At Citrix, we want to deliver secure applications to users without compromising on User Experience, per se. With release of Receiver for Mac 12.2, there are some security enhancements to improve security, as well as the overall user experience.
These enhancements are based on inputs that we have received from our users. Security enhancements which have been undertaken in Receiver for Mac 12.2 are as follows:
- Native OS X API support for Smartcard Authentication to NetScaler
- User Interface for Security Configuration
- TLS Connection Information
Native OS X API Support for Smartcard Authentication to NetScaler
Prior to Receiver for Mac 12.2, whenever a user wanted to use smartcard authentication with NetScaler, it was necessary to install additional software called a PKCS#11 module. Also, there were cases wherein users worked in a restricted environment and were not allowed to install any additional software, including PKCS#11 modules, on their machines.
This enhancement greatly improves the usability of smartcard authentication over NetScaler by removing the necessity of installing PKCS#11 module. It does so by using built-in smartcard authentication APIs provided by OS X. So, the user doesn’t need to install any additional software to enable smartcard authentication with Netscaler (Users will still be required to install smartcard drivers so that smart card gets recognized by OS X).
If users still want, or need, to use a PKCS#11 module for smart card authentication, they can still go ahead with the way they used to do it earlier. They can install a PKCS#11 module and select it via the following path:
Citrix Receiver → Preferences → Security & Privacy → Smartcard.
However, this is no longer mandatory.
Note: We recommend that users contact their administrators regarding usage of PKCS#11 module in their environment.
User Interface for Security Configuration
In previous releases of Receiver for Mac, the command line was the preferred method to make security-related changes. This was error-prone, as users had to run commands via terminal to alter particular settings related to client-side Security Configuration. From the release of Receiver for Mac 12.2 onward, a preferences UI is available to make changes to settings related to session security. This improves the user experience while creating a seamless method for the adoption of security-related preferences.
For accessing Security Configuration settings, user needs to go to Citrix Receiver → Preferences → Security & Privacy → TLS.
There are multiple settings involved here and we will go through them one by one.
- Compliance Mode: This field is used to define the compliance mode used for TLS-based HDX connections. This field has two values: None and SP800-52. None is the default mode. SP800-52 is a restrictive mode and it will modify values for other fields.
This field was earlier used to be modified using command:
defaults write com.citrix.receiver.nomasSecurityComplianceMode SP800-52
- Crypto Module: This field is used to define the crypto modules that will be used for TLS-based HDX connections. This field has two values: Standard and FIPS. By default, FIPS is the module that is selected. This is also the more restrictive option.
This field was earlier modified using command:
defaults write com.citrix.receiver.nomasSecurityCryptoModule FIPS
- TLS Version: This field is used for defining TLS version that will be accepted during making protocol negotiation for TLS-based HDX connections. This field has 3 values:
- TLSv1.0, TLSv1.1 and TLSv1.2: Any of these TLS versions can be used while making the connection. Least restrictive of three options.
- TLSv1.1 and TLSv1.2: Either TLSv1.1 or TLSv1.2 can be used for making the connection.
- TLSv1.2: Only TLSv1.2 will be used for making the connection. Most restrictive.
This field was earlier modified using command:
defaults write com.citrix.receiver.nomas SecurityAllowedTLSVersions –array value
- Certificate Revocation List: This field improves the overall security of the TLS connections between a client and a server. This setting governs how a given trusted root certificate authority is treated during an attempt to open an HDX session through SSL when using the client for OS X.
When you enable this setting, the client checks whether or not the server’s certificate is revoked. There are several levels of certificate revocation list checking. For example, the client can be configured to check only its local certificate list, or to check the local and network certificate lists. In addition, certificate checking can be configured to allow users to log on only if all Certificate Revocation lists are verified.
Certificate Revocation List (CRL) checking is an advanced feature supported by some certificate issuers. It allows an administrator to revoke security certificates (invalidated before their expiry date) in the case of cryptographic compromise of the certificate private key, or simply an unexpected change in DNS name.
Applicable values for this setting include:
- Off: No Certificate Revocation List check is performed.
- Attempt local cache check: Certificate revocation list check is performed. Only local certificate revocation list stores are used. All distribution points are ignored. Finding a Certificate Revocation List is not critical for verification of the server certificate presented by the target SSL Relay/Secure Gateway server.
- Attempt local cache and network check: Certificate Revocation List check is performed. Local Certificate Revocation List stores and all distribution points are used. Finding a Certificate Revocation List is not critical for verification of the server certificate presented by the target SSL Relay/Secure Gateway server.
- Require for all certificates except root: Certificate Revocation List check is performed, excluding the root CA. Local Certificate Revocation List stores and all distribution points are used. Finding all required Certificate Revocation Lists is critical for verification.
- Require for all certificates: Certificate Revocation List check is performed, including the root CA. Local Certificate Revocation List stores and all distribution points are used. Finding all required Certificate Revocation Lists is critical for verification.
This field was earlier modified using following command
defaults write com.citrix.nomas SSLCertificateRevocationCheckPolicy FullAccessCheck
In “Certificate Revocation List”, “Attempt local cache and network cache” is used as the default value.
“Off” is least restrictive and “Require for all certificates” is most restrictive setting.
- Require TLS for All Connections:
Use this particular setting if you want to launch all Citrix Sessions over secure connection. When this setting is enabled, user can only launch connections to sessions that are secure. Any unsecure session cannot be launched.
- Restore Defaults:
There may be case where while making changes, you forget about the default value. With the changes, now you are not able to make connections to any resource. This button will come handy at that time as user can click it to get back to default settings for TLS tab.
Note: We recommend that users contact their administrators before making any changes to the TLS tab.
TLS Connection Information
When we open a URL in a web browser, it gives a sense of security when we see a lock sign in the address bar, indicating that we are using a secure connection. But what about users making connection to a Citrix resource? How can a user check whether an HDX session is running over secure protocol or not? Also, let’s consider about system administrator. Is there an easy way to check whether certificate that they have setup for a system is being used while making a connection?
TLS Connection information will answer all these questions. Citrix Receiver for Mac allows you to verify whether connections made to servers are using a specific TLS version, with additional information including the encryption algorithm used for the connection, mode, key size and whether SecureICA is enabled. In addition, you can view the server certificate for TLS connections.
To check this information, you need to do the following:
Go to Apple Menu Bar → Citrix Viewer (or Desktop Name) → About Citrix Viewer.
It will show information like this:
These 3 features will provide users with ease of configuring security settings and verifying it.