You can configure the security protocols and cipher suites that PSG's client-side listener accepts by editing the registry. If required, this task can also be performed on an RDS host.

The protocols that are allowed are, from low to high, tls1.0, tls1.1, and tls1.2. Older protocols such as SSLv3 and earlier are never allowed. The default setting is tls1.2:tls1.1.
Note: In FIPS mode, only TLS 1.2 is enabled (tls1.2).

The following cipher list is the default:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:@STRENGTH
Note: In FIPS mode, only GCM cipher suites are enabled (ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256).

Procedure

  1. On the connection broker instance or RDS host, open a registry editor and navigate to HKLM\Software\Teradici\SecurityGateway.
  2. Add or edit the REG_SZ registry value SSLProtocol to specify a list of protocols.
    For example,
    tls1.2:tls1.1
  3. Add or edit the REG_SZ registry value SSLCipherList to specify a list of cipher suites.
    For example,
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256
  4. Add or edit the REG_SZ registry value SSLDisableAES128 to filter cipher suites that negotiate a 128-bit AES encryption key. If not defined, the value defaults to 0, meaning that the filter will not be applied. To exclude these cipher suites, turn on the filter by setting the registry value to 1.
  5. Add or edit the REG_SZ registry value SSLDisableRSACipher to filter cipher suites that use RSA for key exchange. If not defined, the value defaults to 1, meaning that these cipher suites will be filtered from the list. If it is necessary to include them, turn off the filter by setting the registry value to 0.
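The following PowerShell script is an added example, not part of the PSG documentation: it validates and applies the four registry values from the procedure above in one pass and reads them back for verification. It assumes an elevated session on the connection broker or RDS host; the protocol and cipher strings used are the page's defaults.

```powershell
# Added example: apply the PSG client-side TLS settings described above.
# Run from an elevated PowerShell session; all four values are REG_SZ.
$Key = 'HKLM:\Software\Teradici\SecurityGateway'

# Desired settings (protocol and cipher strings are the documented defaults).
$Settings = [ordered]@{
    SSLProtocol         = 'tls1.2:tls1.1'
    SSLCipherList       = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256'
    SSLDisableAES128    = '0'   # 1 drops suites that negotiate a 128-bit AES key
    SSLDisableRSACipher = '1'   # 1 (the default) drops RSA key-exchange suites;
                                # ECDHE-RSA suites use RSA only for authentication
}

# Sanity checks before touching the registry: only tls1.0, tls1.1 and tls1.2
# are valid protocol tokens, and the two filter flags must be 0 or 1.
$AllowedProtocols = 'tls1.0', 'tls1.1', 'tls1.2'
foreach ($p in $Settings.SSLProtocol -split ':') {
    if ($p -notin $AllowedProtocols) { throw "Unsupported protocol token '$p'" }
}
foreach ($flag in 'SSLDisableAES128', 'SSLDisableRSACipher') {
    if ($Settings[$flag] -notin '0', '1') { throw "$flag must be 0 or 1" }
}
if ($Settings.SSLProtocol -match 'tls1\.0') {
    Write-Warning 'tls1.0 is enabled; the default setting is tls1.2:tls1.1.'
}
if ($Settings.SSLCipherList -match '\s') {
    throw 'SSLCipherList must be a colon-separated list with no whitespace'
}

# Create the key if needed, then write each value as a REG_SZ string.
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
foreach ($name in $Settings.Keys) {
    # -Force overwrites an existing value and sets its type to REG_SZ (String).
    New-ItemProperty -Path $Key -Name $name -Value $Settings[$name] `
        -PropertyType String -Force | Out-Null
}

# Read back the stored values so the result can be verified.
Get-ItemProperty -Path $Key |
    Select-Object SSLProtocol, SSLCipherList, SSLDisableAES128, SSLDisableRSACipher |
    Format-List
```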