About this task
With View Agent 6.2.1 and later releases, by default, the HTML Access Agent uses only TLS 1.1 and TLS 1.2. The protocols that are allowed are, from low to high, TLS 1.0, TLS 1.1, and TLS 1.2. Older protocols such as SSLv3 and earlier are never allowed. Two registry values,
SslProtocolHigh, determine the range of protocols that HTML Access Agent will accept. For example, setting
SslProtocolHigh=tls_1.2 will cause the HTML Access Agent to accept TLS 1.0, TLS 1.1, and TLS 1.2. The default settings are
You must specify the list of ciphers using the format that is defined in https://www.openssl.org/docs/manmaster/man1/ciphers.html, under the section CIPHER LIST FORMAT. The following cipher list is the default:
- Start the Windows Registry Editor.
- Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry key.
- Add two new string (REG_SZ) values,
SslProtocolHigh, to specify the range of protocols.
The data for the registry values must be
tls_1.2. To enable only one protocol, specify the same protocol for both registry values. If any of the two registry values does not exist or if its data is not set to one of the three protocols, the default protocols will be used.
- Add a new string (REG_SZ) value,
SslCiphers, to specify a list of cipher suites.
Type or paste the list of cipher suites in the data field of the registry value. For example,
- Restart the Windows service VMware Blast.
To revert to using the default cipher list, delete the SslCiphers registry value and restart the Windows service VMware Blast. Do not simply delete the data part of the value because the HTML Access Agent will then treat all ciphers as unacceptable, in accordance with the OpenSSL cipher list format definition.
When the HTML Access Agent starts, it writes the protocol and cipher information to its log file. You can examine the log file to determine the values that are in force.
The default protocols and cipher suites might change in the future in accordance with VMware's evolving best practices for network security.