Crypto-agility configuration for CDS Client is described below.
By default the DaaS Agent uses the ciphers and SSL/TLS protocols that the gSOAP library enables. The registry values below override those defaults.
- The Tenant must support the protocols, ciphers and authentication settings configured on the client side; otherwise the Client will not be able to connect to the Tenant. Confirm what the Tenant actually negotiates before tightening these settings on a fleet.
- The Agent is a 32-bit application. On a 64-bit machine the registry path is redirected to the WOW6432Node subkey (HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\...) as described in https://msdn.microsoft.com/en-us/library/windows/desktop/ms724072(v=vs.85).aspx
ClientSecureProtocols
- Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware DaaS Agent\ClientSecureProtocols
- Type: String
- Format of Value: Combination of following values separated by |
- SOAP_TLSv1
Adding this value in the registry will make the agent use one of the following protocols to communicate to the tenant: TLSv1.0, TLSv1.1, or TLSv1.2.
- SOAP_SSLv3_TLSv1
Adding this value in the registry will make the agent use either the SSLv3 or TLSv1 (v1.0, v1.1 or v1.2) protocol to communicate to the tenant.
- SOAP_SSLv3
Adding this value in the registry will make the agent use only the SSLv3 protocol to communicate to the tenant. SSLv3 is obsolete; do not enable it unless a legacy Tenant requires it.
- SOAP_TLSv1_0
Adding this value in the registry will make the agent use only the TLS v1.0 protocol to communicate to the tenant.
- SOAP_TLSv1_1
Adding this value in the registry will make the agent use only the TLS v1.1 protocol to communicate to the tenant.
- SOAP_TLSv1_2
Adding this value in the registry will make the agent use only the TLS v1.2 protocol to communicate to the tenant.
- Default Value: SOAP_TLSv1_1|SOAP_TLSv1_2
Indicates that Agent will use either TLSV1.1 or TLSV1.2 protocol to communicate to the Tenant.
ClientCipherSuites
- Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware DaaS Agent\ClientCipherSuites
- Type: String
- Format of Value: An OpenSSL cipher list string (colon-separated, with ! and + operators). See https://www.openssl.org/docs/manmaster/ssl/ciphers.html or http://openssl.cs.utah.edu/docs/apps/ciphers.html. Check a new string with OpenSSL's ciphers command before deploying it; a string that selects no cipher the Tenant offers will break the connection.
- Default Value: !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
ClientAuthenticationSettings
- Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware DaaS Agent\ClientAuthenticationSettings
- Type: String
- Format of Value: Combination of following values separated by |
- SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION
Adding this flag to the value requires the server (Tenant) to present a certificate that the agent verifies.
Note: Only this configuration has been tested.
- SOAP_SSL_SKIP_HOST_CHECK
Adding this flag to the value disables checking that the host name matches the common name in the server certificate. Any certificate issued by a trusted CA could then impersonate the Tenant.
- SOAP_SSL_ALLOW_EXPIRED_CERTIFICATE
Adding this flag to the value disables checking of the certificate expiration date and omits CRL (Certificate Revocation List) checks. Not suitable for production.
- SOAP_SSL_NO_DEFAULT_CA_PATH
Adding this flag to the value disables loading of OpenSSL's default CA certificate locations (default_verify_paths).
- SOAP_SSL_RSA
Adding this flag to the value makes the agent use RSA to authenticate with the tenant.
- Default Value: SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION
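The following PowerShell is added here as a worked example and is not part of the VMware documentation or product. It applies the three DaaS Agent values described above (ClientSecureProtocols, ClientCipherSuites and ClientAuthenticationSettings) and reads them back. It assumes each setting is a REG_SZ value under the "VMware DaaS Agent" key named in the Key Path lines, and that on 64-bit Windows the 32-bit agent reads that key through WOW6432Node. The refusal checks for SSLv3 and for the certificate-validation bypass flags are the editor's policy, not a product rule.

```powershell
# Added example, not VMware's code. Assumptions: the three settings are REG_SZ
# values under the "VMware DaaS Agent" key; the agent is 32-bit, so on 64-bit
# Windows it reads the key through the WOW6432Node redirection.

function Get-DaaSAgentKeyPath {
    $base = 'HKLM:\SOFTWARE'
    if ([Environment]::Is64BitOperatingSystem) {
        $base = 'HKLM:\SOFTWARE\WOW6432Node'   # WOW64 registry redirector
    }
    return Join-Path -Path $base -ChildPath 'VMware, Inc.\VMware DaaS Agent'
}

function Set-DaaSAgentTlsSettings {
    param(
        # Documented default is SOAP_TLSv1_1|SOAP_TLSv1_2; TLS 1.2 only is the
        # strictest option the documentation lists.
        [string] $Protocols      = 'SOAP_TLSv1_2',
        # Documented default cipher list (OpenSSL cipher-list syntax).
        [string] $CipherSuites   = '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES',
        # Documented default and the only tested configuration.
        [string] $Authentication = 'SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION'
    )

    $key = Get-DaaSAgentKeyPath
    if (-not (Test-Path -Path $key)) {
        throw "DaaS Agent key not found at '$key'. Is the agent installed?"
    }

    # Editor's policy, not a product rule: refuse options that weaken the connection.
    # 'SOAP_SSLv3' also matches SOAP_SSLv3_TLSv1, which enables SSLv3 as well.
    if ($Protocols -match 'SOAP_SSLv3') {
        throw 'SSLv3 is obsolete; refusing to enable it.'
    }
    foreach ($flag in 'SOAP_SSL_SKIP_HOST_CHECK', 'SOAP_SSL_ALLOW_EXPIRED_CERTIFICATE') {
        if ($Authentication -match $flag) {
            throw "$flag disables part of certificate validation; refusing."
        }
    }
    if ($Authentication -notmatch 'SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION') {
        throw 'Server authentication must stay enabled.'
    }

    Set-ItemProperty -Path $key -Name 'ClientSecureProtocols'        -Value $Protocols      -Type String
    Set-ItemProperty -Path $key -Name 'ClientCipherSuites'           -Value $CipherSuites   -Type String
    Set-ItemProperty -Path $key -Name 'ClientAuthenticationSettings' -Value $Authentication -Type String

    # Read back through the same (possibly redirected) path the agent itself uses.
    Get-ItemProperty -Path $key |
        Select-Object -Property ClientSecureProtocols, ClientCipherSuites, ClientAuthenticationSettings
}

# TLS 1.2 only, documented default ciphers, server authentication required.
Set-DaaSAgentTlsSettings -Protocols 'SOAP_TLSv1_2'
```

Run it from an elevated PowerShell session. Restarting the agent afterwards is an assumption (the documentation does not say when the values are read); verify on one machine that the Tenant still accepts the connection before rolling the change out, since the Tenant must support whatever the client demands.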
CipherSuites
- Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration\SSL\CipherSuites
- Type: String
- Format of Value: Specify multiple ciphers separated by colons (OpenSSL cipher list syntax).
ProtocolsNotToBeDisabled
- Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration\SSL\ProtocolsNotToBeDisabled
- Type: DWORD (32-bit)
- Format of Value: A hex DWORD selecting the lowest protocol version that stays enabled. The values correspond to OpenSSL's SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 option bits, so they are flags, not an ascending ranking:
- To enable TLSv1 and above, specify 04000000 as the hex value.
- To enable TLSv1_1 and above, specify 10000000 as the hex value.
- To enable TLSv1_2 and above, specify 08000000 as the hex value (this is the current default).
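The following PowerShell is added here as a worked example and is not VMware's code. It writes ProtocolsNotToBeDisabled as a REG_DWORD from the hex values documented above and decodes an existing value back to the protocol floor it selects, which matters because the three values are flag bits rather than an ordered scale. It assumes the key path exactly as documented and treats an absent value as the documented default (TLSv1_2 and above).

```powershell
# Added example, not VMware's code. Assumptions: the key path is exactly the one
# documented above, and a missing ProtocolsNotToBeDisabled value means the
# documented default (TLSv1_2 and above).

$VdmSslKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration\SSL'

# Hex values from the documentation, keyed by the lowest protocol left enabled.
# They are flag bits, not a ranking: TLSv1_1's value is numerically larger than TLSv1_2's,
# so never compare them with -lt / -gt to decide which setting is stricter.
$ProtocolFloorValue = @{
    'TLSv1'   = 0x04000000
    'TLSv1_1' = 0x10000000
    'TLSv1_2' = 0x08000000
}

function Set-VdmMinimumTlsVersion {
    param(
        [ValidateSet('TLSv1', 'TLSv1_1', 'TLSv1_2')]
        [string] $Minimum = 'TLSv1_2'
    )
    if (-not (Test-Path -Path $VdmSslKey)) {
        throw "Key '$VdmSslKey' not found. Is the View Agent installed?"
    }
    # Write a REG_DWORD. A REG_SZ containing the text "08000000" is not the same value.
    Set-ItemProperty -Path $VdmSslKey -Name 'ProtocolsNotToBeDisabled' `
        -Value $ProtocolFloorValue[$Minimum] -Type DWord
}

function Get-VdmMinimumTlsVersion {
    $item = Get-ItemProperty -Path $VdmSslKey -Name 'ProtocolsNotToBeDisabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'TLSv1_2 (value absent; documented default)'
    }
    # Registry DWORDs come back as Int32; mask to get the unsigned bit pattern.
    $raw = [uint32] ($item.ProtocolsNotToBeDisabled -band 0xFFFFFFFF)
    # Reverse lookup of the documented values; anything else is reported, not guessed.
    foreach ($entry in $ProtocolFloorValue.GetEnumerator()) {
        if ($entry.Value -eq $raw) { return $entry.Key }
    }
    return ('undocumented value 0x{0:X8}' -f $raw)
}

Set-VdmMinimumTlsVersion -Minimum 'TLSv1_2'
Get-VdmMinimumTlsVersion
```

The CipherSuites value under the same key is a plain string and can be set with Set-ItemProperty -Type String in the same way. Auditing with Get-VdmMinimumTlsVersion before and after the change is the quickest way to catch a value that was typed as a string or as the wrong flag bit.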