
Citrix connectivity

Hello, I have a new MacBook with Leopard. I need to connect to our Citrix farm at work. I've downloaded and followed the Citrix Administrator's manual for the Mac client but cannot connect.
I've tried two approaches. First was using our secure gateway to access the published applications. The Java client fires and then stops with an error stating the certificate "is not suitable for SSL connections - unsuitable Netscape usage extension field".
I then installed the latest Citrix client loaded (Universal 10.0). It says it connects in the connection status line then it returns error "Connection to server ... failed, error 51". If I provide the user credentials it fails with "SSL Error 4: A network error occurred", error number 183. I've plugged these into the Citrix site with no resolutions found.
Thanks in advance!
Terry

MacBook, Mac OS X (10.5.1)

Posted on Dec 11, 2007 12:18 PM


Dec 18, 2007 7:54 AM in response to tcole@tsrc.com

I get the same problem trying to connect to our medical management server through a secure citrix connection. The same error message comes up. When I click "details..." the following log is present. I can connect through Firefox, but would prefer to solve this security issue and use Safari.

Thanks for any help.

Log:

com.citrix.sdk.jsse.CitrixSSLException: The security certificate "VeriSign Class 3 Secure Server CA" is not suitable for use in SSL connections. Reason: Unsuitable Netscape Usage Extension field.
at com.citrix.sdk.jsse.SocketFactory.createSslSocket(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.citrix.client.io.net.ip.proxy.o.a(Unknown Source)
at com.citrix.client.io.net.ip.z.a(Unknown Source)
at com.citrix.client.io.net.ip.z.a(Unknown Source)
at com.citrix.client.module.td.tcp.TCPTransportDriver.s(Unknown Source)
at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
at java.lang.Thread.run(Thread.java:613)
Caused by: javax.net.ssl.SSLHandshakeException: com.citrix.sdk.jsse.i
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
... 11 more
Caused by: com.citrix.sdk.jsse.i
at com.citrix.sdk.jsse.b.f(Unknown Source)
at com.citrix.sdk.jsse.b.a(Unknown Source)
at com.citrix.sdk.jsse.b.c(Unknown Source)
at com.citrix.sdk.jsse.a.a(Unknown Source)
at com.citrix.sdk.jsse.a.a(Unknown Source)
at com.citrix.sdk.jsse.a.a(Unknown Source)
at com.citrix.sdk.jsse.a.a(Unknown Source)
at com.citrix.sdk.jsse.c.checkServerTrusted(Unknown Source)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 18 more

Jan 25, 2008 6:23 PM in response to Othermatt

It appears that this particular "intermediate" certificate from VeriSign is not included by Apple in the root certificates. A bill pay website from Embarq (formerly Sprint) uses an SSL certificate that is signed by "VeriSign Class 3 Secure Server CA", just like the certificate you have. On my systems, both Safari and Firefox complain that the certificate authority is unknown (though they will let you proceed).

To stop this, you can:
1. Go to this page ( http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html) and save the contents of the text box into a PLAIN TEXT file using TextEdit. Give the file a .cer extension instead of .txt. (If it has .rtf you didn't make a plain text file.)
2. Open Keychain Access and do File/Import Items
3. Select the .cer file you created. You should see a new "VeriSign Class 3 Secure Server CA" certificate in the items list, and you should no longer get the certificate warning.

I'm not sure that'll fix Citrix, but you never know.

Message was edited by: giskard22
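
The error quoted in this thread names a "Netscape Usage Extension field". As an added example (not from any poster or from Citrix), and assuming the message refers to the Netscape certificate-type extension (nsCertType, OID 2.16.840.1.113730.1.1), this sketch decodes that extension and reports whether it permits use as an SSL CA or SSL server. The sample bytes and the acceptance policy in `suitable_for_ssl` are constructed for illustration.

```python
# Added example: decode nsCertType (assumed to be the "Netscape Usage Extension").
NS_CERT_TYPE_OID = bytes.fromhex("6086480186f8420101")  # 2.16.840.1.113730.1.1
NS_BITS = ["ssl_client", "ssl_server", "smime", "object_signing",
           "reserved", "ssl_ca", "smime_ca", "object_signing_ca"]

# Constructed sample Extension values (not taken from any real certificate).
CA_WITHOUT_SSL_BIT = bytes.fromhex("301106096086480186f8420101040403020003")
CA_WITH_SSL_BIT = bytes.fromhex("301106096086480186f8420101040403020106")
BASIC_CONSTRAINTS = bytes.fromhex("300c0603551d13040530030101ff")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element with a definite length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def ns_cert_type(extension_der):
    """Return the set of nsCertType flags, or None if this is another extension."""
    tag, body, _ = read_tlv(extension_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != NS_CERT_TYPE_OID:
        return None
    tag, value, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the value
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = read_tlv(value, 0)
    if tag != 0x03 or len(bits) < 2:
        raise ValueError("nsCertType must be a non-empty BIT STRING")
    # bits[0] is the unused-bit count; flag i is bit (0x80 >> i) of bits[1].
    return {name for i, name in enumerate(NS_BITS) if bits[1] & (0x80 >> i)}

def suitable_for_ssl(flags, is_ca):
    """Assumed policy: no extension means no restriction; else the role bit must be set."""
    if flags is None:
        return True
    return ("ssl_ca" if is_ca else "ssl_server") in flags

if __name__ == "__main__":
    for name, ext in [("no SSL CA bit", CA_WITHOUT_SSL_BIT), ("SSL CA bit", CA_WITH_SSL_BIT)]:
        flags = ns_cert_type(ext)
        print(name, sorted(flags), suitable_for_ssl(flags, is_ca=True))
```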

Feb 29, 2008 1:46 PM in response to tcole@tsrc.com

Hey, what helped me was downloading the most recent icaclientpackage.
As it is a secured server I've to log in, with client editor I changed the settings to HTTPS mode, also change that with default settings tab.
Further no URLs or anything defined, that's it. Also ensure that both client editor and ICA are started when you start your comp.
When logging in to your server out there check what the preferences are for the ica client. Mine stood at Client for Java something, but the other option was 'local client'. I changed to the latter, and from there on the thing went very smooth. My applications are running now. Only one small problem, now and then a windows screen opens, telling me that my registry is not sufficient to run the applications. I then have to reboot and it's fine again. In case anyone knows how to solve this little hiccup, appreciated.
Hope this helps some of you. Good luck.

Apr 30, 2008 7:01 PM in response to tcole@tsrc.com

I may have a solution that just worked for me - as I was having the same Error 51 message when trying to connect to work through citrix. Try this:

Go to Finder & click on the name of your computer under "places" - from there go to "Library" - from there go to "Preferences" - from there look for a file called "Citrix ICA Client" & Delete it. Then go back & try to restart your citrix connection & it should work. (Make sure you quit your citrix connection before you try to restart it).

This worked for me & I got back in w/no issue & tested several times thereafter.

Good Luck-
Paul

Jun 16, 2008 5:59 PM in response to PCiara

Firefox works for me. It makes the connection flawlessly, but I get error messages when I try to run programs in the Citrix environment. Firefox pops up a button that asks if I want to retry. I say yes and in a second the Firefox menu has an underlined "open" after the Citrix program I'm trying to download. I click it and voila!

I know this is a kludge, but I have used it successfully for months.

I am running OSX 10.5.3 on a dual Intel iMac. I downloaded the Citrix ICA Client for Mac.

Mark

Jun 22, 2008 6:39 AM in response to tcole@tsrc.com

I have tried both safari and firefox and ultimately end up at the same place. Below is the detail behind "Unsuitable Netscape extension"
I tried a variety of approaches and have come up empty.

com.citrix.sdk.jsse.CitrixSSLException: The security certificate "OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network" is not suitable for use in SSL connections. Reason: Unsuitable Netscape Usage Extension field.
at com.citrix.sdk.jsse.SocketFactory.createSslSocket(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.citrix.client.io.net.ip.proxy.o.a(Unknown Source)
at com.citrix.client.io.net.ip.z.a(Unknown Source)
at com.citrix.client.io.net.ip.z.a(Unknown Source)
at com.citrix.client.module.td.tcp.TCPTransportDriver.s(Unknown Source)
at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
at java.lang.Thread.run(Thread.java:613)
Caused by: javax.net.ssl.SSLHandshakeException: com.citrix.sdk.jsse.i
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
... 11 more
Caused by: com.citrix.sdk.jsse.i
at com.citrix.sdk.jsse.b.f(Unknown Source)
at com.citrix.sdk.jsse.b.a(Unknown Source)
at com.citrix.sdk.jsse.b.c(Unknown Source)
at com.citrix.sdk.jsse.a.a(Unknown Source)
at com.citrix.sdk.jsse.a.a(Unknown Source)
at com.citrix.sdk.jsse.a.a(Unknown Source)
at com.citrix.sdk.jsse.a.a(Unknown Source)
at com.citrix.sdk.jsse.c.checkServerTrusted(Unknown Source)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 18 more

Jun 22, 2008 1:47 PM in response to fsuchy3

You seem to be from Georgia. If you are using the CDC system, the method below works flawlessly in the new Safari and acceptably in Firefox.

1. Go to the Citrix website and sign up for a free membership at http://www.citrix.com/English/ss/downloads/index.asp?ntref=hpnavUS Then sign in and you can download the latest Mac version (10.00.601) of the Citrix ICA for Mac (released 6/2008) from https://www.citrix.com/English/ss/downloads/details.asp?downloadId=3247&productId=186.

2. Unstuff and install the program, which should be in Applications/Citrix. There is a client and editor.

3. Be sure to quit your web browser and then restart it.

4. Log in to your Citrix server.

Notes:

In Safari, this works seamlessly. You may see a window popping up when the client downloads the little Launch ICA file. Ignore any messages that your server has disconnected.

In Firefox, it works acceptably. Firefox downloads the Launch ICA file, but can't open it the first time. When the downloads window pops up, just click on the Launch ICA file to reopen it and it works fine.

Don't waste time on the Citrix Java version, which apparently only works with ancient versions of Java. You can't dumb your system down enough to make this work.

The new client works seamlessly to print on my local printer through either browser.

I'm working on an Intel iMac. This may not work on a PowerPC system -- but Citrix has a client for it.

Jun 26, 2008 5:41 PM in response to markewhite

I find this post interesting because when I downloaded the Citrix client (also using it for medical management/records software), I kind of have the exact opposite problem. It will not let me log in with Safari, with the program embedded into the web browser. It tells me I don't have the SSL certificates blah blah. However, when I use Firefox it will download and automatically load the launch-ica file and I'm in just fine. Any suggestions to correct the Safari issue?? Thanks.

Josh
