VMware Horizon Community
netw1z
Contributor

SSL error on connecting to server

I have a Win10 PC and a Win10 laptop that I use VMware Horizon Client (v4.8) to connect to work's VDI server over the past year. Today, on my PC the VMware client is reporting an SSL error when I click to connect to the VDI server (error happens before any auth prompts). However, my laptop doesn't have the issue and is able to connect through ok. Both PC and laptop are on the same home network.

I've had a look at the logs but I don't understand most of it so hoping someone can point out what could be wrong.

Things I have tried on my PC:

  • Change SSL configuration to "Do not verify server identity certificates"
  • Uninstalled VMware Horizon Client - reboot - reinstall with latest v4.8 installer from vmware.com - reboot

This is the extract from vmware-horizon-viewclient-2018-06-25-160039.txt attached (server name and IP replaced).

I tested connecting to any valid domain name not running VMware infrastructure and it appears to get the same SSL error, so it appears the SSL error is just a general error if there is no SSL handshake? I can confirm my work's VDI server is working though because as I mentioned I can connect to it from my Win10 laptop fine.

What else can I do?

pengwang
VMware Employee

Hi netw1z,

It looks like a TLS cipher suite mismatch between client and server. Please check whether the client host has customized the "Configures SSL protocols and cryptographic algorithms" setting under Security Settings for Client GPOs. You can use Wireshark to investigate the SSL handshake traffic or enable the view client trace log level to assist in debugging this. Thanks.

netw1z
Contributor

Hi pengwang,

I'm not sure what client GPO setting I should look at or change here but I've compared my PC's registry keys with my (working) laptop for this registry folder and they are the same:

\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware VDM\Client\Security\

LogInAsCurrentUser_Default DWORD 0

LogInAsCurrentUser_Display DWORD 1

Wireshark capture attached - filtered on destination VDI server IP

Client trace changed to view traces and I have attached new client log trace.

Thanks for your help in looking at this.

pengwang
VMware Employee

The client uses the default SSL GPO setting, so this is not the problem. The Wireshark logs show some TCP retransmission issues; it looks like the server side might not receive the package correctly, so there is no server hello response from the server side during the SSL handshake and the connection is dropped. Please check if there are firewall or other device issues in your environment. Using curl/openssl -v servername should show the same behavior on this host; can you always reproduce the issue on this host? How about web access to the server? BTW, I suggest removing the trace logs/Wireshark capture from here and filing a ticket with this info attached in future cases. Thanks.

netw1z
Contributor

I've disabled all firewall and antivirus but still get the same issue every time. Direct browser access to the server brings up an F5 front page since F5 is used to load balance the backend servers. Curl output below.

I am not sure how I can log a ticket through here as an end user without service contracts attached to my account.

curl -v vdi.servernamereplaced.com
* Rebuilt URL to: vdi.servernamereplaced.com/
*   Trying 203.aaa.bbb.ccc...
* TCP_NODELAY set
* Connected to vdi.servernamereplaced.com (203.aaa.bbb.ccc) port 80 (#0)
> GET / HTTP/1.1
> Host: vdi.servernamereplaced.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Found
< Location: https://vdi.servernamereplaced.com/
< Server: BigIP
* HTTP/1.0 connection set to keep alive!
< Connection: Keep-Alive
< Content-Length: 0
<
* Connection #0 to host vdi.servernamereplaced.com left intact

pengwang
VMware Employee

Please try to connect to port xxx:443. Also, does the client host face the internet or an intranet? It might be backend network related (your corp IT admin might know about the network access rule, and it should not be a Horizon client issue) since I can see the login dialog from my side. Thanks.

netw1z
Contributor

This desktop PC host having the issue is internet facing. Also, I mentioned before, my other laptop host which is also connected to the same personal home network but is not having any issue using Horizon client connecting to the same VDI server. Therefore I don't doubt this is not a VDI server side issue and must be isolated to my PC host which I cannot figure out what caused it to stop working (was working fine last week).

I've tried reinstalling VMware Horizon client many times. I've also tried installing the VMware Horizon client app from the Windows 10 store but the Horizon client app also gives the same SSL issue.

Below is the curl output to port 443 as requested. (I did the same on my work laptop and the output is the same as below)

curl -v vdi.servernamereplaced.com:443
* Rebuilt URL to: vdi.servernamereplaced.com:443/
*   Trying 203.aaa.bbb.ccc...
* TCP_NODELAY set
* Connected to vdi.servernamereplaced.com (203.aaa.bbb.ccc) port 443 (#0)
> GET / HTTP/1.1
> Host: vdi.servernamereplaced.com:443
> User-Agent: curl/7.55.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host vdi.servernamereplaced.com left intact
curl: (52) Empty reply from server

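Added example, not part of any post in this thread: the diagnoses discussed above (cipher suite mismatch versus no server hello at all) differ in what the server sends back after the ClientHello, which can be read from the first server-to-client payload in a capture like the Wireshark trace mentioned earlier. The Python code below classifies those bytes; the function name, result labels, hint texts and sample byte strings are assumptions constructed for illustration.

```python
import struct

# TLS record content types and selected alert codes (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
          48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security"}
# What each outcome points to (hypothetical wording, tied to this thread).
HINTS = {
    "no_response": "handshake dropped before ServerHello: check path, driver, firewall",
    "alert:fatal:handshake_failure": "no shared cipher suite or protocol version",
    "handshake:server_hello": "server answered; look at certificate validation next",
}


def classify_first_flight(data: bytes) -> str:
    """Classify the first bytes a server sent in reply to a ClientHello."""
    if not data:
        return "no_response"            # closed or timed out without any reply
    if data.startswith(b"HTTP/"):
        return "plaintext_http"         # peer speaks HTTP, not TLS, on this port
    if len(data) < 5:
        return "truncated_record"
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        return "not_tls"
    body = data[5:5 + length]
    if ctype == 21:                     # plaintext alert: level byte, description byte
        if len(body) != 2:
            return "alert:undecodable"
        level = "fatal" if body[0] == 2 else "warning"
        return f"alert:{level}:{ALERTS.get(body[1], body[1])}"
    if ctype == 22:                     # handshake: first body byte is the message type
        if not body:
            return "truncated_record"
        return "handshake:" + HANDSHAKE_TYPES.get(body[0], str(body[0]))
    return CONTENT_TYPES[ctype]

# Constructed sample replies (not taken from the thread's capture).
SAMPLES = {
    "dropped": b"",
    "cipher_mismatch": bytes.fromhex("15030300020228"),
    "server_hello": bytes.fromhex("160303004a02000046") + bytes(70),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = classify_first_flight(raw)
        print(f"{name:16} {result:30} {HINTS.get(result, '')}")
```

The `curl -v host:443` runs shown above send a plaintext HTTP request to the TLS port, so their "Empty reply from server" result does not show how the TLS handshake itself behaves.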
techguy129
Expert

Try adding the following registry on the client machine:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security]

"SSLCipherList" = "SSLv3:TLSv1:TLSv1.1:AES:RC4-SHA:!aNULL:@STRENGTH"

If that doesn't work, you can try deleting this registry key (after backing it up) to see if it helps:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

"Enabled"

netw1z
Contributor

I figured out what the issue is in the end.

My PC host has a Killer brand network card. Last week I had to reinstall its driver due to a Windows issue. When that happened the Killer driver suite has a feature called "Advanced Stream Detect" which was on by default. This is the feature that if left on seems to break the Horizon client connection and when off, Horizon works fine - confirmed now.

I had a sudden realization tonight that the driver was changed recently and so I went and turned off the ASD feature and Horizon was happy again.

I wrote to Killer a year ago when I purchased my PC which is when I first found the same problem that if the ASD feature was on it was doing some screwy things to some other apps. I stopped using their driver back then but forgot about it when I had the driver issue recently and it got me again!

Thanks for the help all and sorry for wasting your time.

snakedoctor69
Contributor

I have the same error. I was using the product for a month or so, and now I can't even get to our jump server. VMware products are funny because I can access our jump server using the Firefox browser and use the web client and everything works hunky dory. I am thinking it has something to do with how Windoz 10 stores certificates... the Edge browser doesn't work either... I think Firefox has its own SSL certificate store. Maybe the authors of the product can explain how the SSL stuff works so we can figure this out.

BenFB
Virtuoso

snakedoctor69

Certificates with Horizon are well documented and straightforward. It can get complex when you introduce Unified Access Gateways (UAG)/Security Servers and load balancers, depending on where the SSL termination is taking place. Can you start a new discussion with the details of your environment and we can assist.
