July 09, 2025
Changes to cipher suites required by Citrix Cloud
Summary
As part of Citrix Cloud’s ongoing efforts to enhance security and ensure compliance, including the adoption of TLS 1.3, support for the following outdated Diffie-Hellman cipher suites will be removed.
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Deprecation Timeline
This change is targeted to be rolled out by {INSERT DATE}.
Who Is Affected?
- Customers connecting to the Citrix Cloud control plane from Windows Server 2012 R2
- User agents and applications connecting to Citrix Cloud with the deprecated DHE cipher suites
Why Is This Necessary?
These DHE cipher suites are less performant, and modern standards are converging on TLS 1.3 and ECDHE key exchange. Continuing support for these TLS 1.2 ciphers limits the ability to roll out stronger security configurations system-wide, such as TLS 1.3.
Recommended Action
1. Review Current Cipher Suite Usage
Ensure that your systems and applications are configured to negotiate TLS 1.3 or at least one of the supported go-forward TLS 1.2 cipher suites.
Cipher suites supported on {INSERT DATE}:
- TLS_AES_128_GCM_SHA256 (TLS 1.3)
- TLS_AES_256_GCM_SHA384 (TLS 1.3)
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2. Windows Operating System Support
Upgrade all Citrix Cloud administrator endpoints and Cloud Connectors to Windows Server 2016 or later. These versions natively support the ECDHE-AES-GCM cipher suites and are fully compatible with modern TLS 1.2 and 1.3 standards.
Recommended Strong Ciphers for TLS 1.2 Connections from Windows Server 2016, 2019, or 2022:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
You may refer to the Citrix Cloud Secure Deployment guide for further recommendations.
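For the "Review Current Cipher Suite Usage" step, one way to check what a client actually offers is to read the cipher suite list out of a captured TLS ClientHello and compare it with the two lists in this notice. The following is an added example, not Citrix code; it assumes the ClientHello fits in a single TLS record and that the supported list above is complete, and the function names and sample clients are constructed for illustration.

```python
import struct

# IANA code points for the suites named in the notice (names from the page).
REMOVED = {0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
           0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"}
GO_FORWARD = {0x1301: "TLS_AES_128_GCM_SHA256",
              0x1302: "TLS_AES_256_GCM_SHA384",
              0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
              0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
              0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
              0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}

def offered_suites(record):
    """Return the cipher suite code points offered in one ClientHello record."""
    # 5-byte record header, 4-byte handshake header, version (2), random (32)
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    pos = 43 + 1 + record[43]                  # skip the session_id
    if pos + 2 > len(record):
        raise ValueError("truncated ClientHello")
    (size,) = struct.unpack_from("!H", record, pos)
    suites = record[pos + 2:pos + 2 + size]
    if size % 2 or len(suites) != size:
        raise ValueError("malformed cipher_suites vector")
    return [code for (code,) in struct.iter_unpack("!H", suites)]

def review(record):
    """Classify one client against the removed and go-forward lists."""
    codes = offered_suites(record)
    usable = [GO_FORWARD[c] for c in codes if c in GO_FORWARD]
    removed = [REMOVED[c] for c in codes if c in REMOVED]
    verdict = "blocked" if not usable else "cleanup" if removed else "ok"
    return {"verdict": verdict, "usable": usable, "removed": removed}

def sample_client_hello(codes):
    """Constructed input: a minimal ClientHello with no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(codes))
    body += b"".join(struct.pack("!H", c) for c in codes) + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed clients: 0x002F is TLS_RSA_WITH_AES_128_CBC_SHA, not on either list.
LEGACY = sample_client_hello([0x009F, 0x009E, 0x002F])
MODERN = sample_client_hello([0x1302, 0xC030, 0x009F])

if __name__ == "__main__":
    for label, hello in (("legacy", LEGACY), ("modern", MODERN)):
        print(label, review(hello))
```

A "blocked" verdict means the client offers none of the go-forward suites; "cleanup" means it will still connect but continues to offer a removed DHE suite.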