Wednesday, March 18, 2015

Citrix and SHA2

SHA2 and why do I care?

Time to update those statements of support for your users and customers. With the move to the more secure SHA2 certificate signature algorithm, things are breaking all over the place. First off, Microsoft and the cert powers that be have declared that certs that expire on or after 1/1/17 must be SHA2. So if you are picking up a new cert with a 2 year life, it will be SHA2. What does that mean to me, you ask?

Web Interface:

I know you've been putting off that Storefront migration, but it is time to get it on the books.  You can buy some time if you offload SSL (and your cert) to your Netscaler or other load balancer of choice.

Secure Gateway

It's time to put your SG out of its misery. Netscaler VPX is your go-to replacement.

11.x and older Citrix Client

If it connects via SSL, you need to upgrade. If your OS is Vista or later, download and install the latest Citrix client. If you have an older OS, first, shame on you. Second, the last of the 12.x clients is what you want. Modern clients are not tested on XP and can be rather inconsistent.

If you are a thin client shop and you protect your connections via SSL, it's time to update that firmware if you can. I haven't found a lot of vendor "statement of support" type documents, but if your Linux or Windows TCs run a modern OS (Vista+) and a Receiver in the 12.x range, you should be ok. The various vendors with "ThinOS" products will need to either declare support or issue updated firmware.

Other Gotchas

Citrix will tell you that you can get a cert today with the old SHA1 and run with your legacy stuff a while longer, which is true but with a massive caveat. For the older clients to work, your entire certificate chain must be SHA1. If your cert and the root cert are SHA1 but an intermediate cert is SHA2, it is not going to work. I have seen this and it is not pretty. The name of the cert listed in the error will be the first cert in your chain that is SHA2.

Error Text:
Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix Xenapp server. SSL Error 61: You have chosen not to trust "<CERTNAME>", the issue of this server's security certificate.
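To find out ahead of time which cert an old client is going to name in that error, here is an added Python check (not the post's own code and not a Citrix tool) that reads the signatureAlgorithm OID out of each DER-encoded certificate in a chain and reports the first one not signed with SHA-1. The chain it runs against is constructed for the example, and the `fake_cert` certs only mimic the outer X.509 layout.

```python
import base64

# Signature-algorithm OIDs -> names (enough to tell SHA-1 from SHA-2 signatures)
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.10045.4.1": "ecdsa-with-SHA1",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _tlv(buf, pos):                                 # one DER tag+length -> (tag, start, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                               # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, start, _ = _tlv(der, 0)                      # outer SEQUENCE
    _, _, tbs_end = _tlv(der, start)                # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)            # AlgorithmIdentifier SEQUENCE
    tag, o_start, o_end = _tlv(der, alg_start)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    oid = _decode_oid(der[o_start:o_end])
    return SIG_ALGS.get(oid, oid)                   # unknown OID is returned as dotted text

def first_sha2_in_chain(chain):
    """chain = [(label, der), ...] server cert first; returns (label, alg) of the first
    non-SHA-1 signature, i.e. the name SSL Error 61 shows, or None if all are SHA-1."""
    for label, der in chain:
        alg = signature_algorithm(der)
        if "sha1" not in alg.lower():
            return label, alg
    return None

def fake_cert(sig_oid_hex):                         # constructed stand-in, not a real cert
    der = lambda tag, body: bytes([tag, len(body)]) + body
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + der(0x05, b""))
    return der(0x30, der(0x30, der(0x02, b"\x01")) + alg + der(0x03, b"\x00" * 9))

# Constructed chain with the post's gotcha: SHA-1 server and root certs, SHA-2 intermediate
SAMPLE_CHAIN = [("CN=xenapp.example.test", fake_cert("2a864886f70d010105")),      # sha1WithRSA
                ("CN=Example Intermediate CA", fake_cert("2a864886f70d01010b")),  # sha256WithRSA
                ("CN=Example Root CA", fake_cert("2a864886f70d010105"))]
```

For a real chain, feed in the DER of each PEM block from `openssl s_client -showcerts` (`base64.b64decode` of the text between the BEGIN and END lines), server cert first.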

Happy Certing..