Citrix java ssl problem

Asked by Linatux

I am running Ubuntu (hardy) 32bit on AMD64 CPU.

Until recently I've been able to use Firefox to connect (https) to a site that starts a windows desktop (nfuse/citrix).
I can still connect to the site, but cannot start the desktop. I get the following message from java (sun java 6).

A local security certificate could not be loaded. (error code: 7)
    at com.citrix.sdk.security.ssl.ConnectionModel.addCACertificate(ConnectionModel.java)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.citrix.client.io.net.ip.m.h(Unknown Source)
    at com.citrix.client.io.net.ip.proxy.i.<init>(Unknown Source)
    at com.citrix.client.io.net.ip.g.a(Unknown Source)
    at com.citrix.client.io.net.ip.o.a(Unknown Source)
    at com.citrix.client.module.td.tcp.TCPTransportDriver.t(Unknown Source)
    at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:619)
Caused by: The SSL cryptography library failed. The security certificate "America Online Root Certification Authority 2" has a public key of length greater than 2048 bit.
    at com.citrix.sdk.security.certificate.X509CertificateLoader.loadCertificates(X509CertificateLoader.java)
    at com.citrix.sdk.security.ssl.ConnectionModel.addCACertificate(ConnectionModel.java)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.citrix.client.io.net.ip.m.h(Unknown Source)
    at com.citrix.client.io.net.ip.proxy.i.<init>(Unknown Source)
    at com.citrix.client.io.net.ip.g.a(Unknown Source)
    at com.citrix.client.io.net.ip.o.a(Unknown Source)
    at com.citrix.client.module.td.tcp.TCPTransportDriver.t(Unknown Source)
    at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.IllegalStateException: C=US, O=America Online Inc., CN=America Online Root Certification Authority 2
    at com.certicom.b.a.a.a.v.d(v.java)
    at com.certicom.b.a.a.a.v.b(v.java)
    at com.certicom.b.a.a.a.v.<init>(v.java)
    at com.certicom.b.a.a.a.t.a(t.java)
    at com.certicom.b.a.a.a.t.a(t.java)
    at com.citrix.sdk.security.certificate.X509CertificateLoader.loadCertificates(X509CertificateLoader.java)
    at com.citrix.sdk.security.ssl.ConnectionModel.addCACertificate(ConnectionModel.java)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.citrix.client.io.net.ip.m.h(Unknown Source)
    at com.citrix.client.io.net.ip.proxy.i.<init>(Unknown Source)
    at com.citrix.client.io.net.ip.g.a(Unknown Source)
    at com.citrix.client.io.net.ip.o.a(Unknown Source)
    at com.citrix.client.module.td.tcp.TCPTransportDriver.t(Unknown Source)
    at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:619)

Updating to the current Citrix client didn't help (& altered the permissions on the install directory (/tmp in my case) - caused a number of other problems!!!%^&*@!)

I've spent a number of hours searching for similar problems without much success.

It seems that America Online have a 4096 bit SSL key & Java isn't dealing with it.
I've no idea if/how I can ignore that key.

Any suggestions?

Question information

Language: English
Status: Expired
For: Ubuntu
Assignee: No assignee

Linatux (sean-voyce) said :
#1

Problem is with Citrix client ...
http://support.citrix.com/article/ctx107157

Not sure how to fix it yet. May be able to remove local keys larger than 2048 or may need to install valid keys of 2048.
No idea how to do either yet.....

Linatux (sean-voyce) said :
#2

Still could be fixable by using an older java version - think I'll try removing java6 & try java5...

Linatux (sean-voyce) said :
#3

Java 5 didn't help - still screwed.

Found a Java thingy for unrestricted SSL keys - didn't help
Removed the America Online 2 key from Firefox - no good
Renamed the America Online 2 pem file - nope

Can't believe Windows does this better than Ubuntu! Getting frustrated.

Linatux (sean-voyce) said :
#4

still stuck - sigh!

Paul Hobart (pmatthews) said :
#5

I rolled back from "Java 6 Update 7" to "Java 6 update 5" and this went away.
I'm using firefox but I had 3 other users with same problem and fixed all by going back to update 5.
1 x XP with IE6 user, 1x Vista with IE user.

Linatux (sean-voyce) said :
#6

I'm having trouble downgrading java as I'm missing pre-req's & apt-get -f install just brings me back up to date again.
Any hints as to how to go about it in ubuntu? (Intrepid now)

Paul Hobart (pmatthews) said :
#7

Only clue I can give is to try this. It's a long shot though.
Try setting the association for .ica files to the wfica.exe in the Citrix client directory.
The problem isn't actually a Java one, it's the install not being right for the client. This might help.

Linatux (sean-voyce) said :
#8

http://archive.ubuntu.com/ubuntu/pool/multiverse/s/sun-java6/ has older versions of Java.
Download relevant packages & dpkg -i *.deb
fails as libstdc++5 missing, so apt-get install libstdc++5 - java packages then install OK?

Will test this tonight...

Launchpad Janitor (janitor) said :
#9

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Linatux (sean-voyce) said :
#10

Still broken.

Launchpad Janitor (janitor) said :
#11

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Linatux (sean-voyce) said :
#12

Moved on to Jaunty - still can't get citrix working!
Tried several versions of java to no avail$%$%&*^@!!

Launchpad Janitor (janitor) said :
#13

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Linatux (sean-voyce) said :
#14

Someone helpful sent me a link - I don't have it handy, will update later...

Downloaded an older version of java, ran the install (can probably extract some other way) & copied the "cacerts" file over the current ones (made backup copies 1st). I had 4 lying about (much hacking on this problem) so replaced them all.

Fired up my connection & all working now. YAY!!!

The cacerts file was about 26k. I actually ran the install on another computer - just copied the file to this one.

Will try and post the link & name of the helpful bloke :-)

Launchpad Janitor (janitor) said :
#15

This question was expired because it remained in the 'Open' state without activity for the last 15 days.
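
Comments #1 and #3 above consider removing only the CA certificates whose keys are larger than 2048 bits, while comment #14 replaces the whole cacerts file. As an added example (not part of the original thread and not Citrix or Ubuntu code), the shell functions below list the certificates in a PEM bundle whose public key exceeds a limit, so the entries the client rejects can be identified individually; the function names and the 2048-bit default are choices made here, and the `openssl` command is assumed to be installed.

```shell
#!/bin/sh
# Added example: report certificates in a PEM bundle whose public key is
# larger than a given size. Function names are hypothetical, not from the page.

# Print the public key size in bits of the first certificate in a PEM file.
# Prints nothing if the file cannot be parsed as a certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' |
        head -n 1
}

# Usage: oversized_ca_certs BUNDLE.pem [MAX_BITS]
# Prints "BITS<TAB>SUBJECT" for each certificate with a key above MAX_BITS.
oversized_ca_certs() {
    bundle=$1
    max_bits=${2:-2048}   # assumption: the limit named in the error message
    tmp=$(mktemp -d) || return 1

    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%04d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"

    for f in "$tmp"/cert*.pem; do
        [ -f "$f" ] || continue
        bits=$(cert_key_bits "$f")
        [ -n "$bits" ] || continue
        if [ "$bits" -gt "$max_bits" ]; then
            printf '%s\t%s\n' "$bits" "$(openssl x509 -in "$f" -noout -subject)"
        fi
    done
    rm -rf "$tmp"
}

# Run directly: sh script.sh bundle.pem [max_bits]
if [ "$#" -gt 0 ]; then
    oversized_ca_certs "$@"
fi
```

A Java cacerts keystore can be turned into such a bundle with `keytool -list -rfc -keystore <path> -storepass <password>`, saving the output to a file first.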