Citrix problems with SHA2 certificates SSL error 61

Intro
Basically all certificates issued these days use the SHA2 signing algorithm, whereas a year ago (or, for some CAs, just a few months ago) this was not the case and the SHA1 signing algorithm was being used. This change causes some compatibility problems.

The details
It can be a little hard to test a new certificate with Citrix Secure Gateway. If you try it and pray, you may well find that a majority of Citrix clients can connect to your Secure Gateway but some cannot. They may even see SSL error 61.

So if you dutifully go to this Citrix support page, TID 101990, you read a very convincing description of the problem and why it happens. The only thing is, it is probably totally wrong for your case! Because in it they argue that your certificate is faulty and that you should go back to your CA and get a good one! Ridiculous! I’ve dealt with lots of CAs and gotten lots of certificates. Never had a faulty one like that.

So what’s the real explanation? I think it is that their own Citrix client is out-of-date on the PC where it isn’t working and doesn’t support SHA2! This is still an unfolding story so that involves a little speculation. Upgrade the Citrix Receiver client and try again.

But of course you need to do your basic homework and make sure the basic stuff is in order. Use openssl to fetch your certificate and certificate chain and have a look at them to make sure you’ve really set it up right. A beginner’s mistake is to forget to include the intermediate certificate. Perhaps that could cause the SSL error 61 as well. And of course you need a certificate issued by a legitimate CA. A self-signed certificate will probably definitely give you an SSL error 61.

Given time I’ll show how to check if your certificate – or any other reference certificate you want to compare it to – uses SHA1 or SHA2.
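One way to run the checks described above with the openssl command line, as an added example that is not the author's own script: it lists each certificate the server sends with its signature algorithm (SHA1 or SHA2), marks self-signed certificates, and warns when only one certificate is sent. The function names and the host name in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Usage, with a placeholder host:
#   sh chaincheck.sh gateway.example.com:443

# Map an OpenSSL signature algorithm name to SHA1, SHA2 or other.
classify_sig() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*) echo SHA1 ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo SHA2 ;;
        *) echo other ;;
    esac
}

# Signature algorithm of one PEM certificate file.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $NF; exit }'
}

# PEM blocks the server sends, leaf first (needs network access).
fetch_chain() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts \
        </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Read concatenated PEM certificates on stdin, print one line per certificate.
report_chain() {
    dir=$(mktemp -d) || return 1
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }'
    count=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        alg=$(sig_alg "$f")
        subj=$(openssl x509 -in "$f" -noout -subject)
        iss=$(openssl x509 -in "$f" -noout -issuer)
        note=""
        [ "${subj#subject}" = "${iss#issuer}" ] && note=" self-signed"
        echo "$(classify_sig "$alg") $alg $subj$note"
    done
    [ "$count" -eq 1 ] && echo "WARNING: only one certificate sent, check the intermediate"
    rm -rf "$dir"
}

if [ "$#" -ge 1 ]; then fetch_chain "$1" | report_chain; fi
```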

To be updated if I get more conclusive information…

Conclusion
Citrix is giving out misleading or wrong advice about SSL error 61.

References and related articles
This site seems to confirm the widespread problem with many Citrix clients and SHA2 certificates.
http://www.p2vme.com/2014/02/sha2-certificates-and-citrix-receiver.html
This site talks about the dangers of SHA1 certificates and what Microsoft is doing about it.

3 replies on “Citrix problems with SHA2 certificates SSL error 61”

HELP! I hope you are still reading this but I have a similar issue. Installed a new GoDaddy Cert SHA2 and now when clients connect to the web interface the SSL works fine, logs them in, but any application clicked shows the SSL 61- you have chosen to not trust GoDaddy yada yada message.

I understand I can download the cert to my machine and install it, but we have 30 users and we shouldn’t have to manually install the new SSL on each machine to get connected. How can we do this through the Citrix Server itself? I have already installed the cert and the intermediate cert on the Citrix server as well.

As far as I understand the situation now, newer versions of Citrix Receiver client support SHA2, older ones don’t, and you can install certificates on the client PCs until you’re blue in the face but it won’t do a lick of good. Nor is Citrix going to do anything about this problem.
