I came across this issue with a Dell Wyse thin client on a project recently. the thin clients in use covered several different models but they all had the same issue and the majority were using an up to date firmware revision (8.5). The setup for the deployed environment included external NetScalers with the Gateway VIP using SNI. SNI allows you to bind more than a single SSL certificate to a VIP. This can be useful in situations such as GSLB configurations where the GSLB Gateway certificate could be remote.company.com but the Optimal gateway routing could be *.gslb.company.com as an example.
Everything was working perfectly until we tried migrating branch offices with a simple ADSL or similar internet connection so all users needed to connect via the Gateway VIP. However when users tried to connect with the Dell Wyse thin clients they would type in their credentials and be immediately given an error message indicating a SSL no Cipher match and log files on the thin client would specify ERR_SSL_NO_CIPHER_MATCH.
We checked the usual things for thin clients ensuring that all the certificates were imported into the clients and the chaining was correct but that didn’t help.
The NetScalers we built were hardened to get the A+ rating on the SSLlabs test so I removed the hardened cipher group and re-added the default Cipher group but still got the SSL No Cipher Match error.
So I broke out wireshark and soon came across the issue.
When you enable SNI support the NetScaler has two (or more) possible certificates to secure your connection to the Gateway. In order for the NetScaler to know which certificate to use the CLIENT HELLO packet is used from the client to the NetScaler. Inside the initial packet there are a number of extended attributes one of which is server_name. When the client hello sends the server_name within the packet the NetScaler then returns a Server Hello with the list of Ciphers and the correct SSL certificate and everything continues as normal.
However the Dell Wyse thin clients being used were not including this attribute so the NetScaler didn’t return the Server Hello and the connection fails generating the SSL Cipher Mismatch error on the clients. This can be proved by temporarily disabling SNI and binding only a single SSL certificate to the VIP. With the same Ciphers and everything else the connections will now work.
At present there is no fix for the issue on the thin clients but I believe that Dell are working on a resolution but for the mean time if you need the clients to connect to a NetScaler Gateway you will likely need to create a new Gateway VIP with a single certificate bound and SNI enabled until the fix is generally available.
Author: Dale Scriven
Subscribe to vhorizon
DisclaimerThis blog and any other post made by me on the internet is representative of my views only, they are not the views of my past/current/future employers.