TLS negotiation not working with Citrix Secure Access Gateway (SAG)
Reported by patience...@gmail.com, Feb 18 2017
Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 9280.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3007.0 Safari/537.36
Platform: Toshiba Chromebook 2
Example URL: https://apps.mednax.net

Steps to reproduce the problem:
1. Since Chrome release 56+, Citrix Receiver (versions 2.1 - 2.3) has failed to connect to the gateway with "server connection failed" errors in both kiosk and ICA modes. Current report is "Citrix cannot connect to the server CERT_WEAK_SIGNATURE_ALGORITHM (-208)"
2. Connection error log attached.
3. ssllabs.com shows that this SAG still implements TLS 1.0 (see attached) - I'm not in a position to insist this be updated, but it's a common situation across many institutions using Citrix.

What is the expected behavior?
Standard secure negotiation followed by connection and launch of Citrix applications.

What went wrong?
See attached. While I understand why TLS 1.0 is deprecated, fallback functionality needs to be added for Chromium to remain a usable platform.

Did this work before? Yes Chromium 55

Chrome version: 58.0.3007.0
Channel: dev
OS Version: 9280.0.0
Flash Version: Shockwave Flash 24.0 r0

Thank you for your time and consideration.
Feb 21 2017
I'm not reproducing this, but if you're seeing CERT_WEAK_SIGNATURE_ALGORITHM, that's probably the SHA-1 deprecation, not TLS 1.0. (Though TLS 1.0 is also obsolete and the device should be updated.)
https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html

Could you provide a net-internals per these instructions?
https://dev.chromium.org/for-testers/providing-network-details
Feb 22 2017
Net-internals file created during initiation of the Citrix application launch is attached. On further investigation with the Citrix admins, this issue appears to be related to the Netscaler version, which is pending upgrade. However, others have reported increased incidence of the CERT_WEAK_SIGNATURE_ALGORITHM issue, and there does need to be a workaround. Is it possible to create per-site trusts in Chromium?
Feb 22 2017
You may note that a number of extensions are enabled during this test; however, I can confirm that disabling all extensions except Citrix Receiver also reproduces the problem. Rollback to previous versions of Receiver is also ineffective in resolving the connection error.
Feb 22 2017
The net-internals wasn't attached. Could you double check? Note attaching in email for replying to bugs isn't sufficient; you'll need to access the bugs.chromium.org page (at the bottom of this mail).

Also, for SHA-1, if it's an enterprise-trusted root, https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html - but whether or not that relates is dependent on the net-internals
Feb 23 2017
Please see attached, and thank you for your assistance.
Mar 1 2017
Thank you for providing feedback. Removing "Needs-Feedback" label.
Mar 2 2018
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by juliatut...@chromium.org, Feb 21 2017