Important Update with Citrix Receiver for Windows 4.12: Crypto Kit Change

Citrix continues to enhance the security of its products to match the current standards. The new Citrix Receiver for Windows 4.12 contains two important changes pertaining to TLS/DTLS secure communications protocol:

  • Support for DTLS version 1.2
  • Deprecation of TLS/DTLS cipher suites which do not offer forward secrecy.

Let’s learn more about these two changes

What’s new

In the new update, all cipher suites whose names begin with TLS_RSA_ have been deprecated, as they are considered cryptographically weak. Below is the list of these deprecated ciphers:

  1. TLS_RSA_AES256_GCM_SHA384
  2. TLS_RSA_AES128_GCM_SHA256
  3. TLS_RSA_AES256_CBC_SHA256
  4. TLS_RSA_AES256_CBC_SHA
  5. TLS_RSA_AES128_CBC_SHA
  6. TLS_RSA_3DES_CBC_EDE_SHA
  7. TLS_RSA_WITH_RC4_128_MD5
  8. TLS_RSA_WITH_RC4_128_SHA

Configuration for backward compatibility: Citrix provides three flags in the group policy to configure these cipher suites, namely:

  • TLS_RSA_
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA

In order to configure them,

  1. Add the Receiver GPO template if it is not added to the local GPO. Refer to the document for detailed instructions. In case of an upgrade, the existing settings are retained when the latest files are imported.
  2. In the Group Policy Editor, under the Computer Configuration node, go to Administrative Template > Citrix Component > Citrix Receiver > Network Routing > Deprecated cipher suites
  3. Use the toggle options to Enable/Disable the ciphers

This is to ensure seamless backward compatibility with older VDAs that still need these ciphers for connection. The TLS_RSA_ flag is enabled as the default setting. But, to enable the other two above mentioned cipher suites, or disable any of the above options, configure the same through the Group Policy, along with TLS_RSA_ flag checked .

This ensures that by default the deprecated Ciphers will still work, however it is not recommended to continue using them. Citrix may completely remove these deprecated ciphers in future release.

Configuring ciphersuites on the Netscaler Gateway: To prioritize the order in which cipher suites are chosen by the VDA, and if session launch failures are encountered, you should configure the cipher suites on NetScaler Gateway, to ensure appropriate, cryptographically strong cipher suites are used for communication. You can refer to the article for detailed steps regarding cipher order configuration on the NetScaler Gateway.

Note:

i) These settings will not be applicable for NetScaler 10.5.x version when the cipher suite is set to “GOV” on 7.18 VDA. Please upgrade the Netscaler gateway to higher version or change the cipher suite of VDA to “ANY”.

ii) Customers currently on the 7.6CU version of XenDesktop are advised to upgrade to a newer version, as some session launches might fail in this version with the latest receiver.

Citrix intends to offer a smooth and seamless upgrade to the latest version of receiver with minimal efforts expected from your end, while ensuring secure end-to-end communication.

Upgrade to Citrix Receiver for Windows 4.12 and let us know how it works for you!