Failed to connect to the server because of an SSL error : 1000004. SSL Error 47: The server sent an SSL alert: sslv3 alert handshake failure

Case

When trying to launch a Citrix Virtual Apps and Desktops resource via Citrix Gateway, you encounter the following error message: Failed to connect to the server because of an SSL error : 1000004. SSL Error 47: The server sent an SSL alert: sslv3 alert handshake failure (alert number unavailable).

Error 47 indicates a failure during the TLS cipher suite negotiation. The suites a server can negotiate depend on the key type of its TLS certificate (RSA or ECDSA); if the certificate only allows suites that neither the Citrix Workspace App nor the Citrix Virtual Apps and Desktops servers support, the handshake is rejected with this error. A typical trigger is replacing the TLS certificate on your NetScaler (Citrix Gateway) with one that no longer permits the RSA cipher suites and instead requires ECC (elliptic curve cryptography) suites. ECC is generally considered stronger than RSA at comparable key lengths, although, contrary to a common belief, neither ECC nor RSA is resistant to attack by a sufficiently large quantum computer.

Solution

Similar Citrix Support cases (https://discussions.citrix.com/topic/403171-ssl-error-47-sslv3-alert-handshake-failure-with-upgrade-to-1904/ and https://discussions.citrix.com/topic/402017-citrix-workspace-error-47/) indicate limited support for TLS cipher suites on the Citrix Workspace App client side. As described in the Citrix support article https://support.citrix.com/article/CTX250104/overview-of-the-crypto-kit-updates-in-citrix-workspace-for-windows-and-mac, Citrix has deprecated weak cryptography across the board. If the backend configuration is not updated to support one of the three supported strong cipher suites, you will not be able to connect. At least one of these is required:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

The resolution is to make sure the Citrix Gateway can negotiate one of the above cipher suites, which in practice means binding an RSA certificate to the Gateway vserver (all three suites authenticate with RSA) and keeping those suites enabled in its cipher group. Citrix should consider extending client support to ECC (ECDSA) suites besides RSA. The same applies to the Citrix Virtual Apps and Desktops servers, as described at: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/tls.html.

You should also check the NetScaler Gateway SSL profiles under System –> Profiles –> SSL profiles: review the frontend and backend profiles bound to your Citrix Gateway VPN vservers. The allowed TLS protocol list and cipher suites must match the protocols and suites that Citrix currently supports.
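As an added example (not from this article, Citrix or NetScaler), the following Python script performs the check described above: it offers each of the three required ECDHE-RSA suites to a gateway one at a time over TLS 1.2, plus one ECDSA suite as a control, and reports whether the gateway still negotiates an RSA suite or appears to be serving an ECC certificate. The host name gateway.example.com is a placeholder.

```python
import socket
import ssl

# IANA suite names from the Citrix article, mapped to the OpenSSL names
# that Python's ssl module (set_ciphers) understands.
REQUIRED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
}
# Control probe: an ECDSA suite. If it succeeds while every RSA suite fails,
# the gateway is most likely serving an ECC certificate (the scenario above).
ECDSA_CONTROL = "ECDHE-ECDSA-AES256-GCM-SHA384"


def probe_suite(host, port, openssl_name, timeout=5.0):
    """Offer exactly one TLS 1.2 suite. True = accepted, False = rejected,
    None = the local OpenSSL build cannot offer this suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # probing suite support, not trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(openssl_name)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == openssl_name
    except (ssl.SSLError, OSError):
        return False                    # handshake_failure alert, reset, timeout


def diagnose(results):
    """Map per-suite probe results (OpenSSL name -> True/False/None) to
    (ok, explanation), following the article's troubleshooting logic."""
    offered = [n for n in REQUIRED_SUITES.values() if results.get(n)]
    if offered:
        return True, "OK: gateway accepts " + ", ".join(offered)
    if results.get(ECDSA_CONTROL):
        return False, ("Only ECDSA suites negotiate: the bound certificate is "
                       "probably ECC; bind an RSA certificate to the vserver")
    return False, ("No ECDHE-RSA suite negotiates: check the SSL profile's "
                   "cipher group and allowed TLS versions on the vserver")


def check_gateway(host, port=443):
    """Probe every suite against a live gateway and return the diagnosis."""
    names = list(REQUIRED_SUITES.values()) + [ECDSA_CONTROL]
    return diagnose({n: probe_suite(host, port, n) for n in names})


if __name__ == "__main__":
    print(check_gateway("gateway.example.com")[1])   # placeholder host
```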
