Starting with View Agent 6.2, you can configure the cipher suites that HTML Access Agent uses by editing the Windows registry. Starting with View Agent 6.2.1, you can also configure the security protocols used. You can also specify the configurations in a group policy object (GPO).

About this task

With View Agent 6.2.1 and later releases, by default, the HTML Access Agent uses only TLS 1.1 and TLS 1.2. The protocols that are allowed are, from low to high, TLS 1.0, TLS 1.1, and TLS 1.2. Older protocols such as SSLv3 and earlier are never allowed. Two registry values, SslProtocolLow and SslProtocolHigh, determine the range of protocols that HTML Access Agent will accept. For example, setting SslProtocolLow=tls_1.0 and SslProtocolHigh=tls_1.2 will cause the HTML Access Agent to accept TLS 1.0, TLS 1.1, and TLS 1.2. The default settings are SslProtocolLow=tls_1.1 and SslProtocolHigh=tls_1.2.

You must specify the list of ciphers using the format that is defined in https://www.openssl.org/docs/manmaster/man1/ciphers.html, under the section CIPHER LIST FORMAT. The following cipher list is the default:

ECDHE-RSA-AES256-SHA:AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL

Procedure

  1. Start the Windows Registry Editor.
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry key.
  3. Add two new string (REG_SZ) values, SslProtocolLow and SslProtocolHigh, to specify the range of protocols.

    The data for the registry values must be tls_1.0, tls_1.1, or tls_1.2. To enable only one protocol, specify the same protocol for both registry values. If any of the two registry values does not exist or if its data is not set to one of the three protocols, the default protocols will be used.

  4. Add a new string (REG_SZ) value, SslCiphers, to specify a list of cipher suites.

    Type or paste the list of cipher suites in the data field of the registry value. For example,

    ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL
  5. Restart the Windows service VMware Blast.

Results

To revert to using the default cipher list, delete the SslCiphers registry value and restart the Windows service VMware Blast. Do not simply delete the data part of the value because the HTML Access Agent will then treat all ciphers as unacceptable, in accordance with the OpenSSL cipher list format definition.

When the HTML Access Agent starts, it writes the protocol and cipher information to its log file. You can examine the log file to determine the values that are in force.

The default protocols and cipher suites might change in the future in accordance with VMware's evolving best practices for network security.