信息
Overview of the Crypto Kit updates in Citrix Receiver 4.12 and above
- Receiver for Windows 4.12 and later provide support toDTLS v1.2for connections to the VDA.
- The latest Crypto Kit has deprecated all TLS_RSA_* cipher suites. But, to support backward compatibility with older versions of VDA (before ver.7.18), we provide an option in the GPO toenable/disablethese cipher suites. We give the following toggle options on the GPO:
- Enable/Disable all (flag 1)TLS_RSA_密码的西装es (Totally 8 cipher suites)
- Enable/Disable (flag 2)TLS_RSA_WITH_RC4_128_MD5密码的西装e
- Enable/Disable (flag 3)TLS_RSA_WITH_RC4_128_SHA密码的西装e
Note that these areenabled by defaulton the GPO in Receiver for Windows (4.12).
Steps to Disable/Re-Enable Deprecated Ciphers
- Add the Receiver GPO template if it is not added to the local GPO. Refer to theProduct Documentationfor detailed instructions. In case of an upgrade, the existing settings are retained when the latest files are imported.
- Open the Citrix Receiver GPO administrative template by running gpedit.msc
- Under the Computer Configuration node, go toAdministrative Template > Citrix Component > Citrix Receiver > Network Routing > Deprecated Cipher Suites
- Use the toggle options to Enable/Disable the ciphers
- Enabling TLS_RSA_ flag (flag 1) alone enables 6 cipher suites.
- Although RC4-128-MD5 (flag 2) and RC4-128-SHA (flag 3) are subsets of TLS_RSA_, additional flags are given for the two ciphers.
- 这意味着,如果它是intended to enableRC4-128-MD5密码的西装e, bothflags 1 and 2should be enabled. Similarly, to enableRC4-128-SHA密码的西装e, bothflags 1 and 3should be enabled.
- To enable or disable DTLS, you can configure the HDX Adaptive Transport policy on the DDC. For more information, you can referhttps://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/hdx/adaptive-transport.html
Please find below the cipher matrix for a deeper understanding of the ciphers supported by the latest SSL SDK.
| Ciphersuite (in order of priority) | Native Crypto Kit mode and cipher set | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| OPEN | FIPS | SP800-52 | |||||||||
| OPEN ALL | OPEN COM | OPEN GOV | FIPS ALL | FIPS COM | FIPS GOV | SP800-52 ALL | SP800-52 COM | SP800-52 GOV | TLS 1.2 PRF uses | TLS 1.2 "Finished" uses | |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA3841) | X | X | X | X | X | X | SHA384 | SHA384 | |||
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA3841) | X | X | X | X | X | X | SHA384 | SHA384 | |||
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | X | X | X | X | X | X | SHA256 | SHA1 | |||
| TLS_RSA_WITH_AES_256_GCM_SHA3841)2) | Δ | SHA384 | SHA384 | ||||||||
| TLS_RSA_WITH_AES_128_GCM_SHA2561)2) | Δ | Δ | SHA256 | SHA256 | |||||||
| TLS_RSA_WITH_AES_256_CBC_SHA2561)2) | Δ | SHA256 | SHA1 | ||||||||
| TLS_RSA_WITH_AES_256_CBC_SHA2) | Δ | SHA256 | SHA1 | ||||||||
| TLS_RSA_WITH_AES_128_CBC_SHA2) | Δ | Δ | SHA256 | SHA1 | |||||||
| TLS_RSA_WITH_RC4_128_SHA2)3) | Δ | Δ | SHA256 | SHA1 | |||||||
| TLS_RSA_WITH_RC4_128_MD52)3) | Δ | Δ | SHA256 | SHA1 | |||||||
| TLS_RSA_WITH_3DES_EDE_CBC_SHA2) | Δ | SHA256 | SHA1 | ||||||||
| TLS_EMPTY_RENEGOTIATION_INFO_SCSV* | X | X | X | X | X | X | X | X | X | - | - |
Note:
SP800-52 mode always implies FIPS crypto.
1)需要TLS1.2 / DTLS1.2密码套件
2) Ciphersuite disabled by default.Must be enabled withfeatureCtrl()API
3) Ciphersuite not available for DTLS protocol
* SCSV is a renagotiation indication ciphersuite per RFC5746
Δ Ciphersuite is being phased-out
SP800-52 mode always implies FIPS crypto.
1)需要TLS1.2 / DTLS1.2密码套件
2) Ciphersuite disabled by default.Must be enabled withfeatureCtrl()API
3) Ciphersuite not available for DTLS protocol
* SCSV is a renagotiation indication ciphersuite per RFC5746
Δ Ciphersuite is being phased-out
Expected failure scenarios and corner cases
In the case you disable deprecated cipher suites, make sure to avoid the following failure scenarios:- TCP
- OPEN mode:Session launch not supported when Client configures cipher set to GOV and VDA has cipher set configured to COM (due to lack of common cipher suite).
- FIPS/NIST(SP800-52) compliance mode:Session launch is not supported in the scenarios when Cipher set is configured as COM on the server with any of the cipher sets(COM/GOV/ANY) on the client and vice-versa due to lack of common cipher suites.
- DTLS v1.0supports5of the cipher suites andDTLS v1.2 supports 10of the cipher suites.
DTLS v1.0 DTLS v1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_EMPTY_RENEGOTIATION_INFO_SCSV
- DTLSdoes not support FIPS/NISTcompliance modes.
- DTLS v1.2is supported by OSs Win10(1607 or higher) AND Win2k16 VDAs. Please refer article https://support.citrix.com/article/CTX230010
- DTLS v1.2 isnot supported yet by NSG. Hence, this scenario can only be tested with DTLS v1.0.
1)Matrix for internal network connections (without NSG in picture)
Note:
NS– Functionality is not supported by the latest Cypto Kit
NA– Not Applicable
2)Matrix for external network connections (with NSG in picture)NS– Functionality is not supported by the latest Cypto Kit
NA– Not Applicable
