michaelcolson.com » ssl

SSL Error 47 with Citrix Password Manager

michael — Wed, 03 Mar 2010 18:58:48 +0000

SSL Certificates play a big role in a Citrix Password Manager deployment. They help to ensure the password data in the central store is genuine and they also allow for encrypted communications between the Password Manager service and the Password Manager agent. There are lots of things that can go wrong with certificates that will stall your Password Manager deployment.

I recenty ran across this little gem:

[error] SSL Library Error 47 on pm.domain.com:443 with peer 10.20.30.40: An unclassified SSL network error occurred. (error code: error:1408A0C1:lib(20):func(138):reason(193)) [warn] SSL handshake from client failed

Well… now isn’t that just so helpful. After verifying and re-verifying my certificate setup I wasn’t getting anywhere. I ended up opening the httpd.conf file that the Citrix XTE service depends on and noticed a line near the bottom:

#Allowed CipherSuite (ALL,COM,GOV) SSLCipherSuite GOV

I didn’t go to the trouble to lookup what ‘exactly’ this means but I theorized that I don’t really want to limit what kind of SSL cipher I can use so why not change it to read:

SSLCipherSuite ALL

After making that simple, three letter change, I was now able to hit the Citrix Password Manager service URL from a web browser and I saw the SSL Error 47 messages in my error.log dissappear.

Hopefully this will save someone else the hours of troubleshooting that I spent on this one.

Autodiscover Service with Wildcard Certificate

michael — Wed, 17 Oct 2007 20:52:30 +0000

This change was required on the Exchange 2007 Client Access Server (CAS) in order for clients to accept the wildcard certificate that through the Autodiscover Service (AS) for Outlook Anywhere.

Command:
Set-OutlookProvider expr -CertPrincipalName:"msstd:*.domain.com"

Verification:
Get-OutlookProvider |fl
Look for the property EXPR called CertPrincipalName

SSL Certificates on Windows Mobile

michael — Wed, 12 Jul 2006 18:54:47 +0000

Dealing with certificates on a Windows Mobile device can be somewhat of an adventure. For starters, no version of Windows Mobile supports wildcard certificates.

If you are using one of the cheaper and often times less trusted CA’s like a RapidSSL then chances are, you will need to add the Intermediate CA to the Windows Mobile device to get the SSL certificate to work. I have personally had more success in deploying the CA certificate through a CAB file. There are some excellent directions on how to package a certificate in a CAB over at the amset.info site: http://www.amset.info/pocketpc/certificates3.asp.