Storefront unable to communicate with Delivery controllers over HTTPS.

Article ID: CTX338545

Description

SSL error recorded in the StoreFront event logs (screenshot image.png not reproduced here).

Resolution

  • Since the StoreFront server was running Server 2012 and the 1912 deployment uses only ECDHE cipher suites, the cipher suite order policy on the StoreFront server was adjusted to place the ECDHE suites at the top.

Order set in the policy on SF and DDC:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • After setting the ECDHE cipher order, the SSL handshake still failed with a certificate error because no cipher suite could be selected.
The ECDHE and ECC cipher details were checked against the RFCs: ECDSA and ECDHE cipher suites over ECC curves rely on a digital signature, so "Digital Signature" must be present in the Key Usage extension of the certificate used on the DDC.

Reference:
https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
which extends to https://www.rfc-editor.org/rfc/rfc5480#section-3
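As an added check (example code written for this article, not Citrix's own tooling), the following Python decodes a certificate's Key Usage extension using the RFC 5280 section 4.2.1.3 bit layout and reports which suites from the cipher order above a DDC certificate can actually serve; the DER values are constructed samples, not taken from a real certificate.

```python
# Added example, not from the Citrix article: decode a certificate's KeyUsage
# extension (RFC 5280 section 4.2.1.3) and check which suites in the StoreFront
# cipher order the DDC certificate can serve. DER values are constructed samples.

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]  # ASN.1 bit order, bit 0 first

POLICY_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]


def parse_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING (tag 0x03) into its named bits."""
    if (len(der) < 3 or der[0] != 0x03 or der[1] & 0x80
            or len(der) != 2 + der[1] or der[2] > 7):
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    valid_bits = len(body) * 8 - unused  # trailing unused bits are padding
    usages = set()
    for index, name in enumerate(KEY_USAGE_BITS[:valid_bits]):
        byte_pos, bit_pos = divmod(index, 8)
        if body[byte_pos] & (0x80 >> bit_pos):  # bit 0 is the MSB of byte 0
            usages.add(name)
    return usages


def required_key_usage(suite: str) -> str:
    """ECDHE suites sign the ephemeral key exchange with the certificate key
    (digitalSignature); static RSA suites encrypt the premaster secret with it."""
    if suite.startswith(("TLS_ECDHE_RSA_", "TLS_ECDHE_ECDSA_")):
        return "digitalSignature"
    if suite.startswith("TLS_RSA_"):
        return "keyEncipherment"
    raise ValueError("unsupported suite " + suite)


def negotiable_suites(policy_order, key_usages):
    """Suites, in policy order, that the certificate's key usage permits."""
    return [s for s in policy_order if required_key_usage(s) in key_usages]


# Constructed: 0xa0 with 5 unused bits = digitalSignature + keyEncipherment
GOOD_KEY_USAGE = bytes.fromhex("030205a0")
# Constructed: 0x20 = keyEncipherment only, so no ECDHE suite can be selected
BAD_KEY_USAGE = bytes.fromhex("03020520")
```

With the second sample the ECDHE list comes back empty, which is the "cipher spec could not be selected" condition described above.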

Problem Cause

Incorrect cipher suite order on StoreFront and a missing "Digital Signature" key usage on the certificate used by the DDC.

Additional Information

https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
https://www.rfc-editor.org/rfc/rfc5480#section-3