Hi,
In my recent deployment I have got a request from the customer for disabling a few protocols and ciphers in both VMware View Connection Server and Security Server. I read some articles and found that this was achieved by editing the locked.properties file. But when we edited and replaced the file, the users were not able to connect to their virtual desktops, so we reverted and the desktops worked fine.
In a few blogs I found that we don't need to edit the locked.properties file in VMware Horizon View 6. If someone has performed this operation, please guide me through it. Below are the details of the protocols and ciphers that need to be disabled:
Diffie-Hellman Key
Disable SSL v2/V3 and enable TLS 1.1 & 1.2
Disable RC4 cipher
Enable Forward Secrecy (If possible)
VMware View 6 is the Connection Server and Security Server.
Thank you.
Hi,
I put together the following steps (extracted from the manual):
1. Update the JCE Policy Files to Support High-Strength Cipher Suites
You can add high-strength cipher suites for greater assurance, but first you must update the local_policy.jar and US_export_policy.jar policy files for JRE 7 on each View Connection Server instance and security server. You update these policy files by downloading the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from the Oracle Java SE Download site.
If you include high-strength cipher suites in the list and do not replace the policy files, you cannot restart the VMware Horizon View Connection Server service.
The policy files are located in the C:\Program Files\VMware\VMware View\Server\jre\lib\security directory.
For more information about downloading the JCE Unlimited Strength Jurisdiction Policy Files 7, see the Oracle Java SE Download site: http://www.oracle.com/technetwork/java/javase/downloads/index.html.
After you update the policy files, you must create backups of the files. If you upgrade the View Connection Server instance or security server, any changes that you have made to these files might be overwritten, and you might have to restore the files from the backup.
2. Change the Global Acceptance Policies with ADSI Edit
For example: localhost:389 or mycomputer.mydomain.com:389
pae-ServerSSLCipherSuites: \LIST:TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256
pae-ServerSSLSecureProtocols: \LIST:TLSv1.1,TLSv1.2
It is not the highest possible, but they are working with all our clients' devices.
This will not cover "Enable Forward Secrecy (If possible)", but the other points are covered.
If someone can give a tip to enable Forward Secrecy, I would appreciate it.
Hi Guys,
Did anyone manage to fix the following warning?
"The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-"
Or is this not needed for VMware View?
Regards,
Mobin
Here's what I'm using that allows me to support Forward Secrecy and everything seems to be working as expected so far.
pae-ClientSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
pae-ClientSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"
pae-ServerSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
pae-ServerSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"
I'm still getting "Secure Client-Initiated Renegotiation - Supported - DoS DANGER" though. Anyone have any thoughts on that?
Edit: I should note that I am receiving an "A" rating with those ciphers listed.
Thanks for the post. I was able to get an A rating by enabling Forward Secrecy as you mentioned. I can also see the following warnings, but the rating is A.
Secure Client-Initiated Renegotiation Supported DoS DANGER.
Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported
Cheers
Guys,
After making changes I'm unable to connect to VDI using a Dell FX100 zero client.
| Hardware Version: | Dell_FX100_Board_Rev_5.4 |
|---|---|
| Firmware Version: | 3.3.0 |
| Firmware Build ID: | v321 |
| Firmware Build Date: | Feb 4 2011 12:15:07 |
| PCoIP Processor Revision: | 1.0 |
| Bootloader Version: | 2.1.0 |
| Bootloader Build ID: | v163 |
| Bootloader Build Date: | Aug 28 2008 16:56:13 |
In View Connection Server I only made changes to pae-ServerSSLCipherSuites and pae-ServerSSLSecureProtocols. On the Security Server I've made changes to cipher suites and protocols using the registry editor. I can see an SSL Labs A rating, but the Dell FX100 is unable to connect to VDI.
Can someone please help?
Edited: After applying the following changes I was able to connect through the Dell FX100 zero client
pae-ServerSSLCipherSuites:
\LIST:TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256
pae-ServerSSLSecureProtocols:
\LIST:TLSv1,TLSv1.1,TLSv1.2
But the following changes didn't work with the Dell FX100 zero client
pae-ServerSSLCipherSuites:
\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
pae-ServerSSLSecureProtocols:
\LIST:TLSv1,TLSv1.1,TLSv1.2
I think I'll have to live with "The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-".
Regards
hermanc01
Hi there, could you possibly re-paste your pae-ClientSSLCipherSuites list please? The list I copied ended in TLS_, and consequently took down a large part of my estate once I changed the certificates used by VMware to CA certs. I don't think the formatting on this page is correct, as it chops off the text in long lists.
Thanks
Anthony
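Added example, not from this thread or from VMware: a small Python audit of the \LIST: values discussed above that covers both the forward-secrecy-only server list and the TLS_RSA_* list the Dell FX100 zero client accepted, and that flags a cut-off entry such as the trailing TLS_ Anthony pasted. ZERO_CLIENT_SUITES is taken from hermanc01's post, not from a vendor compatibility list.

```python
import re

# A suite name is TLS_<key exchange>_WITH_<cipher>_<mac>; anything else (e.g. a bare "TLS_")
# is a list that was cut off when it was copied.
SUITE_NAME = re.compile(r"TLS_[A-Z0-9_]+_WITH_[A-Z0-9_]+")
# Only (EC)DHE key exchange gives forward secrecy; TLS_RSA_* suites do not.
FS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
# TLS_RSA_* suites hermanc01 reports as working with the Dell FX100 (from that post, assumed).
ZERO_CLIENT_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

def parse_list(value):
    """Turn a pae-* attribute value of the form \\LIST:a,b,c (quotes optional) into a list."""
    value = value.strip().strip('"')
    prefix = "\\LIST:"
    if not value.startswith(prefix):
        raise ValueError("value must start with " + prefix)
    return [item.strip() for item in value[len(prefix):].split(",") if item.strip()]

def audit_ciphers(value):
    """Report forward secrecy, RC4, zero-client fallback and malformed entries for a suite list."""
    suites = parse_list(value)
    fs = [s for s in suites if s.startswith(FS_PREFIXES)]
    return {
        "suites": suites,
        "all_forward_secrecy": bool(suites) and len(fs) == len(suites),
        "rc4_present": any("_RC4_" in s for s in suites),
        "zero_client_fallback": bool(ZERO_CLIENT_SUITES & set(suites)),
        "malformed": [s for s in suites if not SUITE_NAME.fullmatch(s)],
    }

def audit_protocols(value):
    """Report which protocol versions a pae-*SSLSecureProtocols list still allows."""
    protos = parse_list(value)
    return {
        "protocols": protos,
        "ssl_present": any(p.upper().startswith("SSL") for p in protos),
        "tls10_present": "TLSv1" in protos,
        "tls12_present": "TLSv1.2" in protos,
    }

if __name__ == "__main__":
    # The forward-secrecy-only server list posted above; all entries are ECDHE, none is TLS_RSA_*.
    fs_list = r"\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    print(audit_ciphers(fs_list))
    print(audit_protocols(r"\LIST:TLSv1,TLSv1.1,TLSv1.2"))
```

A list with `all_forward_secrecy` True and `zero_client_fallback` False is exactly the combination that earned the A grade but locked out the FX100; appending one of the TLS_RSA_* suites keeps a fallback for old clients while modern browsers still negotiate ECDHE.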