Jump to content
|
Discussions
x
Upvote if you also have this question or find it interesting.
Learn more
  • 0

SSL Error 14: None of the SSL cipher suites offered () were accepted by the server.

Asked by Kari Ruissalo

Kari Ruissalo | 73
Kari Ruissalo
Kari Ruissalo | Enthusiast | 73 | Members | 299 posts
Posted (edited)

Hi,

 

 

I'm getting the error when I try to launch an application:

Quote

Unable to connect to the server. Contact your system administrator with the following error: SSL Error 14: None of the SSL cipher suites offered () were accepted by the server.

 

 

I have built a NetScaler environment for the customer with client certificate authentication. I built a similar setup in my lab and it seems to be working just fine. The main difference seems to be that in my lab I have XenApp 7.8 (2012R2) and the customer is running XenApp 6.5 (2008R2). NetScaler is running version NS12.0 53.13 and Citrix StoreFront is 3.12.1000 (in lab and at the customer).

 

The certificates are issued by an old CA (sha-1) and are using sha1RSA signature algorithm (hash = sha1). In my lab I only have the root CA which issues the certificates but at the customer they have root ca and an intermediate certicate. As far as the certificate authentication goes, the users can log in to the NetScaler Unified Gateway but at the customer environment they're unable to launch applications.

 

As a part of the troubleshooting I have already disabled the TLS1.2 on both the Content Switching vServer as well as on the Gateway. This resolved the original issue and error we were getting.

 

We have also eliminated the following:

  • Browser version (IE11 and Firefox)
  • Citrix Receiver version (4.10.1.22)
  • CipherSuite (we're using hardened version, and tried DEFAULT)
  • Set the CA certificate CRL and OCSP Check to OCSP Optional for all CA certs
  • Removed the Callback URL from the StoreFront configuration as it doesn't seem to be required

 

Any ideas?

 

edit:

 

We have also tried the following commands to disable TLS1.1/1.2 for backend comms, but they didn't have any effect: 

set ssl parameter -montls1112disable yes
set ssl parameter -svctls1112disable yes

We also did a packet capture to see if the problem is caused by the backend communication but it seems that the communications only between Client -> NetScaler and NetScaler -> StoreFront (so there's no traffic for the STA servers in the capture)

Edited by Kari Ruissalo
additional info

Share this post

Link to post

14 answers to this question

14 Replies

Recommended Posts

x
Mark this reply as best answer, if it answered your question.
Learn more
x
Upvote if you found this answer helpful or interesting.
Learn more
x
Mark this reply as best answer, if it answered your question.
Learn more
x
Upvote if you found this answer helpful or interesting.
Learn more
Kari Ruissalo | 73
Kari Ruissalo
Kari Ruissalo | Enthusiast | 73 | Members | 299 posts
Posted
4 minutes ago, siddharthas said:

Issue is during App enumeration or launch ?

 

Direct access to SF and App launch works ?

 

Thanks for answering.

 

Issue is during launch. The StoreFront application view enumerates properly.

 

Direct access to SF and App launch works and the customer also has another internal GW vServer without certificate authentication and that also works.

Share this post

Link to post
x
Mark this reply as best answer, if it answered your question.
Learn more
x
Upvote if you found this answer helpful or interesting.
Learn more
siddharthas | 428
siddharthas
siddharthas | Scholar | 428 | Citrix Employees | 300 posts
Posted

For launch failure with that error, in the trace, you need to look at the SSL handshake post ica file download by the client, that is the SSL handshake between receiver and Gateway, ica will flow on that connection, based on the error you are getting and your observations from trace (nothing towards sta) seems that hanshake failed.

 

In the handshake take a look at the client hello to find the list of ciphers it is proposing and enable at least one of those proposed ciphers (ideally the  strongest one) on the CS VIP / Gateway VIP 

Share this post

Link to post
x
Mark this reply as best answer, if it answered your question.
Learn more
x
Upvote if you found this answer helpful or interesting.
Learn more
Kari Ruissalo | 73
Kari Ruissalo
Kari Ruissalo | Enthusiast | 73 | Members | 299 posts
Posted

Here's the relevant part of the trace:

wireshark.thumb.png.537b6ec4c709a924e77aabd61e137b1c.png

 

.168 IP is the NetScaler CS VIP (GW is behind this one) and .169 is the client. I'm not seeing a failed handshake here?

