One of our key areas of focus at Citrix is security, and part of that is making sure that our products comply with security standards and recommended practices as they evolve. That includes cipher suite support.

Back in June 2018, we deprecated all TLS_RSA_* cipher suites in Receiver 4.12. We provided the option to continue to use those cipher suites for backward compatibility, but we finally removed them entirely in Citrix Workspace app 1904, leaving support only for the following ECDHE cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (TLS/DTLS 1.2)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (TLS/DTLS 1.2)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (TLS/DTLS 1.0+)

With Citrix Virtual Apps and Desktops 7 1909, we have removed support for TLS_RSA_* cipher suites on the VDA to align our client and server components. The VDA now only supports the same three cipher suites listed above with elliptic curves P-384 and P-256.

As you plan your upgrade to Citrix Virtual Apps and Desktops 1909+ and/or Citrix Workspace app 1904+, make sure to consider the following:

  • If you use encryption on the VDA, make sure the Windows Cipher Suite settings are set properly as outlined here. Look at the information provided right after “step 9,” under “Manually configure TLS on a VDA”.
  • If you use Citrix Gateway:
    • Make sure the Citrix ADC firmware version you are running supports the cipher suites in question for front-end and back-end connections. Note that the back-end connection support is only a concern if you have encryption enabled on the VDA for end-to-end encryption. Also note that cipher suite support in each firmware version may vary depending on whether you are using an MPX or VPX appliance. ADC documentation provides details on TLS cipher suite support and DTLS cipher suite support.
    • Make sure your Gateway virtual server is configured to use the appropriate cipher suites.
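
To sanity-check a configured cipher list before upgrading, here is an added example (not Citrix code) that audits an ordered suite list against the three suites named above. The function name `audit`, the sample lists, the stripping of a trailing `_P256`/`_P384` curve suffix that some Windows versions append, and the assumption that server preference order decides the negotiated suite are all assumptions of this example; only TLS version numbers are modeled, not DTLS.

```python
import re

# Suite -> lowest TLS version it can be used with, per the list in this post.
SUPPORTED = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 1.2,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 1.2,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 1.0,
}

def audit(configured, enabled_versions):
    """configured: IANA suite names in server preference order.
    enabled_versions: TLS versions enabled on the endpoint, e.g. {1.0, 1.2}.
    Returns which suite (if any) is still usable per version, plus any
    TLS_RSA_* entries that no longer do anything for these clients."""
    # Assumption: normalise case and drop a trailing curve suffix (_P256/_P384).
    names = [re.sub(r"_P(256|384)$", "", s.strip().upper()) for s in configured]
    negotiable = {}
    for ver in sorted(enabled_versions):
        usable = [n for n in names if n in SUPPORTED and SUPPORTED[n] <= ver]
        # Assumption: the first usable suite in server order is the one chosen.
        negotiable[ver] = usable[0] if usable else None
    removed = [n for n in names if n.startswith("TLS_RSA_")]
    return {"negotiable": negotiable, "removed": removed,
            "ok": any(negotiable.values())}

# Constructed sample configurations (not taken from any real deployment).
LEGACY_ONLY = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256"]
MIXED = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
TLS12_SUITES_ONLY = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    cases = [
        ("legacy only, TLS 1.0-1.2", LEGACY_ONLY, {1.0, 1.1, 1.2}),
        ("mixed, TLS 1.0 and 1.2", MIXED, {1.0, 1.2}),
        ("GCM suite but only TLS 1.0", TLS12_SUITES_ONLY, {1.0}),
    ]
    for label, suites, versions in cases:
        result = audit(suites, versions)
        status = "OK" if result["ok"] else "NO COMMON SUITE"
        print(f"{label}: {status}")
        for ver, suite in result["negotiable"].items():
            print(f"  TLS {ver}: {suite or 'nothing usable'}")
        for name in result["removed"]:
            print(f"  removed on client and VDA: {name}")
```

The third case shows the version dependency in the list above: a SHA384 suite configured on an endpoint that only enables TLS 1.0 leaves nothing to negotiate.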

If you have any questions, comments, or concerns, please let me know in the comments below.

Until next time,

Migs
Senior Product Manager – HDX