Citrix Workspace App GlobalSign Root CA post upgrade to Catalina Beta


  • 3

So to summarise the issues: 

 

  • TejusAdigaM incorrectly believes that the issue is not related to the Citrix workspace app for Mac, despite the fact that the issue is not present on the equivalent apps on iOS and Google Chrome
  • Citrix appears to have a general policy of not providing beta versions of their app in order to facilitate user testing on beta versions of operating systems, which kind of defeats the purpose of OS vendors releasing beta versions: so that developers can get their apps working in time for the official OS release 
  • The most recent update (1906, released July 8th 2019) has not been notarised by Citrix, which prevents the app from bypassing Gatekeeper checks on all versions of macOS since 10.14.5
  • The release notes on the 1906 update page aren't actually release notes for version 1906, they point to a piece of PR last updated in April 2019

 

All that aside, it's going really well. 

 

  • Like 3
Link to comment
  • 3
5 hours ago, Gregory Bastug said:

Doesn't work for me with .ica files from Morgan Stanley... same error, different trust certificate - USERTrust

 

 

Try this as Workaround, set the Cryptomodule from FIPS to Standard:

 

I have the same problem, but not yet found out what the problem is. 

 

crypto_stdpng.png

  • Like 3
Link to comment
  • 2
20 hours ago, Tejus Adiga M said:

Hi pacmanNL,

 

Citrix does not support Beta versions of macOS. However, when macOS Catalina is released, we will be having a compatible version of CWA mac that supports macOS Catalina.

 

Tejus

 

Thanks for your response, but I wasn't asking for support. I get the nature of betas, but this is a discussion forum where I am free to post an issue maybe someone else has had and there is a known workaround. But it is a known issue I have and it's reproducible.

 

On the other beta iOS 13 and iPadOS versions I am not having the issue; it's unique to Catalina.

 

 

  • Like 2
Link to comment
  • 2
9 hours ago, Jeff Schaffer said:

I am also having this same problem. And I use my Macbook Pro to connect to my work. It is critical usage. Hospital and patient care.

So your response that we do not support beta software is pretty callous and basically blows off your clientele. If Apple has a beta version, then I am sure they expect their 3rd parties to follow suit.

 

Jschaff - if you have Chrome browser you can use the Citrix Workspace extension - it worked for me (a little laggy though)

https://chrome.google.com/webstore/detail/citrix-workspace/haiffjcadagjlijoggckpgfnoeiflnem

Hope to see a new release/beta release of Citrix Workspace soon with Catalina support.

  • Like 2
Link to comment
  • 2

Well, it's 2 months till release and no update here. Pretty disappointing.

It affects certificates that 100% comply with Apple rules. All browsers are able to verify the certificate chain and Workspace still doesn't work.

Kind of defeats the purpose of beta testing. Service providers building their solutions on top of Citrix products must have some time for testing before release and we start running out of time pretty soon.

  • Like 2
Link to comment
  • 2
58 minutes ago, Arvind SankaraSubramanian said:

We will continue to do the same by releasing a new version of Citrix Workspace app for Mac that supports macOS Catalina that will coincide with release date of macOS Catalina. 

Having a beta is a great step forward, however I'm concerned that you still don't get it. Using proper security certificates is not a feature of Catalina- it works on all operating systems and there is no reason why users should be deprived of modern security simply to wait for an arbitrary release date. You should be shipping proper security as soon as you are able without regard to Apple's schedule. 

  • Like 2
Link to comment
  • 2

Right, let's flip this on its head. Here's your (Citrix's) GA feature availability matrix for Receiver / Workspace (including Mac): https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-workspace-app-feature-matrix.pdf?_ga=2.18168633.103060667.1566411595-1920900594.1564131053

 

Let me draw your attention to the section where it says: 'Mac 1906 - Supported OS version: 10.11 and above'. Now unless you want to go full legal on us and claim that under Mac you are referring to PowerPC, there's really no two ways about it: any release that comes out should support 10.11 and ABOVE. Why is it not supporting the latest? You may say you don't develop for betas, but we didn't ask you to. We simply want a version that works on X and above. Are you saying that even though you claim in your supported versions that it works, you won't future-proof your in-house developed applications? Why say above? You obviously did not test it on above, hence the thread.

 

See, the problem is that you expect paying users to be patient, but you're running an enterprise. No one has to be patient. Everyone already paid up. And what's even worse is that everyone WAS actually patient. People waited months before even politely suggesting that maybe you should start work on a newer version.

 

I think that's food for thought. On a different note, however, I investigated more and I can say with almost complete certainty that it won't be the SHA1 issue. G2 signs for SHA256, so it should not be a SHA1 problem (https://knowledge.digicert.com/generalinformation/digicert-root-compatibility.html). Interestingly, DigiCert is running a test site for each of their certs, so I opened this in Safari as that's using the MacOS trust store (and not its own like Chrome) and it does show up as trusted since I've imported the G2 and the old Root CA.

 

So that confused me, as that should mean that apps should be trusting it too. However researching the error more I found this old article: https://support.citrix.com/article/CTX224709. I followed it and it does seem to be accurate for our problems. I have problems with DigiCert, others get messages from other CAs, meaning it's not the Citrix built-in trust and cert, but each organisation's NetScaler enterprise gateway in front of the Citrix cluster. The article says to compare each cert down the chain, starting from the root, going intermediary and then the actual client cert. I did that, but I can't make sense of it as it trusts them all in both Chrome and Safari, based on the imported G2, however the app is still saying I chose not to trust it.

 

To be completely blunt, I don't see how this wouldn't be the app's fault. Everything else is trusting it (like they should) and it's still popping with a trust issue. We also have the backing evidence of this still working on the previous MacOS, so it can't be that everyone's NetScaler certs suddenly became invalid simultaneously. I have a feeling though, that the NetScaler may be doing something dodgy for everyone when it comes to the handshakes and Catalina's new requirements (e.g. downgrading or using an older cipher suite), so potentially a network dump may be required. I'll come back around when I find out more.

 

Oh yeah, to answer your question:

1 hour ago, Christopher Orlandella said:

Anyone else receive the email ? 

 

Really looking to get back to working correctly and not on the chrome light version.

 

Marco.........

No, I don't think anyone got it, and I think I know why: https://docs.citrix.com/en-us/citrix-workspace-app/release-timelines.html

Target release Mac Workspace app - Aug 16-31. So nevermind the EAR, they have 10 days left to release a new GA version... I'm calling it now, the EAR form is just their attempt to stall this.

  • Like 2
Link to comment
  • 2
4 hours ago, George Culainn said:

Alright, so I think we need to steer this back to the real topic - why this particular version isn't working with Catalina. I concur on the NetScaler cert issue, but keep in mind we followed the documentation (details in my previous post) that's Citrix's old way of fixing this issue to get the certs trusted. Everything else (browsers, etc.) actually trust them too after that in Catalina. Except for CX Workspace/Receiver. The warning only comes up in the app, nothing else says it's not trusted. Then you need to compare to Mojave / Sierra, where the 1906 release is still working fine with the SAME netscaler certs. And then you also need to compare with some people's feedback in this thread that the Catalina EAR fixed the issue for them. So I think there's sufficient evidence that the issue is coming from the app code and not from the OS functionality changes. To rephrase the complaint, I'd say Citrix hard-defined trusts in the app code as nothing we do on the OS level affects how the app sees the cert (potentially hard-linking to the built-in trust store, disregarding user imported CAs). SHA1 isn't an issue from what I can see (at least not to the company I work with) as the DigiCert CA signed with SHA256.

 

I'd propose to ask a different question: why don't we have the EAR links? Why are only some people getting it when it's affecting everyone? Is it too much to ask after 3 months to get a workaround for this?

Agreed, the app-specific cert trust model has always seemed a bit odd.  However, macOS 10.14 works fine.  I don't see how some people's vitriol helps, when they have chosen to run an Apple beta.  Glad they're not looking after my production environment.  Betas are for finding issues, we've all found an issue.  BAU.  

  • Like 2
Link to comment
  • 2
1 minute ago, Nathan Shaw said:

Don’t forget whose beta this is.  Apple’s.  It is Apple’s beta that has triggered this issue.  Citrix Workspace continues to work on all my production Apple systems.  

No, Apple's beta did not trigger this issue. That's nonsense. The Citrix app has been flawed for years. Apple simply changed the failure behavior from opening in an insecure state (which you gleefully accept) to not opening which is entirely reasonable. It's Citrix's job, not Apple's, to write their own code that conforms to modern standards. If they had done so, their app would run fine in Catalina just like 99% of the software out there. 

  • Like 2
Link to comment
  • 1

From a very non technical perspective it looks like the solution would be fairly simple. Citrix needs to issue an updated Root Certificate that complies with the newest security protocols required by Mac OS Catalina. This same thing happened before and the solution was the same one.

  • Like 1
Link to comment
  • 1
On 6/20/2019 at 2:43 AM, Mark Lajer said:

 

Jschaff - if you have Chrome browser you can use the Citrix Workspace extension - it worked for me (a little laggy though)

https://chrome.google.com/webstore/detail/citrix-workspace/haiffjcadagjlijoggckpgfnoeiflnem

Hope to see a new release/beta release of Citrix Workspace soon with Catalina support.

I was able to use the web version of Workspace using Safari.

  • Like 1
Link to comment
  • 1

Hi,

 

The certificate issue on Catalina has nothing to do with Citrix Workspace app for macOS. Citrix does not issue these certificates. 

To resolve the issue kindly ask your Administrator to get the new set of Certificates from your respective Certificate provider. These newly generated certificates must follow Apple guidelines as mentioned in https://support.apple.com/en-in/HT210176.

 

 

  • Like 1
Link to comment
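An added example, not part of any post in this thread and not Citrix or Apple code: a small Python check of a gateway certificate against the requirements in the Apple article linked in the post above (HT210176), run over `openssl x509 -noout -text` output. The two certificate dumps and the host name gateway.example.com are constructed, and the rule list is this example's own summary of that article.

```python
import re
from datetime import datetime

# Constructed samples: trimmed `openssl x509 -noout -text` dumps for a
# hypothetical gateway certificate (not taken from the thread).
SAMPLE_BAD = """\
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Aug  1 00:00:00 2019 GMT
            Not After : Aug  1 00:00:00 2022 GMT
        Subject: CN = gateway.example.com
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
SAMPLE_GOOD = """\
    Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Aug  1 00:00:00 2019 GMT
            Not After : Aug  1 00:00:00 2021 GMT
        Subject: CN = gateway.example.com
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:gateway.example.com
"""

CUTOFF = datetime(2019, 7, 1)  # extra rules apply to certs issued after this

def _date(text, label):
    # openssl pads single-digit days with two spaces; normalise before parsing
    m = re.search(label + r"\s*:\s*(.+?) GMT", text)
    return datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y")

def catalina_findings(text):
    """Return the list of rule violations found in one certificate dump."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    if not re.search(r"sha(224|256|384|512)", sig, re.I):
        findings.append("signature hash is not SHA-2: " + sig)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if "rsaEncryption" in text and bits and int(bits.group(1)) < 2048:
        findings.append("RSA key below 2048 bits")
    if not re.search(r"Subject Alternative Name:.*\n\s*.*DNS:", text):
        findings.append("no DNS name in subjectAltName (CN alone is ignored)")
    start, end = _date(text, "Not Before"), _date(text, "Not After")
    if start > CUTOFF:
        if "TLS Web Server Authentication" not in text:
            findings.append("missing serverAuth extended key usage")
        if (end - start).days > 825:
            findings.append("validity longer than 825 days")
    return findings

if __name__ == "__main__":
    for name, dump in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, catalina_findings(dump))
```

Run it over the text dump of each certificate the gateway presents; an empty list means none of these rules accounts for the trust error.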
  • 1
On 10/07/2019 at 6:49 AM, Tejus Adiga M said:

Hi,

 

The certificate issue on Catalina has nothing to do with Citrix Workspace app for macOS. Citrix does not issue these certificates. 

To resolve the issue kindly ask your Administrator to get the new set of Certificates from your respective Certificate provider. These newly generated certificates must follow Apple guidelines as mentioned in https://support.apple.com/en-in/HT210176.

 

 

This is incorrect on multiple levels:

1. The issue only has to do with the workspace app, as many other apps operate fine regardless of the upgrade, it's this specific app that's affected

2. Citrix doesn't issue the certificates, but no one said they do? Citrix, however, is requesting the certificates so it's their responsibility to ensure that the CA that signs for their cert is trusted by the OS. They should regularly check whether a CA is being deprecated or expiring in MacOS.

3. Obtaining 'new set of certificates' solves nothing (disregarding the fact that the G2 Citrix is using to sign the app is superseded by the G3). Even when manually importing the G2 signing CAs, the app is still flagging them to be untrusted. Please read the issue descriptions before coming back with a proposition.

4. Why tell people what guidelines define how certs should be generated? Do you think the people reporting this issue can generate a new cert for the Citrix app? There is no control people outside Citrix have on which certs are used in the app and how.

 

In all likelihood the issue stems from Apple's choice to deprecate SHA1 (https://www.macrumors.com/2019/06/06/apple-deprecates-sha1-macos-catalina-ios-13/) and the Citrix app certs being SHA1. The app certs will need to be recreated using a SHA2 signing method *by Citrix*. Consumers have no way to fix this for Citrix.

 

The only workaround for now is to use OS-es and devices that still support TLS over SHA1 cyphers. Take a look at this to understand why: https://en.wikipedia.org/wiki/SHA-1#Attacks

 

I recommend to make the feedback constructive next time as this type of communication just makes the company appear amateurish.

  • Like 1
Link to comment
  • 1
4 hours ago, Mark Lajer said:

Status:
Citrix won't release new versions for macOS betas. They only start working on a new release once the new version is GM:69_zzz:. Which is most likely 1-2 weeks before release..

Will NOT recommend using Citrix for any of our customers in future.. :49_triumph:

You're too kind. This isn't about releasing versions for the betas, it's about releasing versions for the actual release. It's not like this is some bug in the beta that we want them to work around for us that Apple might fix in a later beta. This is a conscious decision by Apple to require decent security in the Catalina release version. Why would Citrix want to postpone using modern security certificates? If they cared about security as much as they tell their customers they do they'd already be using the latest and this would never have happened. Instead, they are going to wait until Catalina ships and it starts causing problems for end users...

  • Like 1
Link to comment
  • 1

Hi Everyone, 

 

Citrix has been traditionally supporting new macOS versions with Citrix Receiver/Citrix Workspace app from day zero of macOS' general availability. We will continue to do the same by releasing a new version of Citrix Workspace app for Mac that supports macOS Catalina that will coincide with release date of macOS Catalina. 

 

However, Citrix is aware of the issues and has been working actively on the recent changes in macOS Catalina with respect to new Apple Policies.

 

In this regard, Citrix is targeting an Early Access Release (EAR)(beta) that will install & function on macOS Catalina Beta for customers to verify and provide us feedback. 

 

You can sign up for EAR program at https://podio.com/webforms/15680558/1051209,

You will be added to the email list for EAR notifications.

Note: You should trust/Mark as Known Sender the following email address -  Citrix_Systems@mail.vresp.com. 

 

We will update this forum as soon as we have an update on the Early Access Release.

 

Thanks

  • Like 1
Link to comment
  • 1
On 8/12/2019 at 11:42 PM, Arvind SankaraSubramanian said:

Hi Everyone, 

 

Citrix has been traditionally supporting new macOS versions with Citrix Receiver/Citrix Workspace app from day zero of macOS' general availability. We will continue to do the same by releasing a new version of Citrix Workspace app for Mac that supports macOS Catalina that will coincide with release date of macOS Catalina. 

 

However, Citrix is aware of the issues and has been working actively on the recent changes in macOS Catalina with respect to new Apple Policies.

 

In this regard, Citrix is targeting an Early Access Release (EAR)(beta) that will install & function on macOS Catalina Beta for customers to verify and provide us feedback. 

 

You can sign up for EAR program at https://podio.com/webforms/15680558/1051209,

You will be added to the email list for EAR notifications.

Note: You should trust/Mark as Known Sender the following email address -  Citrix_Systems@mail.vresp.com. 

 

We will update this forum as soon as we have an update on the Early Access Release.

 

Thanks

 

So when is this happening? I have not received any information on how to participate or activate a beta. Thanks in advance.

  • Like 1
Link to comment
  • 1
1 hour ago, Gus Galeano said:

 

So when is this happening? I have not received any information on how to participate or activate a beta. Thanks in advance.

You can sign up but I haven’t actually gotten any software. 
 

I would suggest not thanking them in advance. Doing so suggests that it can be taken for granted that they will help their customers and keep their software working. The fact that they need Apple to tell them to use the proper certificates says otherwise. 

  • Like 1
Link to comment
  • 1
6 hours ago, Sacha Thomet1709152826 said:

please be a bit patient, I can say from a very secure source that they are near to release a first working EAR for this. 

I'm not allowed to explain more. But wait is over very soon... ;-) 

Patience would be totally appropriate if this was just a bug or whatever. But the fact is, Citrix has been using obsolete, insecure certificates for years and would gleefully be doing it forever if it weren't for Apple. That's right, users have to rely on Apple to sort Citrix out because Citrix itself couldn't care less about security. That's unfortunate. And it's been going on for years. So patience isn't warranted. 

  • Like 1
Link to comment
  • 1
51 minutes ago, Sacha Thomet1709152826 said:

 

This thread is about the Problem that CWA is not working on Catalina Beta. I'm not working for Citrix. I don't know why you quote my post and attack Citrix in it.
In my case, the Cert which was mentioned in the Error message that the Cert is "not trusted" was not issued or placed by Citrix. The message that the Cert is not ok was not correct, that was the Bug imho.  I don't agree that Citrix  couldn't care less about security. This forum is to help each other, and my post from yesterday should be an info that there is  light at the end of the tunnel... 

I'm happy to hear that you believe Citrix will fix this soon. That's good news. However, anyone who has the option should move away from Citrix. We want software providers who care about security enough to proactively use the latest standards. Citrix should not have been sitting around waiting for Apple to school them. They also should not be saving this fix up for when Catalina releases- it's not like we're talking about Dark Mode support or some other Catalina specific feature. Using obsolete security is a risk on all versions of macOS and should be dealt with ASAP.

  • Like 1
Link to comment