 

It seems that it's using TLSv1.1, but now that I started thinking of this it might be that the issue is caused by TLSv1.1 (on XenApp 6.5). I'll see if using only TLSv1.0 would resolve this.

Share this post

Link to post
x
Mark this reply as best answer, if it answered your question.
Learn more
x
Upvote if you found this answer helpful or interesting.
Learn more
siddharthas | 428
siddharthas
siddharthas | Scholar | 428 | Citrix Employees | 300 posts
Posted

Actually, you are seeing a SSL handshake failure between 168 and 169. Right Click on Packet#16287 and click follow TCP stream. You will see Client closes the connection packet#17145 and Netscaler reset the connection before ssl handshake could complete Packet#17146.

 

Also, seems client cert auth is enabled, try disabling that to rule it out as a possible cause.

Share this post

Link to post
x
Mark this reply as best answer, if it answered your question.
Learn more
x
Upvote if you found this answer helpful or interesting.
Learn more
Kari Ruissalo | 73
Kari Ruissalo
Kari Ruissalo | Enthusiast | 73 | Members | 299 posts
Posted
1 hour ago, siddharthas said:

Also, seems client cert auth is enabled, try disabling that to rule it out as a possible cause.

 

Yeah. I know the client certificate auth is causing the problem. I'll check if this can be resolved by using only TLSv1. 0.

Share this post

Link to post
x
Mark this reply as best answer, if it answered your question.
Learn more
x
Upvote if you found this answer helpful or interesting.
Learn more
siddharthas | 428
siddharthas
siddharthas | Scholar | 428 | Citrix Employees | 300 posts
Posted
11 hours ago, Kari Ruissalo said:

 

Yeah. I know the client certificate auth is causing the problem. I'll check if this can be resolved by using only TLSv1. 0.

 

Ok ..  so does that mean  if you disable client cert auth on NS Gateway, then app launch works every time ? and Enabling it causes the failure,

I dont see how disabling tls1.1 and forcing tls1.0 would help if the above situation, you may want to open up a support case and share the traces to investigate this behavior.

Share this post

Link to post
x
Mark this reply as best answer, if it answered your question.
Learn more
x
Upvote if you found this answer helpful or interesting.
Learn more
x
Mark this reply as best answer, if it answered your question.
Learn more
x
Upvote if you found this answer helpful or interesting.
Learn more
Raman Kaushik | 820
Raman Kaushik
Raman Kaushik | Master | 820 | Members | 607 posts
Posted

Hi Kari,

 

From the description it seems that the issue is caused by using a CSP that is not compatible with TLS_1.2.

These CSP do not support the SHA256 algorithm required for TLS_1.2 Certificate Verify message.

 

"Microsoft Enhanced Cryptographic Provider" does not support the SHA256 algorithm required for TLS_1.2 Certificate Verify message.

 

You might have to reissue the client certificate, ensuring that the issuing CA uses the "Microsoft Enhanced RSA and AES Cryptographic Provider".

 

If with TLSv1.2 enabled and receiver version lower than 4.2 (i.e 3.x or maybe 4.1) this works, then definitely the issue mentioned in the articles below.

 

 ·        https://support.citrix.com/article/CTX230233

 

·        https://support.citrix.com/article/CTX213953

Share this post

Link to post
x
Mark this reply as best answer, if it answered your question.
Learn more
x
Upvote if you found this answer helpful or interesting.
Learn more
Kari Ruissalo | 73
Kari Ruissalo
Kari Ruissalo | Enthusiast | 73 | Members | 299 posts
Posted
12 minutes ago, Raman Kaushik said:

Hi Kari,

 

From the description it seems that the issue is caused by using a CSP that is not compatible with TLS_1.2.

These CSP do not support the SHA256 algorithm required for TLS_1.2 Certificate Verify message.

 

"Microsoft Enhanced Cryptographic Provider" does not support the SHA256 algorithm required for TLS_1.2 Certificate Verify message.

 

You might have to reissue the client certificate, ensuring that the issuing CA uses the "Microsoft Enhanced RSA and AES Cryptographic Provider".

 

If with TLSv1.2 enabled and receiver version lower than 4.2 (i.e 3.x or maybe 4.1) this works, then definitely the issue mentioned in the articles below.

 

 ·        https://support.citrix.com/article/CTX230233

 

·        https://support.citrix.com/article/CTX213953

 

Well that doesn't explain why it works in my lab environment with similar certificates (also sha-1 and MS CA issued)?

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
TOP
×
×
  • Create New...