In this blog will discuss about troubleshooting SSL error when we try to connect from Horizon View Client to Unified Access Gateway.
What is SSL?
SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers.
Hence it create a safe connection between the client and server which transmits data.
SSL/TLS works by binding the identities of entities to cryptographic key pairs.
Each key pair consists of a private key and a public key. The private key is kept secure, and the public key can be widely distributed via a certificate
What is SSL Certificate?
SSL certificates are what enable websites to move from HTTP to HTTPS, which is more secure. It ensure that the user information sent over a website is safe and encrypted.
SSL certificates contain information about the domain of the website, the owner’s address and other relevant information.
Customize the look of your media by making it widescreen or small and easily align media inside your posts.
There can be several reason for SSL Error. Few of them are :
SSL / TLS mismatch between client and Server
Security Software or firewall might block access to a website
Time Sync between Client and Server
Having invalid or untrusted Certificates
Unsupported Key Size
Troubleshooting:
SSL encryption / decryption happen between "Application" & "Transport" layer.
The best way to troubleshoot and understand why SSL error is happening is to run Wireshark on Client machine and TCPDump on UAG.
Upon looking at the TCPDump file we found after Client and Server exchange Hello and Client Key exchange, the packet RST was noticed.
Prior to RST packet we see "Encrypted Alert" sent by Client to Server.
Encrypted Alert" is a "Close Notify" message to initialize the closure of a SSL/TLS session. This will be sent by Server. But in our case, client is sending the "Encrypted Alert" prior to server.
SSL “Alert (21) describes that decryption got failed. It is defined as: “Decryption of a TLSCiphertext record is decrypted in an invalid way: either it was not an even multiple of the block length or its padding values, when checked, were not correct.
Resolution:
Make sure TLS Encryption is enable on the Client machine.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001