Global acceptance and proposal policies enable certain security protocols and cipher suites by default.

The following tables list the protocols and cipher suites that are enabled by default for Horizon Client 4.2, 4.1, 4.0.1, 4.0, and 3.x on Windows, Linux, Mac, iOS, Android, and Chrome client systems. In Horizon Client 3.1 (and later) for Windows, Linux, and Mac, these cipher suites and protocols are also used to encrypt the USB channel (communication between the USB service daemon and View Agent or Horizon Agent). For Horizon Client versions earlier than 4.0, the USB service daemon adds RC4 ( :RC4-SHA: +RC4 ) to the end of the cipher control string when it connects to a remote desktop. RC4 is no longer added starting with Horizon Client 4.0.

Horizon Client 4.2

Table 1. Security Protocols and Cipher Suites Enabled by Default on Horizon Client 4.2

Default Security Protocols

Default Cipher Suites

TLS 1.2

  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)

  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)

  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)

  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

  • TLS 1.1

  • TLS 1.0

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

TLS 1.0 is enabled by default to ensure that, by default, Horizon Client can connect to VMware Horizon Air servers. The default cipher string is !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES. You can disable TLS 1.0 if TLS 1.0 compatibility with the server is not required.

Horizon Client 4.0.1 and 4.1

Table 2. Security Protocols and Cipher Suites Enabled by Default on Horizon Client 4.0.1 and 4.1

Default Security Protocols

Default Cipher Suites

TLS 1.2

  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)

  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)

  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

  • TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

  • TLS 1.1

  • TLS 1.0

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

TLS 1.0 is enabled by default to ensure that, by default, Horizon Client can connect to VMware Horizon Air servers. The default cipher string is TLSv1:TLSv1.1:TLSv1.2:!aNULL:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH. You can disable TLS 1.0 if TLS 1.0 compatibility with the server is not required.

Horizon Client 4.0

Table 3. Security Protocols and Cipher Suites Enabled by Default on Horizon Client 4.0

Default Security Protocols

Default Cipher Suites

TLS 1.2

  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)

  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)

  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

  • TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

  • TLS 1.1

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Important:

TLS 1.0 is disabled by default. SSL 3.0 has been removed.

Horizon Client 3.5

Table 4. Security Protocols and Cipher Suites Enabled by Default on Horizon Client 3.5

Default Security Protocols

Default Cipher Suites

TLS 1.2

  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)

  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)

  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

  • TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

  • TLS 1.1

  • TLS 1.0

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Horizon Client 3.3 and 3.4

Table 5. Security Protocols and Cipher Suites Enabled by Default on Horizon Client 3.3 and 3.4

Default Security Protocols

Default Cipher Suites

  • TLS 1.1

  • TLS 1.0

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Note:

TLS 1.2 is also supported, though not enabled by default. To enable TLS 1.2, follow the instructions in VMware KB 2121183, after which the cipher suites listed in 4 are supported.

Horizon Client 3.0, 3.1, and 3.2

Table 6. Security Protocols and Cipher Suites Enabled by Default on Horizon Client 3.0, 3.1, and 3.2

Default Security Protocols

Default Cipher Suites

  • TLS 1.1

  • TLS 1.0

  • SSL 3.0 (enabled on Windows clients only)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022)

  • TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021)

  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f)

  • TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e)

  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Note:

TLS 1.2 is also supported, though not enabled by default. To enable TLS 1.2, follow the instructions in VMware KB 2121183, after which the cipher suites listed in 4 are supported.