Global acceptance and proposal policies enable certain security protocols and cipher suites by default.

The following tables list the protocols and cipher suites that are enabled by default for Horizon Client 3.x on Windows, Linux, Mac OS X, iOS, Android, and Chrome client systems. In Horizon Client 3.1 (and later) for Windows, Linux, and Mac OS X, these cipher suites and protocols are also used to encrypt the USB channel (communication between the USB service daemon and View Agent). The USB service daemon adds RC4 ( :RC4-SHA: +RC4 ) to the end of the cipher control string when it connects to a remote desktop.

Horizon Client 3.5

Table 1. Security Protocols and Cipher Suites Enabled by Default on Horizon Client 3.5

Default Security Protocols

Default Cipher Suites

TLS 1.2

  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)

  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)

  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

  • TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

  • TLS 1.1

  • TLS 1.0

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Important:

Although TLS 1.0 is enabled by default, VMware recommends disabling TLS 1.0 where possible. In future releases TLS 1.0 will be disabled by default.

Horizon Client 3.3 and 3.4

Table 2. Security Protocols and Cipher Suites Enabled by Default on Horizon Client 3.3 and 3.4

Default Security Protocols

Default Cipher Suites

  • TLS 1.1

  • TLS 1.0

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Note:

TLS 1.2 is also supported, though not enabled by default. To enable TLS 1.2, follow the instructions in VMware KB 2121183, after which the cipher suites listed in 1 are supported.

Horizon Client 3.0, 3.1, and 3.2

Table 3. Security Protocols and Cipher Suites Enabled by Default on Horizon Client 3.0, 3.1, and 3.2

Default Security Protocols

Default Cipher Suites

  • TLS 1.1

  • TLS 1.0

  • SSL 3.0 (enabled on Windows clients only)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022)

  • TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f)

  • TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Note:

TLS 1.2 is also supported, though not enabled by default. To enable TLS 1.2, follow the instructions in VMware KB 2121183, after which the cipher suites listed in 1 are supported.