Compatibility of NetScaler with TLS 1.1 - 1.2 and Client Authentication with Citrix Receiver
Article ID: CTX217010
Description
- NetScaler Gateway (NG) 11.0 with client certificate (CC) authentication enabled and both TLS 1.1 and TLS 1.2 enabled on the virtual server.
- Citrix Receiver 4.3 or 4.4 installed on the client machine.
- During logon to the Gateway, the browser prompts for a client certificate; logon succeeds and the applications are enumerated from StoreFront 3.x.
- When an application is launched through Receiver 4.3 or 4.4 with ClientCert=Enabled and TLS 1.2 on NG, the following error is displayed: "SSL error 47, an unclassified SSL network error occurred (error code: error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode error)".
- A packet capture shows that the client's Certificate message is empty (length 0) when TLS 1.2 is negotiated; with TLS 1.1 the Certificate message carries 3270 bytes.
- When TLS 1.2 is disabled on NG, both Receiver versions connect and launch applications successfully.
Resolution
The issue is not with NetScaler; it is a problem in the Citrix Receiver software (see Problem Cause and Additional Information below).
Problem Cause
The SSL libraries used by Receiver 4.3/4.4 had issues with client certificate authentication over TLS 1.2.
Additional Information
As per http://docs.citrix.com/en-us/receiver/windows/4-2/receiver-windows-42-about.html, support for TLS 1.2 was introduced in Receiver 4.2; Receiver 4.1 still used TLS 1.0, which is why it kept working.

To resolve the issue in this case, use the "Microsoft Enhanced RSA and AES Cryptographic Provider" for all certificates issued to clients/users in scenarios where TLS 1.2 is enforced by the NetScaler. That provider supports the SHA-2 hash family; the older CAPI providers (for example "Microsoft Enhanced Cryptographic Provider v1.0") do not, and a TLS 1.2 client authentication handshake requires the client to sign the CertificateVerify message with a SHA-2 hash (SHA-256 by default, or another hash from the server's signature_algorithms list). A private key held by a provider that cannot produce such a signature is unusable for TLS 1.2 client authentication, which is consistent with the empty Certificate message seen in the capture. On a Windows client, certutil -user -store My lists each certificate's key container together with a "Provider =" line, so you can check which provider currently holds a user's key before and after the change.

There are two ways to achieve this. The first is to use OpenSSL to set the client certificate's provider name to "Microsoft Enhanced RSA and AES Cryptographic Provider": the -CSP option of openssl pkcs12 -export writes that name into the PFX, and Windows uses it when the PFX is imported. However, this has to be done for every client certificate. The second, and more efficient, method is to reissue the client certificates, ensuring that the issuing CA's template specifies the "Microsoft Enhanced RSA and AES Cryptographic Provider" so that each client's private key is generated under that provider.
Observed behaviour by configuration:
1. Client Auth OFF, TLS 1.2 ==> works; application launch succeeds with all versions of Receiver.
2. Client Auth Mandatory, TLS 1.1/1.0 ==> works; application launch succeeds with all versions of Receiver.
3. Client Auth Mandatory, TLS 1.2 only ==> works only with the older Receiver 3.4; fails with the latest 4.3/4.4.
4. Client Auth Mandatory, TLS 1.0/1.1/1.2 ==> works only with the older Receiver 3.4; fails with the latest 4.3/4.4, because they negotiate TLS 1.2 when it is offered.
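As an added example (not part of the original article, and not Citrix code), the following POSIX shell script shows the first method end to end with OpenSSL: it builds a throwaway test CA and client certificate (constructed data, not real customer certificates), exports them to a PFX whose private-key bag carries the CSP name, and reads the name back out of the PFX so the result can be verified before the file is imported on a client. The CA name, subject, file names and password are assumptions for the demo; the CSP string is the one the article names.

```shell
#!/bin/sh
# Added example: export a client certificate to a PFX that names the
# SHA-2-capable Microsoft CSP, then verify the name was recorded.
# All certificates and names here are constructed for the demo.
set -e

CSP_NAME="Microsoft Enhanced RSA and AES Cryptographic Provider"

# Issue a client certificate from a throwaway test CA in directory $1.
make_test_certs() {
  dir="$1"
  mkdir -p "$dir"
  # Throwaway CA key and self-signed CA certificate (assumed name).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Client CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Client key and CSR (assumed subject).
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=alice@example.invalid" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  # Sign the CSR with the CA, marking the cert for TLS client authentication.
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
}

# Export cert + key (+ CA chain) to $1/client.pfx, tagging the private key
# with CSP name $2 so Windows places the key under that provider on import.
# Usage: export_pfx DIR CSP_NAME PASSWORD
export_pfx() {
  dir="$1"; csp="$2"; pass="$3"
  openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
    -certfile "$dir/ca.crt" -name "Example client" -CSP "$csp" \
    -passout "pass:$pass" -out "$dir/client.pfx"
}

# Print the CSP name recorded in PFX $1 (empty output if none is present).
# The name is a bag attribute on the key bag, shown by "openssl pkcs12 -info".
# Usage: pfx_csp_name PFX PASSWORD
pfx_csp_name() {
  openssl pkcs12 -in "$1" -info -nodes -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^ *Microsoft CSP Name: //p' | head -n 1
}

# Demo run on constructed data in a temporary directory.
work=$(mktemp -d)
make_test_certs "$work"
export_pfx "$work" "$CSP_NAME" "demo-pass"
echo "CSP name recorded in $work/client.pfx: $(pfx_csp_name "$work/client.pfx" demo-pass)"
```

Import the resulting client.pfx into the user's Personal store (for example with certutil -user -importpfx client.pfx) and confirm with certutil -user -store My that the "Provider =" line for that certificate now shows the Enhanced RSA and AES provider. With OpenSSL 3.x the exported PFX is encrypted with AES-256 and PBKDF2 by default; older Windows releases that cannot import such a file need the -legacy option on the export command.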