To achieve greater security, you can ensure that communications that use the SSL/TLS protocol between Horizon Clients and virtual machine-based desktops or RDS hosts do not allow weak ciphers.

About this task

The configuration for disabling weak ciphers is stored in the Windows registry. Changes to these settings must be done on all machines that run View Agent Direct-Connection Plug-In.

Note:

These settings affect all use of SSL/TLS on the operating system.

Both SSL 3.0 and TLS 1.0 (RFC 2246) with INTERNET-DRAFT 56-bit Export Cipher Suites For TLS (draft-ietf-tls-56-bit-ciphersuites-00.txt) provide options to use different cipher suites. Each cipher suite determines the key exchange, authentication, encryption, and MAC algorithms used within an SSL/TLS session.

Prerequisites

You need to have experience editing Windows registry keys using the Regedt32.exe registry editor.

Procedure

  1. Start Registry Editor Regedt32.exe, and locate this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  2. Make the following registry changes for your Windows version:

     Windows Version    Registry Changes
     XP SP3             • In subkey \Ciphers\DES 56/56, add a DWORD value Enabled with a value of 0x0.
                        • In subkey \Hashes\MD5, add a DWORD value Enabled with a value of 0x0.
     Vista and Later    • In subkey \Hashes, create a subkey MD5.
                        • In subkey \Hashes\MD5, add a DWORD value Enabled with a value of 0x0.
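The registry changes in the table above, scripted as an added example that is not part of the VMware Horizon documentation. The function names (Disable-SchannelAlgorithm, Test-SchannelAlgorithmDisabled) and the per-version table are this example's own. It uses the .NET Microsoft.Win32.Registry API rather than New-Item/New-ItemProperty because the PowerShell registry provider treats the "/" in "DES 56/56" as a path separator and cannot create that subkey by path. Run it from an elevated PowerShell prompt on each machine that runs View Agent Direct-Connection Plug-In; it picks the table row from the OS version, applies the Enabled = 0 values, and reads each one back.

```powershell
# Added example, not from the VMware Horizon documentation.
# Applies the SCHANNEL changes from the procedure above and verifies them.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys (relative to SCHANNEL) that receive a DWORD Enabled = 0,
# one entry per row of the table above.
$Changes = @{
    'XP SP3'          = @('Ciphers\DES 56/56', 'Hashes\MD5')
    'Vista and Later' = @('Hashes\MD5')
}

function Disable-SchannelAlgorithm {
    param([Parameter(Mandatory)] [string] $RelativeSubkey)

    # CreateSubKey opens the key when it already exists and creates it
    # otherwise, which covers the "create a subkey MD5" step for Vista and later.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelPath\$RelativeSubkey")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Test-SchannelAlgorithmDisabled {
    param([Parameter(Mandatory)] [string] $RelativeSubkey)

    # Returns $true only when the subkey exists and Enabled is a DWORD equal to 0.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelPath\$RelativeSubkey")
    if ($null -eq $key) { return $false }
    try {
        $value = $key.GetValue('Enabled')
        return (($null -ne $value) -and
                ($key.GetValueKind('Enabled') -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                ([int]$value -eq 0))
    } finally {
        $key.Close()
    }
}

# Select the table row for this machine: Windows XP reports major version 5,
# Vista and later report 6 or higher.
$osVersion = [System.Environment]::OSVersion.Version
$row = if ($osVersion.Major -lt 6) { 'XP SP3' } else { 'Vista and Later' }

foreach ($subkey in $Changes[$row]) {
    Disable-SchannelAlgorithm -RelativeSubkey $subkey
    $state = if (Test-SchannelAlgorithmDisabled -RelativeSubkey $subkey) { 'disabled' } else { 'NOT disabled' }
    Write-Output ("{0,-16} SCHANNEL\{1}: {2}" -f $row, $subkey, $state)
}
```

Test-SchannelAlgorithmDisabled can also be run on its own, for example from a configuration audit, to confirm that a machine still carries the expected values; it deliberately checks the value kind, because SCHANNEL reads Enabled as a DWORD and a REG_SZ "0" would not have the intended effect.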

Results

  • For Windows XP SP3, the registry changes ensure that only the following ciphers are available:

    • SSLv3 168 bits DES-CBC3-SHA

    • SSLv3 128 bits RC4-SHA

    • TLSv1 168 bits DES-CBC3-SHA

    • TLSv1 128 bits RC4-SHA

  • For Windows Vista and later, the registry changes ensure that only the following ciphers are available:

    • SSLv3 168 bits DES-CBC3-SHA

    • SSLv3 128 bits RC4-SHA

    • TLSv1 256 bits AES256-SHA

    • TLSv1 128 bits AES128-SHA

    • TLSv1 168 bits DES-CBC3-SHA

    • TLSv1 128 bits RC4-SHA

Note:

When connecting to a Windows XP virtual desktop from Horizon Client, you may need to configure the cipher list that is supported by the client to include a cipher from the supported list on Windows XP. For example, you may need to configure the client to additionally support TLSv1 128 bits RC4-SHA. By default, Horizon Client no longer supports this cipher.

If the client is not configured to support any cipher that is supported by the virtual desktop operating system, the TLS/SSL negotiation will fail and the client will be unable to connect.

For information on configuring supported cipher suites in Horizon Clients, refer to Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.