VMware Horizon Community
justanothernewg
Contributor

Horizon client SSL error

I'm using Horizon Client, 3.3.0 build-2507564, and getting an SSL error when attempting a CAC login to the target site.  I am presented the banner, prompted for my certificate, prompted for my PIN, and then I get this error after putting in my PIN:

Error: An SSL error occurred

I have the SSL setting set to "Warn before connecting to untrusted servers", but I get no such warning.  I've tried all three configuration options for this SSL setting but none seems to resolve the issue.  It doesn't appear to be a certificate/security issue.  Other folks using the same version of Horizon client and using CAC authentication are not having this issue.  I've tried reinstalling ActivClient which hasn't helped either.


Any ideas?

pengwang
VMware Employee

Do you have an IE proxy set on your host? And can you please confirm whether TLSv1.2 is enabled in the sslcipherlist GPO (policies\VMware,Inc.\VMware VDM\Client\Security\sslcipherlist) on the client host?

justanothernewg
Contributor

No proxy host set within IE.

These are the TLS1.2 ciphers defined in GPO:

TLS 1.2 SHA256 and SHA384 cipher suites:

TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256

TLS 1.2 ECC GCM cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521

pengwang
VMware Employee

The smartcard doesn't support the TLSv1.2 protocol at this time in client 3.3. Could you please check whether the issue is resolved after removing TLSv1.2 from the cipherlist?

justanothernewg
Contributor

I modified the cipher list to only include these SSL v2, 3, and TLS v1.0 and 1.1 ciphers:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5

I'm still getting the same SSL error.  Restarted the client, then restarted the workstation. 

pengwang
VMware Employee

Please confirm whether you removed the TLSv1.2 protocol rather than the ciphersuite; there is no need to restart the client host. Could you please tell me the cipher string setting in your GPO, so that we can see if there is a problem in your cipher string configuration?

justanothernewg
Contributor

I also tried disabling TLS 1.2 from Internet Explorer settings, and it had no effect.  Here's the string I put into the SSL cipher suite order:

TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5
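
A check a reviewer might run on a suite order like the one above before pushing it by policy, as an added example that is not part of the original post: it splits the string and flags suites that use SSLv2, NULL encryption, RC4, DES/3DES or an MD5 MAC. The function names `weaknesses` and `audit` and the flag wording are chosen here.

```python
# Cipher-suite order string copied from the post above (Schannel naming,
# where a _P256/_P384/_P521 suffix pins the ECDHE curve).
SUITE_ORDER = (
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,"
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,"
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,"
    "SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,"
    "TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_NULL_MD5"
)


def weaknesses(suite):
    """Return the weak properties visible in one suite name."""
    tokens = suite.split("_")
    found = []
    if suite.startswith("SSL_CK_"):
        found.append("SSLv2 suite")
    if "NULL" in tokens:
        found.append("no encryption")
    if "RC4" in tokens:
        found.append("RC4")
    if "3DES" in tokens or "DES" in tokens:
        found.append("DES/3DES")
    if "MD5" in tokens:
        found.append("MD5 MAC")
    return found


def audit(order):
    """Split a comma-separated suite order; return (all suites, flagged)."""
    suites = [s.strip() for s in order.split(",") if s.strip()]
    flagged = {s: weaknesses(s) for s in suites if weaknesses(s)}
    return suites, flagged


if __name__ == "__main__":
    suites, flagged = audit(SUITE_ORDER)
    print(f"{len(flagged)} of {len(suites)} suites flagged")
    for name, why in flagged.items():
        print(f"  {name}: {', '.join(why)}")
```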

pengwang
VMware Employee

The client has its own GPO, shown below. Could you please configure it to see if it works? (Please remove WOW6432Node if your host is a 32-bit OS.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\VMware, Inc.\VMware VDM\Client\Security]

"SSLCipherList"="TLSv1:TLSv1.1:AES:!aNULL:@STRENGTH"

justanothernewg
Contributor

Using regedit, VMware, Inc.\VMware VDM\Client\Security did not exist under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies so I created it and the following string:

Value name: SSLCipherList

Value data:  TLSv1:TLSv1.1:AES:!aNULL:@STRENGTH

I'm still getting the same SSL error.

pengwang
VMware Employee

OK, so it might not be cipher related. Could you please attach the following information?

1. Provide the card model.

2. Follow the steps below to generate and attach the client debug logs:

   1. Run the command to change the log level:

      - C:\XXX\VMware Horizon View Client\DCT\support.bat loglevels

      - Input “3” to choose the “View Trace” log level

   2. Launch the View client and reproduce the problem.

   3. Use DCT to collect all View client logs. There are 2 options to achieve that:

      - Command: after quitting the client, run the command C:\XXX\VMware Horizon View Client\DCT\support.bat

      - UI: after reproducing the issue, quit the client and re-launch the client UI, find 'Support Information' in the drop-down menu on the toolbar option button, and then click 'Collect Support Data' on that dialog

justanothernewg
Contributor

The card model is Oberthur ID One 128 v5.5

Attached is the client log after increasing log level and attempting a login.

anthony2005
Contributor

I have a similar problem.

I administer two sites with VMware Horizon 6 deployed. I set up both sites the same way. However, at one, login via smart card (Rutoken is used) works normally, and the other gives exactly the same error as the author of the discussion.

What logs would help solve the problem?

kleakso
Contributor

I have the same issue.

The most interesting thing is that from different ISPs I got different results (from some I can connect, from others I got an error).

Also, my Android devices are not working.

Can you please point out where to look in order to solve the problem?

FelixYan
VMware Employee

Hi justanothernewguy,

The client log shows that your cert could not be verified by the broker side:

2015-05-26 07:27:53.017+-5:00 DEBUG (1794) [libcdk] BasicHTTP: curl (TEXT) on request 0382DA38: error:14099004:lib(20):func(153):reason(4)

2015-05-26 07:27:53.017+-5:00 DEBUG (1794) [libcdk] BasicHTTP: curl (TEXT) on request 0382DA38: Closing connection 1

1) Is your cert issued by a root CA or an intermediate CA?

2) Client 3.5/3.51 has just been released; could you please try with that version?

3) Could you collect the broker's full-level logs?

Thanks,

Felix
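
How the packed OpenSSL error code in the log lines above breaks down, as an added example that is not part of the original post or of VMware's tooling: assuming the client bundles an OpenSSL 1.0.x build, the 32-bit code splits into library, function and reason numbers, and a reason number that equals a library number is the generic "failure came from that library" code. The names `unpack` and `scan` and the `ERR_LIB` subset are chosen here.

```python
import re

# OpenSSL 1.0.x packs an error into 32 bits: lib (8) | func (12) | reason (12).
ERR_LINE = re.compile(
    r"error:([0-9A-Fa-f]{8}):lib\((\d+)\):func\((\d+)\):reason\((\d+)\)")

# Subset of OpenSSL library numbers (ERR_LIB_*). Generic reason codes
# (ERR_R_<X>_LIB) reuse the same numbers to say "the failure came from lib X".
ERR_LIB = {2: "SYS", 3: "BN", 4: "RSA", 5: "DH", 6: "EVP", 9: "PEM",
           10: "DSA", 11: "X509", 13: "ASN1", 16: "EC", 20: "SSL"}

# The two client log lines quoted in the post above.
SAMPLE_LOG = """\
2015-05-26 07:27:53.017+-5:00 DEBUG (1794) [libcdk] BasicHTTP: curl (TEXT) on request 0382DA38: error:14099004:lib(20):func(153):reason(4)
2015-05-26 07:27:53.017+-5:00 DEBUG (1794) [libcdk] BasicHTTP: curl (TEXT) on request 0382DA38: Closing connection 1
"""


def unpack(code_hex):
    """Split a packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def scan(log_text):
    """Decode every OpenSSL error line found in a client log."""
    findings = []
    for line in log_text.splitlines():
        m = ERR_LINE.search(line)
        if not m:
            continue
        lib, func, reason = unpack(m.group(1))
        printed = tuple(int(m.group(i)) for i in (2, 3, 4))
        findings.append({
            "code": m.group(1),
            "lib": ERR_LIB.get(lib, str(lib)),   # library that raised the error
            "func": func,
            "reason": reason,
            "origin": ERR_LIB.get(reason),       # set when reason is a generic lib code
            "consistent": printed == (lib, func, reason),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```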

zhenK
VMware Employee

Hi,

For the Android client, we have the following suggestions.

(1) First, I suggest you upgrade the Android client to 3.5.

(2) If the issue still exists, you can re-plug the USB smart card.

(3) Maybe you can try to restart the connection server if convenient.


Thanks

pengwang
VMware Employee

Hi Users,

The issue cannot be reproduced in house and it is difficult to troubleshoot from the information you have provided so far. Could you please contact VMware technical support to open a ticket if you still get the issue with the latest client? Thanks!

larsonm
VMware Employee

Is smartcard authentication using only TLS v1.2 supported in Horizon View Connection Server 6.2.1 with Horizon View Client 3.5.2?

pengwang
VMware Employee

No, TLSv1.1 and 1.0 should be supported also.

larsonm
VMware Employee

Thanks for the reply. If you don't mind, I'd like to ask a follow-up question to ensure I'm understanding.

Our goal is to restrict client and server to TLSv1.2 while using smartcard authentication.  In a previous post, it seems that you say this is unsupported.  Is this now a supported configuration?

cyberfed2727
Enthusiast

Have you ensured that you have properly loaded all the necessary root and intermediate CA certs onto the View Connection server (MMC Snapin - Certs) as well as added them to your java key store, and that your locked.properties file is configured correctly? That jammed us up for a bit; we had to add our new CA certs into our java key store. We were getting the same generic SSL error message on the Horizon View client.

For us, only newer employees' badges were having the issue while older employee badges worked fine. We just had to add the updated certs to MMC/Java Keystore, then all cards could authenticate.
