Configure deprecated cipher suites

With the release of Version 4.12, there are two important changes to the TLS/DTLS secure communications protocols: support for DTLS Version 1.2, and deprecation of TLS/DTLS cipher suites that do not offer forward secrecy.

DTLS version 1.2 supports the UDP transport protocol, providing the equivalent of TLS version 1.2 for the TCP transport protocol. Previous versions of Citrix Workspace app for Windows already supported TLS version 1.2.

Cipher suites with the prefix TLS_RSA_ do not offer forward secrecy. These cipher suites are now generally deprecated by the industry. However, to support backward compatibility with older versions of Citrix Virtual Apps and Desktops, Citrix Workspace app for Windows can utilize these cipher suites.

A new Group Policy Object Administrative template has been created to allow usage of the deprecated cipher suites. In Citrix Receiver for Windows Version 4.12, this policy is enabled by default, but does not enforce deprecation of these cipher suites using the AES or 3DES algorithms by default. However, you can modify and use this policy to enforce the deprecation more strictly.

Following is the list of deprecated cipher suites:

  1. TLS_RSA_AES256_GCM_SHA384
  2. TLS_RSA_AES128_GCM_SHA256
  3. TLS_RSA_AES256_CBC_SHA256
  4. TLS_RSA_AES256_CBC_SHA
  5. TLS_RSA_AES128_CBC_SHA
  6. TLS_RSA_3DES_CBC_EDE_SHA
  7. TLS_RSA_WITH_RC4_128_MD5
  8. TLS_RSA_WITH_RC4_128_SHA

Note

The final two cipher suites use the RC4 algorithm and are deprecated because they are not secure. You might also consider the TLS_RSA_3DES_CBC_EDE_SHA cipher suite to be deprecated. You can use this policy to enforce all these deprecations.

For information about configuring DTLS v1.2, see Adaptive transport in the Citrix Virtual Apps and Desktops documentation.

Note

When you upgrade or install Citrix Workspace app for Windows for the first time, add the latest template files to the local GPO. For more information about adding template files to the local GPO, see Configuring the Group Policy Object administrative template. In case of an upgrade, the existing settings are retained when the latest files are imported.

  1. Open the Citrix Workspace app GPO administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Template > Citrix Component > Citrix Workspace > Network Routing.
  3. Select the Deprecated cipher suites policy.
  4. Select Enabled and choose from the following options:
    1. TLS_RSA_*: By default, TLS_RSA_* is selected. This option must be selected for you to use the other two cipher suites. The following cipher suites are included when you select this option:
      1. TLS_RSA_AES256_GCM_SHA384
      2. TLS_RSA_AES128_GCM_SHA256
      3. TLS_RSA_AES256_CBC_SHA256
      4. TLS_RSA_AES256_CBC_SHA
      5. TLS_RSA_AES128_CBC_SHA
      6. TLS_RSA_3DES_CBC_EDE_SHA
    2. TLS_RSA_WITH_RC4_128_MD5: Select this option to use the RC4-MD5 cipher suite.
    3. TLS_RSA_WITH_RC4_128_SHA: Select this option to use the RC4_128_SHA cipher suite.
  5. Click Apply and OK.
  6. Run gpupdate /force for the changes to take effect.
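The option dependency in step 4, as an added example that is not Citrix code: a Python model of the three options that works out the smallest selection keeping a given set of suites usable, and which other deprecated suites that selection enables as a side effect. The function names and the sample `legacy` list are assumptions made for illustration; the model treats the policy as Enabled and reads an unselected TLS_RSA_* option as allowing none of the listed suites.

```python
# Added example: models the three options of the "Deprecated cipher suites"
# policy as this page describes them. Suite names are the page's own;
# function names are hypothetical.
TLS_RSA_GROUP = frozenset({
    "TLS_RSA_AES256_GCM_SHA384", "TLS_RSA_AES128_GCM_SHA256",
    "TLS_RSA_AES256_CBC_SHA256", "TLS_RSA_AES256_CBC_SHA",
    "TLS_RSA_AES128_CBC_SHA", "TLS_RSA_3DES_CBC_EDE_SHA",
})
RC4_MD5 = "TLS_RSA_WITH_RC4_128_MD5"
RC4_SHA = "TLS_RSA_WITH_RC4_128_SHA"


def allowed_deprecated(tls_rsa=True, rc4_md5=False, rc4_sha=False):
    """Deprecated suites usable when the policy is Enabled with these options."""
    if not tls_rsa:
        # The RC4 options only take effect when TLS_RSA_* is selected.
        return frozenset()
    extra = {s for s, on in ((RC4_MD5, rc4_md5), (RC4_SHA, rc4_sha)) if on}
    return TLS_RSA_GROUP | extra


def plan_selection(required):
    """Smallest option set that keeps every suite in `required` usable.

    Returns (options, collateral, ungoverned): the options to select, the
    deprecated suites that become usable without being required, and the
    names this policy does not govern.
    """
    required = set(required)
    governed = TLS_RSA_GROUP | {RC4_MD5, RC4_SHA}
    ungoverned = sorted(required - governed)
    needed = required & governed
    options = {
        "tls_rsa": bool(needed),
        "rc4_md5": RC4_MD5 in needed,
        "rc4_sha": RC4_SHA in needed,
    }
    collateral = sorted(allowed_deprecated(**options) - needed)
    return options, collateral, ungoverned


if __name__ == "__main__":
    # Constructed input: suites a hypothetical legacy backend still needs.
    legacy = ["TLS_RSA_AES128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]
    options, collateral, ungoverned = plan_selection(legacy)
    print("select:", [name for name, on in options.items() if on])
    print("also enabled as a side effect:", collateral)
```

Because TLS_RSA_* is a single option covering six suites, keeping one RC4 suite usable also keeps the AES and 3DES TLS_RSA suites usable; the `collateral` list makes that visible before the policy is changed.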

The following table lists the cipher suites in each set:

[Image: table of the cipher suites in each set]
