Mac Users getting 'The remote SSL peer sent a handshake failure alert' on Citrix Access Gateway following SSL Cert renewal

Hi all

Yesterday, the client's SSL cert on their Citrix Access Gateway 2010 (physical) expired. They had already renewed the cert (Network Solutions LLC); it had been installed and was valid from the 5th October. Yesterday evening they cut over to the new cert.
Most users have managed to log in fine. Some Windows users received the error:
Cannot connect to the Citrix XenApp server.SSL Error 61: You have not chosen to trust  "Network Solutions DV Server CA 2" The issuer of the server's security certificate.
That was resolved by installing the latest version of the Citrix Receiver.

I have one Mac user (using OSX 10.10.3 - Yosemite) who had the same error:
Cannot connect to the Citrix XenApp server.SSL Error 61: You have not chosen to trust  "Network Solutions DV Server CA 2" The issuer of the server's security certificate.
so they upgraded to the latest version of Citrix Receiver for Mac, but now they are getting this error:
[screenshot: 1.JPG]
I found a suggestion that talked about the level of encryption on the CAG being set to AES and that setting it to RC4 was the resolution to this new error, but the encryption is already set to RC4.

Any ideas here folks?

Mark Galvin, Managing Director / Principal Consultant, asked:
Tony Johncock, Lead Technical Architect, commented:
Can you enable logging on the receiver and post the details here?

Instructions on enabling logging are here.
Tony Johncock, Lead Technical Architect, commented:
I also found one reference that suggested SSLv3 might be configured on the CAG as opposed to TLS.

Source here.

Brian Murphy, IT Architect, commented:
For Mac and some Windows clients you must export the key, or take your completed CSR request (which is a .CER) and export it with the private key to a .PFX file.

Those must be imported on the machines.

If the certificate chain is unknown, it requires you obtain the Intermediate and root CA certificate chain from the vendor that supplied the certificate and import those into the local machine store - Trusted Intermediate, and Trusted Root CA's.

On the Mac, if I'm not mistaken, you must place the CA, FQDN.CER, and Private.key in a local directory.

Mark Galvin, Managing Director / Principal Consultant (Author), commented:
Hi Brian

The SSL cert is in CRT format. How can I add that to a Windows PC and then export it to PFX?

I have downloaded the four CRT files that came from Network Solutions and installed all four on the Mac. It still gives the error.
Tony Johncock, Lead Technical Architect, commented:
...and my responses? Not sure why you've completely ignored me.

Log files will help as we will be able to determine the _exact_ error.
Mark Galvin, Managing Director / Principal Consultant (Author), commented:

2015-10-08 14:57:53.073 ThreadID:       1       +Gen_Utilities::GetClientName()
2015-10-08 14:57:53.074 ThreadID:       1       -Gen_Utilities::GetClientName(MacMini)
2015-10-08 14:57:53.189 ThreadID:       1       +Gen_Utilities::GetClientName()
2015-10-08 14:57:53.189 ThreadID:       1       -Gen_Utilities::GetClientName(MacMini)
I enabled the Authentication Manager logs, but the log file was not created.

I have logged a support ticket with Citrix.

Brian Murphy, IT Architect, commented:
CRT format is correct for Mac.  CRT format is used by Apache and other non-Windows systems.

CRT does not have the private key but you should not need it.

Network Solutions does not give you an option to download as .CER or x509 Format?

Choose X509, copy that long hash to a text file on Windows, and rename the .TXT to .CER.

I know it sounds too easy but it really is that easy.
Brian Murphy, IT Architect, commented:
So on Windows, you change the extension to .CER.  

Now, it is contingent on your browser.

Firefox and Google do not use Microsoft Crypto API.  Only Internet Explorer.

And if you use "Auto" for import process it will end up in user store not machine store.

If you open certmgr.msc it opens in User Context.

You have to open MMC.exe (Start - Run - MMC.exe)

Add Snapin
Add Certificates
Local Machine
Left Pane - Expand Personal
Certificates (under Personal)
Right click and choose "Import...."
This is where you import the x509 (CER) FQDN certificate

Left Pane - Intermediate Certificate Authorities
Right click and choose "Import...."
This is where you import the x509 (CER) Intermediate CA

Left Pane - Trusted Root Authorities
Right click and choose "Import...."
This is where you import the x509 (CER) Trusted Root Authorities

If using Firefox, same methodology using Options
Same for Chrome

In IE, after import, Internet Options, Clear SSL Cache

That will take care of Windows

Not sure what you mean by "Install" on MAC

It has been some time since I used a Mac, but the way it worked, as documented in the ICA Client documentation, was to have the CRT files in a specific directory.  Flat files.
Tony Johncock, Lead Technical Architect, commented:
Think you've missed a trick here? The OP has problems only with the Mac version of the Receiver.

Just thinking about the error - historically, error 61 was an untrusted certificate.

Since this is a new cert - are the root and intermediate certificates installed onto OSX?
Tony Johncock, Lead Technical Architect, commented:
It would appear that the root and intermediates are available here, but thanks to how our Websense is configured on this site I am unable to go further into their site to verify.
Brian Murphy, IT Architect, commented:
Yeah, as I read back over it, it appears to be Mac only.

I'm not sure what "install" refers to.  The last time I used a Mac it required the flat files in a directory and a .ini file from the Citrix Client pointed to those files or directory.

Long time ago.....
Mark Galvin, Managing Director / Principal Consultant (Author), commented:

The error
Cannot connect to the Citrix XenApp server.SSL Error 61: You have not chosen to trust  "Network Solutions DV Server CA 2" The issuer of the server's security certificate.
is from a Windows user. I am coming into this from an external point of view and the client's IT department hadn't given me the facts.

The Mac user (and I have tested on my Mac rig) is getting the SSL Handshake error.

I installed the root and intermediate certificates that came with the renewed CRT cert. I had added them into the Mac keychain, but that hasn't helped.

I have downloaded the files from here as Tony suggested and will let you know the results.

Also here is a snippet from my Mac log file:
| 10-08-2015 | 19:58:04.704 | 1167 | 1 |      sslasock.c | 1711 |      SSLconnect |    TC_TD |    TT_ERROR | int SSLconnect(SOCKET, const struct sockaddr_storage *, int): Negotiation failed. sslretcode: 47
| 10-08-2015 | 19:58:04.704 | 1167 | 1 |      sslasock.c |  741 |  handleSSLError |    TC_TD |    TT_ERROR | WSAGetLastError: 1000047
| 10-08-2015 | 19:58:04.704 | 1167 | 1 |      sslasock.c |  742 |  handleSSLError |    TC_TD |    TT_ERROR | SSLSDK error: The server sent an SSL alert: sslv3 alert handshake failure (alert number )
| 10-08-2015 | 19:58:04.704 | 1167 | 1 |      sslasock.c |  749 |  handleSSLError |    TC_TD |    TT_ERROR | Start SSLSDK error parameter dump
| 10-08-2015 | 19:58:04.704 | 1167 | 1 |      sslasock.c |  755 |  handleSSLError |    TC_TD |    TT_ERROR |       SSLSDK error parameter 1: sslv3 alert handshake failure
| 10-08-2015 | 19:58:04.704 | 1167 | 1 |      sslasock.c |  755 |  handleSSLError |    TC_TD |    TT_ERROR |       SSLSDK error parameter 1:
| 10-08-2015 | 19:58:04.704 | 1167 | 1 |      sslasock.c |  758 |  handleSSLError |    TC_TD |    TT_ERROR | End SSLSDK error parameter dump
| 10-08-2015 | 19:58:04.705 | 1167 | 1 |     sslconfig.m |  524 |  createSSLError |    TC_TD |     TT_API1 | Proxy/SSL Error: E_SSLSDK_ALERT_HANDSHAKE_FAILED

Brian Murphy, IT Architect, commented:
Ah, well one thing I notice here in that log is SSL 3.  Starting back a year or so ago, I started disabling SSL 2 and 3 on servers and clients.  I removed all RC 2 and RC 4 and NULL streaming ciphers.  Dropped support for SHA-1 and so forth.

Any new Citrix Client, to my knowledge, will NOT support any SSL protocol (None).  It is all TLS now.  TLS 1.2 preferred.  In FIPS-land I can get away with TLS 1.0 if I create a RSA F4 privacy key on my FIPS-2 compliant Netscalers (12 of them).  On my gateways SSL 1, 2, and 3 are disabled.  TLS only.  I have 12 - FIPS-2 physical Netscalers.  I disabled SSL protocol back a year ago.

Obviously being able to validate the certificate chain is required but I'm wondering now if you need to adjust your negotiation protocol on your side.  The MAC that is.

As for Windows, those prior instructions should work for you.

When I see SSL 3 negotiation errors the first thought is "client" or "server" or "both".
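The "client or server or both" question above can be settled by asking the gateway directly. The script below is an added example, not code from any of the posters or from Citrix: it sends a minimal ClientHello for each protocol version (SSLv3 through TLS 1.2) offering the RC4 and AES suites discussed in the thread, and classifies the first record the gateway sends back, either a ServerHello with the version it negotiated or an alert such as the handshake_failure seen in the Mac log. Only the protocol constants are real; the host name and the sample responses in the comments are assumptions.

```python
import socket
import struct

# Record/handshake version bytes: SSLv3 = 3.0, TLS 1.0 = 3.1, TLS 1.1 = 3.2, TLS 1.2 = 3.3
VERSIONS = {"SSLv3": (3, 0), "TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}
# Alert descriptions a gateway sends when it rejects a handshake (RFC 5246 section 7.2)
ALERTS = {40: "handshake_failure", 47: "illegal_parameter",
          49: "access_denied", 70: "protocol_version"}
# Suites offered: TLS_RSA_WITH_RC4_128_SHA (0x0005), TLS_RSA_WITH_AES_128_CBC_SHA (0x002f),
# TLS_RSA_WITH_AES_256_CBC_SHA (0x0035), i.e. the RC4/AES choice the CAG exposes
CIPHERS = b"\x00\x05\x00\x2f\x00\x35"


def build_client_hello(version):
    """Minimal ClientHello record for the given (major, minor) protocol version."""
    major, minor = version
    body = bytes([major, minor]) + b"\x00" * 32           # client_version + random (zeros, constructed)
    body += b"\x00"                                       # empty session id
    body += struct.pack("!H", len(CIPHERS)) + CIPHERS     # cipher suites
    body += b"\x01\x00"                                   # compression methods: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 (ClientHello) + 3-byte length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(hs)) + hs   # record type 22


def parse_server_response(data):
    """Classify the first record: ('ServerHello', (major, minor)) or ('alert', description)."""
    if len(data) < 5:
        return ("empty", None)
    ctype, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == 0x15 and len(payload) >= 2:               # alert record: level, description
        return ("alert", ALERTS.get(payload[1], "alert#%d" % payload[1]))
    if ctype == 0x16 and payload and payload[0] == 0x02:  # handshake record carrying ServerHello
        return ("ServerHello", (payload[4], payload[5]))  # server_version follows type + 3-byte length
    return ("other", ctype)


def probe(host, port=443, timeout=5):
    """Send one ClientHello per version to your own gateway and report what came back."""
    results = {}
    for name, ver in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_client_hello(ver))
                results[name] = parse_server_response(s.recv(4096))
        except OSError as exc:
            results[name] = ("error", str(exc))
    return results


if __name__ == "__main__":
    # Hypothetical host name; a CAG that only speaks SSLv3 would answer ServerHello for
    # "SSLv3" and an alert or a closed connection for the TLS entries.
    for name, outcome in probe("gateway.example.com").items():
        print(name, outcome)
```

A ServerHello for "SSLv3" alone, with alerts for every TLS entry, points at the gateway; alerts across the board after a new cert points at the chain or cipher configuration instead.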
Tony Johncock, Lead Technical Architect, commented:
Yup. I did say there were references to this above. I even provided a Citrix link with a reference to it.
Mark Galvin, Managing Director / Principal Consultant (Author), commented:
Hi both

I have been working with Citrix on this. Their initial answer was that the CAG was end of life, which the client (and I) knew. The client is running a project (early stages) in which they will replace the CAG with a NetScaler.

We have tried adding the Root and Intermediate into the CAG Chain. Didn't help.
We have tried adding the Root and Intermediate onto the Mac client. Didn't help.

I have asked Citrix if it's possible to reconfigure the CAG with TLS instead of SSLv3:
I have seen some online posts suggest that this error is due to SSLv3 not being supported and that changing to TLS 1.0 will work. How can I do this with the CAG/WI?
and their response was:
That what is the question here vpx has the option. I doubt if that is on CAG

I have asked them if replacing the CAG with Citrix Secure Gateway, while the project for the NetScaler is being run, will help, and they are looking into this.

Mark Galvin, Managing Director / Principal Consultant (Author), commented:

Citrix's final response was:
No you need to move to netscaler VPX and leverage that and it should work on VPX. Can you build a test VPX and check

So the client has taken the decision to provide the Mac users with Windows laptops until they replace their CAG with a NetScaler VPX. They have put the order for the VPX through, so by the end of November their CAG will be out of the system and they will be using an up-to-date VPX.

I will look back through the comments and split the points between you both.

Mark Galvin, Managing Director / Principal Consultant (Author), commented:
Looks like the fix would be to stop using SSLv3 and start using TLS. As I cannot change the Citrix Access Gateway in this way, the client will be moving to NetScaler VPX.

Thanks for your help with this one guys!
Tony Johncock, Lead Technical Architect, commented:
Glad you managed to track down a definitive answer. Hope the VPX install goes well, and thank you for the points.