerShell-to-SOAP (HTTPS) interface. The HTTPS parts use OpenSSL and/or SSLSDK to talk HTTPS back to the license server; that is the component that needs to understand the ciphers and protocols supported by the license server.
The SDK update refreshes the supported list of ciphers.

Please note:
Citrix will not remove any of the ciphers listed here, because doing so can break backward compatibility with older Studio and Director integrations.
Customers can make changes like the one suggested above if they wish. It will not affect the license server's ability to serve licenses, but it could affect Studio or Director integrations. Citrix tries to strike a balance between supporting the widest range of Citrix product versions and security.


Problem Cause

General Query

Issue/Introduction

The customer would like to know the exact ciphers used for communication between Citrix Licensing and Citrix Studio. Their own customer has asked them to disable the weak ciphers in use, including the SHA1 family, which are probably the ones used between Citrix Studio and the license server; if those are disabled, the communication breaks. The customer therefore wants to know the following: exactly which cipher is used for this communication, how to check this, and which ciphers the Citrix 1912 LTSR base version supports from both the client and server perspective (the client being Citrix Studio and the server being the license server).
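The following Python example is added here and is not part of the original article or of any Citrix tooling. It serves two passages: the SSLCipherSuite strings in the Resolution section (it feeds each string to the local OpenSSL through Python's ssl module, which is the same cipher-list syntax Apache hands to OpenSSL, and flags every suite whose MAC is HMAC-SHA1), and the question above of how to check which cipher is actually used (it opens one diagnostic TLS handshake and reports the negotiated protocol and suite). The host name, the port 8083 and the cafile parameter are assumptions; the expansion reflects the OpenSSL build Python links against, which may differ from the one bundled with the license server's Apache.

```python
import socket
import ssl

# The two SSLCipherSuite values discussed in the article, in OpenSSL cipher-list syntax.
SHIPPED = "ALL:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4:!EXP:!CAMELLIA:!DH:!3DES"
HARDENED = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:"
    "!MEDIUM:!LOW:!aNULL:!eNULL:!RC4:!EXP:!CAMELLIA:!DH:!3DES:!SHA1"
)


def expand_cipher_string(cipher_string):
    """Return the suite names OpenSSL enables for a cipher-list string.

    Apache passes the SSLCipherSuite value to OpenSSL unchanged, so this is the
    same expansion the license server's Apache performs, modulo differences
    between this OpenSSL build and the one bundled with the license server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite survives the filters
    return [suite["name"] for suite in ctx.get_ciphers()]


def sha1_mac_ciphers(names):
    """Pick out suites whose record MAC is HMAC-SHA1.

    In OpenSSL naming these end in a bare '-SHA'; SHA256/SHA384 suffixes denote
    the SHA-2 family, which the '!SHA1' exclusion is meant to keep.
    """
    return [name for name in names if name.endswith("-SHA")]


def negotiated_cipher(host, port=8083, cafile=None, timeout=5.0):
    """Perform one TLS handshake and report what the server actually negotiated.

    host and port are assumptions for illustration (8083 is assumed here to be
    the Web Services for Licensing port). Pass cafile to verify the server
    certificate; without it, verification is switched off, which is acceptable
    only for this read-only diagnostic and never for a production client.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": name, "bits": bits}


def report(label, cipher_string):
    """Print the expansion of one cipher string, marking HMAC-SHA1 suites."""
    names = expand_cipher_string(cipher_string)
    weak = sha1_mac_ciphers(names)
    print(f"{label}: {len(names)} suites enabled, {len(weak)} with HMAC-SHA1")
    for name in names:
        flag = "  <-- SHA1 MAC" if name in weak else ""
        print(f"  {name}{flag}")


if __name__ == "__main__":
    report("Shipped SSLCipherSuite", SHIPPED)
    report("Hardened SSLCipherSuite", HARDENED)
    # Point this at a real license server (assumed host name) to see the live negotiation:
    # print(negotiated_cipher("licenseserver.example.internal"))
```

Running the expansion on an OpenSSL 1.1 or 3.x build shows two things worth knowing before editing httpd-ssl.conf: the shipped string still enables a number of HMAC-SHA1 suites (the "-SHA" names), which is exactly what the customer was asked to remove, and the hardened string's "!DH" exclusion also drops the DHE-RSA-AES256-GCM-SHA384 entry it lists, because OpenSSL's DH alias covers ephemeral as well as fixed DH. What remains are the ECDHE suites (plus the TLS 1.3 suites, which the cipher list does not govern), so any client that cannot do ECDHE will fail the handshake; checking a client with negotiated_cipher() before and after the change is the quickest way to confirm that Studio's SDK still connects.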