Citrix: SHA1 and RC4

Latest news: SHA-1 is now considered insecure. As of January 2016 the break is still theoretical (a collision had been costed, not demonstrated), but browsers and CAs are already phasing out SHA-1 certificate signatures. The risk is not that keys get broken: a collision lets an attacker obtain a CA signature over one certificate and reuse it on another, so what matters is the signature algorithm on your certificate. We actually had a SHA-1 certificate in use on Citrix Access Gateway (version 5.0.4.223500, 2011-12-14), AND we were using RC4. Two issues that keep growing in importance. The first problems started in early 2016, when our site wouldn't work with Chrome and kept throwing up errors in Firefox; both browsers dropped RC4 support in their January 2016 releases (Chrome 48, Firefox 44).

[Screenshot: CitrixChromeRC4]

Figured NOW is the time to act! In addition to re-keying your certificate, you should renew it and make sure the CA issues the new one with a SHA-256 signature (the signature algorithm is what browsers object to, not the key itself), so you'll be set for another few years. Also, you'll need to change the cipher used by Access Gateway so that RC4 is no longer offered.

  1. Log into your Access Gateway: https://yourIPaddress:admin
  2. Click on the left: Access Control –> Global Options
  3. Change the encryption from RC4 (which was designed in 1987! YIKES!) to AES.

[Screenshot: CitrixRC4]
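Once the cipher has been changed and the re-issued certificate installed, verify it from the outside rather than trusting the admin page. The script below is an added example, not code from the original post or from Citrix: it uses the openssl CLI to pull the gateway's leaf certificate, report its signature algorithm, and try to negotiate an RC4 suite. The host name gateway.example.com at the bottom is an assumption; substitute your gateway's address.

```shell
#!/bin/sh
# Added audit script (not from the original post or from Citrix): confirm
# that a gateway no longer presents a SHA-1-signed certificate and no
# longer negotiates RC4. Requires the openssl CLI. The host name used in
# the example call at the bottom is an assumption.

# Read `openssl x509 -noout -text` output on stdin and print the
# certificate's signature algorithm. The first "Signature Algorithm:" line
# comes from the tbsCertificate; the second, near the bottom, repeats it.
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Print WEAK for SHA-1 or MD5 based signature algorithms, OK for anything else.
classify_sig_alg() {
    case "$1" in
        *sha1*|*SHA1*|*md5*|*MD5*) echo WEAK ;;
        *)                         echo OK ;;
    esac
}

# Print YES if the server completes a handshake with an RC4 suite, else NO.
# A client built without RC4 (most current OpenSSL builds) always prints NO,
# because the offer itself fails; run this from a host whose openssl still
# has RC4 compiled in when you need a real answer.
rc4_negotiable() {
    host="$1"; port="${2:-443}"
    if printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
            -cipher 'RC4' 2>/dev/null | grep -q 'Cipher is RC4'; then
        echo YES
    else
        echo NO
    fi
}

# Fetch the leaf certificate and report both findings for one endpoint.
audit_endpoint() {
    host="$1"; port="${2:-443}"
    alg=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | sig_alg_from_text)
    if [ -z "$alg" ]; then
        echo "certificate signature: could not fetch certificate from $host:$port"
    else
        printf 'certificate signature: %s (%s)\n' "$alg" "$(classify_sig_alg "$alg")"
    fi
    printf 'RC4 negotiable: %s\n' "$(rc4_negotiable "$host" "$port")"
}

# Example run (assumed host name):
# audit_endpoint gateway.example.com 443
```

A clean result reads "sha256WithRSAEncryption (OK)" and "RC4 negotiable: NO". Note that the RC4 probe only proves something when the client can still offer RC4; if your openssl reports "no cipher match", the NO is about your client, not the gateway.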

Why AES and not 3DES? Well, 3DES is just three passes of DES with a 168-bit key. It is not "three times better" than DES: a meet-in-the-middle attack brings its effective security down to about 2^112, and it keeps DES's small 64-bit block size. AES has a 128-bit block, runs a single transform instead of three, and is far faster in practice. That's the short of it; read more of the comparisons on Stack Overflow: http://stackoverflow.com/questions/5554526/comparison-of-des-triple-des-aes-blowfish-encryption-for-data

That wasn't too difficult, was it? 🙂 I smile because this issue with Citrix Access Gateway and SHA-1 has been bugging a LOT of people on the forums. Hopefully it helps! And yes, I know Access Gateway v5 has been discontinued / EOL. There's a project in place to upgrade in parallel. The goal of ALL projects is near-ZERO downtime! AIM HIGH, RIGHT?! 🙂

 
