"Socket Error 10038" when connecting to Linux VDA with SSL

Article ID: CTX238472

Description

After enabling SSL on the Linux VDA, Citrix Workspace app fails to connect and displays the following error:

Unable to connect to the server. Contact your system administrator with the following error: Socket operation on non-socket (Socket Error 10038)

hdx.log contains entries like the following:

2018-09-26 16:16:54.240 <P30103> citrix-ctxhdx: TdCgpRead: Received an unknown packet on Port 443
2018-09-26 16:16:54.240 <P30103> citrix-ctxhdx: TdCgpRead: 0x16  0x03  0x01  0x00
2018-09-26 16:16:54.240 <P30103> citrix-ctxhdx: TdCgpRead: Bad State!! IcaState is 671, pTd is (nil)
2018-09-26 16:16:54.240 <P30103> citrix-ctxhdx: TdHandshakeThread: Handshake failed: CONNECTION_ABORTED, td state: 671

Resolution

Ensure that the server certificate file provided to enable_vdassl.sh contains:
  • The Server Certificate
  • The Unencrypted Private Key
  • The Intermediate Certificates (if applicable)
For example:
# cat /etc/xdl/.sslkeystore/certs/server-certificate.pem
-----BEGIN CERTIFICATE-----
MIIFtDCCBJygAwIBAgITagAAAC/tYAov1PR7pwABAAAALzANBgkqhkiG9w0BAQsF
…
aC5qLjOGOe0iwqJgn4FTRvnIF59YKPa9
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBZarRkNJodsHU
…
GrYPz8Z8OU5FN58vEny9a6XF
-----END PRIVATE KEY-----

Problem Cause

There can be a number of causes of this issue, some of which are:

1. Encrypted Private Key

The server certificate contains an encrypted private key:
/etc/xdl/.sslkeystore/certs/server-certificate.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIj6gr8yDIglQCAggA
…
lak=
-----END ENCRYPTED PRIVATE KEY-----
…

This results in an additional dialogue from Desktop Viewer: 'The connection to "Delivery Group Name" failed with status (Unknown client error 0).'

2. No Private Key

The server certificate contains no private key.

This results in an additional dialogue from Desktop Viewer: 'The connection to "Delivery Group Name" failed with status (Unknown client error 1110).'
When enable_vdassl.sh was run, its output would have included an error message:
Verifying the specified certificate /etc/xdl/.sslkeystore/certs/server-certificate.pem...
unable to load Private Key
140270488938384:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
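
A pre-flight check for the bundle described under Resolution and Problem Cause, as an added example that is not part of the Citrix article or product: it classifies a PEM file by its armor lines only. The function name check_vda_pem and its status strings are assumptions made for this example, and the sample bundle is constructed.

```shell
#!/bin/sh
# Added example (not Citrix code): classify a PEM bundle by its armor lines
# before handing it to enable_vdassl.sh. Key material is never decoded.

check_vda_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "unreadable"; return 2; }

    # grep -c exits 1 on a zero count, so "|| true" keeps this safe under set -e.
    certs=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$pem" || true)
    # Every private-key label: PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
    keys=$(grep -c -E -- '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" || true)
    # PKCS#8 encrypted keys carry their own label ...
    enc_pkcs8=$(grep -c -- '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$pem" || true)
    # ... traditional-format encrypted keys keep the plain label plus this header.
    enc_legacy=$(grep -c -- '^Proc-Type: 4,ENCRYPTED' "$pem" || true)

    if [ "$certs" -eq 0 ]; then
        echo "no-certificate"; return 1
    elif [ "$keys" -eq 0 ]; then
        echo "no-private-key"; return 1          # cause 2 on this page
    elif [ "$enc_pkcs8" -gt 0 ] || [ "$enc_legacy" -gt 0 ]; then
        echo "encrypted-private-key"; return 1   # cause 1 on this page
    fi
    echo "ok certs=$certs"                       # certs > 1: intermediates present
}

# Constructed sample: a bundle shaped like cause 1 (placeholder bodies, not real keys).
demo=$(mktemp)
cat > "$demo" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
EOF
echo "$demo: $(check_vda_pem "$demo" || true)"
rm -f "$demo"
```

Run it against the file before enable_vdassl.sh; a result other than "ok" maps to one of the causes listed above.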