Deactivated Protocols and Ciphers

DHE Cipher Suites

Cipher suites that are compatible with DSA certificates use Diffie-Hellman ephemeral keys, and these suites are no longer activated by default, starting with Horizon 6 version 6.2. For more information, see http://kb.vmware.com/kb/2121183.

For Connection Server instances and VMware Horizon 8 desktops, you can activate these cipher suites by editing the Horizon LDAP database, locked.properties file, or registry, as described in this guide. See Change the Global Acceptance and Proposal Policies, Configure Acceptance Policies on Individual Servers, and Configure Proposal Policies on Remote Desktops in a VMware Horizon 8 Environment. You can define a list of cipher suites that includes one or more of the following suites, in this order:

• TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (TLS 1.2 only, not FIPS)
• TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (TLS 1.2 only, not FIPS)
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (TLS 1.2 only)
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (TLS 1.2 only)
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA

For Horizon Agent Direct-Connection Plug-In machines, you can activate DHE cipher suites by adding the following to the list of ciphers when you follow the procedure "Deactivate Weak Ciphers in SSL/TLS for Horizon Agent Machines" in the Horizon 8 Installation and Upgrade document.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

SHA-1

In FIPS mode, certificate verification will fail with "Certificates do not conform to algorithm constraints" if a certificate is signed using SHA-1. This applies to any certificate in the chain, including the root certificate. For more information about why this signature algorithm is deprecated, see https://cabforum.org/wp-content/uploads/BRv1.2.5.pdf.

Replace failing certificates if possible. If this cannot be done, SHA-1 signatures can be re-activated by making an LDAP edit. Navigate to CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int. Modify attribute pae-SSLClientSignatureSchemes by adding rsa_pkcs1_sha1 to the list of comma-separated values. Save the modified attribute and then restart the Connection Server service on each Connection Server in the cluster, one at a time.

No Forward Secrecy (PFS)

For more information, see https://datatracker.ietf.org/doc/html/rfc7525. Cipher suites specifying key exchange algorithms that do not exhibit forward secrecy (PFS) are deactivated by default. For instructions on how to activate these cipher suites, see the other sections of this topic.

Re-activating Protocols

Although the protocols listed above have been deprecated for good reasons, you might have a use case where you need to re-activate one or more of them. If so, you can activate protocols by following the procedure below.

For Connection Server instances and VMware Horizon 8 desktops, you can activate a protocol by editing the configuration file C:\Program Files\VMware\VMware View\Server\jre\conf\security\java.security. At the end of the file is a multi-line entry called jdk.tls.legacyAlgorithms. Remove the protocol and the comma that follows it from this entry and restart the Connection Server or the Horizon Agent machine.

Also see the section "Enable TLSv1 on vCenter Connections from Connection Server" in the Horizon 8 Installation and Upgrade document.

For Horizon Agent Direct-Connection (formerly VADC) machines, you can activate a protocol by adding a line to the list of ciphers when you follow the procedure "Deactivate Weak Ciphers in SSL/TLS Horizon Agent Machines" in the Horizon 8 Installation and Upgrade document. For example, to activate RC4, you can add the following.

TLS_RSA_WITH_RC4_128_SHA