VMware Horizon Community
MaracaMagician
Contributor

vmware view client 5.0.0 on Linux x64 Debian 9, "Error: An SSL error occured"

Greetings, having an issue on Debian 9 vmware-view client using CAC card to .mil domain. The error message after SSL login is:

"Error: An SSL error occured"

Some more details:

DoD root certificates all installed in /etc/ssl/config

For CAC smartcard middleware, using opensc (working great in Firefox and Chromium)

For Vmware version, I used 5.0.0 (Download VMware Horizon Clients ) using wget and then running the bundle:

https://download3.vmware.com/software/view/viewclients/CART20FQ1/VMware-Horizon-Client-5.0.0-1255742...


This had a bunch of segfaults, so I installed and symlinked these library dependencies (got some help from the manual https://docs.vmware.com/en/VMware-Horizon-Client-for-Linux/4.10/horizon-client-linux-installation.pd... ):

sudo apt-get update

sudo apt-get install -y v4l-utils libv4l-0 gstreamer1.0 open-vm-tools-desktop python-gtk2 libglibmm-2.4-1v5 libglibmm-2.4-dev libffi-dev libffi6 libengine-pkcs11-openssl1.1

sudo ln -s /usr/lib/x86_64-linux-gnu/libffi.so.6 /usr/lib/x86_64-linux-gnu/libffi.so.5

sudo ln -s /lib/x86_64-linux-gnu/libudev.so.1 /lib/x86_64-linux-gnu/libudev.so.0

#install libpng12, because of old dependencies

wget http://http.us.debian.org/debian/pool/main/libp/libpng/libpng12-0_1.2.50-2+deb8u3_amd64.deb

chmod +x libpng12-0_1.2.50-2+deb8u3_amd64.deb

sudo dpkg -i libpng12-0_1.2.50-2+deb8u3_amd64.deb

Vmware then loaded and the CAC card successfully unlocks with pin. Then the SSL error popped up.

Wireshark indicated SSL Certificate failure with TLSv1.2 packet "Alert (Level: Fatal, Description: Unknown CA)"

The server announcement and Wireshark on a working Windows 10 vmware client session indicated that the protocol in use was TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

This protocol is in TLSv1.2 of openssl 1.1.1, but not in Debian 9 xenial which uses openssl 1.1.0

Thus, I added Debian 10 buster apt stream and installed openssl 1.1.1, which now shows the needed cipher available (openssl calls it ECDHE-RSA-AES256-SHA384 instead of TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, see https://www.openssl.org/docs/manmaster/man1/ciphers.html ).

Additionally, I had made these modifications to attempt to prevent a TLSv1.2 fallback:

#Vmware config files modified with "sudo nano ~/.vmware/view-preferences"

view.autoHideToolbar = "FALSE"

view.deviceID = "00:16:3E:5E:6C:00"

view.enableDataSharing = "FALSE"

view.enableH264 = "TRUE"

view.enableH264YUV444 = "FALSE"

view.sslProtocolString = "TLSv1.2"

view.sslVerificationMode = "2"

view.usbAutoConnectAtStartUp = "FALSE"

view.usbAutoConnectOnInsert = "FALSE"

Log provided with some personal info redactions, the log has two apparently relevant lines:

"Built using OpenSSL 1.0.2q-fips"

As well as:

2019-07-16 18:32:02.872-04:00: vmware-view 30041| Found a valid EKU: TLS Web Server Authentication

2019-07-16 18:32:02.872-04:00: vmware-view 30041| certsList has 1 certificates

2019-07-16 18:32:02.873-04:00: vmware-view 30041| cdk_cryptoki_rsa_sign: need to sign 32 bytes of data and hash type is: 672

2019-07-16 18:32:03.047-04:00: vmware-view 30041| C_Sign failed: 0x101 [ ]

2019-07-16 18:32:03.048-04:00: vmware-view 30041| CdkRpc_ProcessResponseForCall: Returning the whole response for not finding response element of set-locale

2019-07-16 18:32:03.048-04:00: vmware-view 30041| CdkRpc_HandleResponsesAsync: Handle Response with rpc call id: 3.

2019-07-16 18:32:03.048-04:00: vmware-view 30041| Got a response to request 3

Some ideas:

Is there a way to force the openssl version to use the newer 1.1.1, or is this issue possibly due to it being baked in so that my particular server's cipher ECDHE-RSA-AES256-SHA384 cannot be used at this time?

Other avenues:

Is vmware definitely using the root certificate store in /etc/ssl/certs/ca-certificates.crt? I do get a green lock in vmware-view and no other certificate errors, and the DoD certs work in Firefox and Chromium allowing logins using the OpenSC CAC middleware.
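
The signing failure in the log excerpt above can be decoded mechanically. The script below is an added example, not part of the original post or of VMware's tooling: it pairs each "C_Sign failed" line with the preceding signing request from the same process and names the PKCS#11 return value (0x101 is CKR_USER_NOT_LOGGED_IN in the PKCS#11 specification). Reading the logged "hash type" as an OpenSSL NID (672 = sha256) is an assumption, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: triage PKCS#11 signing failures in a vmware-view log (stdin).
# Assumption: the logged "hash type" is an OpenSSL NID (672 = sha256).
triage_csign() {
  awk '
    BEGIN {
      # PKCS#11 return values (hex digits without the 0x prefix).
      ckr["5"]   = "CKR_GENERAL_ERROR"
      ckr["6"]   = "CKR_FUNCTION_FAILED"
      ckr["30"]  = "CKR_DEVICE_ERROR"
      ckr["70"]  = "CKR_MECHANISM_INVALID"
      ckr["a0"]  = "CKR_PIN_INCORRECT"
      ckr["101"] = "CKR_USER_NOT_LOGGED_IN"
      # OpenSSL digest NIDs.
      nid["64"]  = "sha1";   nid["114"] = "md5-sha1"
      nid["672"] = "sha256"; nid["673"] = "sha384"; nid["674"] = "sha512"
    }
    # Field 4 is "<pid>|"; strip the bar and keep state per client process.
    { pid = $4; sub(/[|]$/, "", pid) }
    # Remember the size and digest of the most recent signing request.
    $5 == "cdk_cryptoki_rsa_sign:" && $6 == "need" {
      bytes[pid] = $9; hash[pid] = $NF
      next
    }
    # On failure, normalise the hex code and report it with that request.
    $5 == "C_Sign" && $6 == "failed:" {
      rv = tolower($7); sub(/^0x0*/, "", rv)
      name = (rv in ckr) ? ckr[rv] : "UNKNOWN"
      h  = (pid in hash)  ? hash[pid]  : "?"
      b  = (pid in bytes) ? bytes[pid] : "?"
      hn = (h in nid) ? nid[h] : "unknown"
      printf "pid=%s rv=0x%s %s bytes=%s hash=%s(%s)\n", pid, rv, name, b, h, hn
    }
  '
}

# Sample input: three log lines quoted from the post above.
sample_log() {
  cat <<'EOF'
2019-07-16 18:32:02.872-04:00: vmware-view 30041| certsList has 1 certificates
2019-07-16 18:32:02.873-04:00: vmware-view 30041| cdk_cryptoki_rsa_sign: need to sign 32 bytes of data and hash type is: 672
2019-07-16 18:32:03.047-04:00: vmware-view 30041| C_Sign failed: 0x101 [ ]
EOF
}

sample_log | triage_csign
```

To run it against a real client log, pipe the log file into triage_csign instead of sample_log.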

1 Solution

Accepted Solutions
MaracaMagician
Contributor

Solved, turns out in my environment Mac/Linux clients had to use TLSv1.1. What worked:

1. Change vmware profile settings to force TLSv1.1

sudo nano ~/.vmware/view-preferences

Ensure you add:

view.sslProtocolString = "TLSv1.1"

#Most everyone should probably disable default data and USB sharing unless you have your reasons:

view.enableDataSharing = "FALSE"
view.usbAutoConnectAtStartUp = "FALSE"
view.usbAutoConnectOnInsert = "FALSE"

What was also done:

2. Upgrade to Debian 10

3. Install and use coolkey instead of opensc due to segfaults with vmware in Debian 10

opensc had some segfaults with vmware-view but not other software:

/usr/bin/vmware-view: line 149:  1060 Segmentation fault      "$binPath/bin/$binFile" "$@"

Log read:

2019-07-22 13:04:36.993-04:00: vmware-view 1060| Initializing smartcard modules

2019-07-22 13:04:36.995-04:00: vmware-view 1060| Attempting to load cryptoki module /usr/lib/vmware/view/pkcs11/libopenscpkcs11.so

So to switch to coolkey:

sudo apt-get update

sudo apt-get install -y coolkey

#If you're doing this for the first time, remember to make the pkcs11 directory first: sudo mkdir /usr/lib/vmware/view/pkcs11

#Remove OpenSC symlink, symlink coolkey instead:

sudo rm /usr/lib/vmware/view/pkcs11/libopenscpkcs11.so
sudo ln -s /usr/lib/pkcs11/libcoolkeypk11.so /usr/lib/vmware/view/pkcs11/libcoolkeypk11.so


0 Kudos
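
A check for the two things the accepted solution changes, the protocol pinned in view-preferences and the modules linked into the client's pkcs11 directory. This is an added example, not part of the original post or of VMware's tooling; the function names are illustrative, "last entry wins" for duplicate keys is an assumption, and the demo data at the end is constructed.

```shell
#!/bin/sh
# Added example: audit the settings touched by the accepted solution.

# Print the quoted value of key $2 in preferences file $1.
# Assumption: when a key appears more than once, the last entry wins.
pref_value() {
  awk -v key="$2" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(line, key) == 1 {
      rest = substr(line, length(key) + 1)
      # Requiring "=" next keeps view.enableH264 from matching ...H264YUV444.
      if (rest ~ /^[ \t]*=[ \t]*".*"[ \t]*$/) {
        sub(/^[ \t]*=[ \t]*"/, "", rest); sub(/"[ \t]*$/, "", rest); val = rest
      }
    }
    END { print val }
  ' "$1"
}

# Classify the pinned protocol; anything without TLS 1.2+ is reported as legacy.
protocol_status() {
  v=$(pref_value "$1" view.sslProtocolString)
  case "$v" in
    "")                  echo "unset" ;;
    *TLSv1.2*|*TLSv1.3*) echo "ok:$v" ;;
    *)                   echo "legacy:$v" ;;
  esac
}

# List the entries of pkcs11 directory $1 and flag symlinks with no target.
pkcs11_status() {
  ok=0; bad=0
  for f in "$1"/*; do
    if [ -L "$f" ] && [ ! -e "$f" ]; then
      echo "dangling: $f -> $(readlink "$f")"; bad=$((bad + 1))
    elif [ -f "$f" ]; then
      echo "module: $f"; ok=$((ok + 1))
    fi
  done
  echo "loadable=$ok dangling=$bad"
}

# Constructed demo data so the example runs offline.
demo=$(mktemp -d)
printf '%s\n' 'view.sslProtocolString = "TLSv1.1"' > "$demo/view-preferences"
mkdir "$demo/pkcs11"
ln -s /nonexistent/libopenscpkcs11.so "$demo/pkcs11/libopenscpkcs11.so"
protocol_status "$demo/view-preferences"; pkcs11_status "$demo/pkcs11"
rm -rf "$demo"
```

On a real system the arguments would be ~/.vmware/view-preferences and /usr/lib/vmware/view/pkcs11, the paths used in the post.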
2 Replies
MaracaMagician
Contributor

Log attached here, the website is throwing errors saying I'm logged out when I attempt to post an attachment. Attempting it as a comment instead.

0 Kudos