You can configure the cipher suites and security protocols that the HTML Access Agent uses. You can also specify the configurations in a group policy object (GPO).

By default, the HTML Access Agent uses only TLS 1.0, TLS 1.1, and TLS 1.2; SSLv3 and earlier protocols are never allowed. Two registry values, SslProtocolLow and SslProtocolHigh, determine the range of protocols that the HTML Access Agent accepts. For example, setting SslProtocolLow=tls_1.1 and SslProtocolHigh=tls_1.2 causes the HTML Access Agent to accept TLS 1.1 and TLS 1.2. The default settings are SslProtocolLow=tls_1.2 and SslProtocolHigh=tls_1.2, so by default the HTML Access Agent accepts only TLS 1.2.

You must use the OpenSSL cipher list format when specifying the list of ciphers. To see the cipher list format, search the web for "openssl cipher string". The following cipher list is the default:

ECDHE+AESGCM

Procedure

  1. Start the Windows Registry Editor.
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry key.
  3. To specify the range of protocols, add two new string (REG_SZ) values, SslProtocolLow and SslProtocolHigh.
    The data for the registry values must be tls_1.1 or tls_1.2. To enable only one protocol, specify the same protocol for both registry values. If a registry value does not exist, or if its data is not set to one of the three protocols, the default protocol is used.
  4. To specify a list of cipher suites, add a new string (REG_SZ) value, SslCiphers.
    Type or paste the list of cipher suites in the data field of the registry value. For example,
    ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL
  5. Restart the VMware Blast Windows service.
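The procedure above applied from an elevated PowerShell prompt, as an added example that is not VMware's own tooling. It assumes the service's display name is "VMware Blast" and enforces two points the text makes: only tls_1.1 and tls_1.2 are honored for the protocol values, and a blank SslCiphers value makes every cipher unacceptable, so reverting means deleting the value.

```powershell
# Added example (not VMware's code): sets the registry values from the procedure
# and restarts the service. Assumes the key path and the "VMware Blast" service
# display name stated in the procedure.
$ConfigKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config'
$Allowed   = @('tls_1.1', 'tls_1.2')

function Set-BlastTlsConfig {
    param(
        [Parameter(Mandatory)] [string] $ProtocolLow,
        [Parameter(Mandatory)] [string] $ProtocolHigh,
        [string] $Ciphers   # omit to revert to the default cipher list (ECDHE+AESGCM)
    )
    # Values outside the accepted set are silently replaced by the default protocol,
    # so reject them here instead of discovering it in the agent log later.
    foreach ($p in @($ProtocolLow, $ProtocolHigh)) {
        if ($Allowed -notcontains $p) {
            throw "Protocol value '$p' must be one of: $($Allowed -join ', ')"
        }
    }
    # An empty SslCiphers string is NOT "use defaults": in the OpenSSL cipher list
    # format it matches no ciphers, and the agent then accepts no connection.
    if ($PSBoundParameters.ContainsKey('Ciphers') -and [string]::IsNullOrWhiteSpace($Ciphers)) {
        throw 'SslCiphers must not be blank; omit -Ciphers to delete the value and restore the default list.'
    }
    if (-not (Test-Path $ConfigKey)) { New-Item -Path $ConfigKey -Force | Out-Null }
    # String values, i.e. REG_SZ, as the procedure requires.
    New-ItemProperty -Path $ConfigKey -Name SslProtocolLow  -PropertyType String -Value $ProtocolLow  -Force | Out-Null
    New-ItemProperty -Path $ConfigKey -Name SslProtocolHigh -PropertyType String -Value $ProtocolHigh -Force | Out-Null
    if ($PSBoundParameters.ContainsKey('Ciphers')) {
        New-ItemProperty -Path $ConfigKey -Name SslCiphers -PropertyType String -Value $Ciphers -Force | Out-Null
    } else {
        # Reverting: remove the whole value rather than blanking its data.
        Remove-ItemProperty -Path $ConfigKey -Name SslCiphers -ErrorAction SilentlyContinue
    }
    # The new settings take effect only after the service restarts.
    Get-Service -DisplayName 'VMware Blast' | Restart-Service -Force
    # Return what is now in the registry; confirm the effective values in the agent log.
    Get-ItemProperty -Path $ConfigKey | Select-Object SslProtocolLow, SslProtocolHigh, SslCiphers
}

# Accept TLS 1.2 only, with the cipher list from step 4 of the procedure.
Set-BlastTlsConfig -ProtocolLow tls_1.2 -ProtocolHigh tls_1.2 `
    -Ciphers 'ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL'
```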

Results

To revert to using the default cipher list, delete the SslCiphers registry value and restart the Windows service VMware Blast. Do not delete only the data part of the value: if the data is empty, the HTML Access Agent treats all ciphers as unacceptable, in accordance with the OpenSSL cipher list format definition.

When the HTML Access Agent starts, it writes the protocol and cipher information to its log file. You can examine the log file to determine the values that are in force.

Note: The default protocols and cipher suites might change in accordance with evolving best practices for network security.