VMware Horizon Community
justanothernewg
Contributor

Horizon client SSL error

I'm using Horizon Client, 3.3.0 build-2507564, and getting an SSL error when attempting a CAC login to the target site.  I am presented the banner, prompted for my certificate, prompted for my PIN, and then I get this error after putting in my PIN:

Error: An SSL error occurred

I have the SSL setting set to "Warn before connecting to untrusted servers", but I get no such warning.  I've tried all three configuration options for this SSL setting but none seems to resolve the issue.  It doesn't appear to be a certificate/security issue.  Other folks using the same version of Horizon client and using CAC authentication are not having this issue.  I've tried reinstalling ActivClient which hasn't helped either.


Any ideas?

22 Replies
larsonm
VMware Employee

Yes. 

With the locked.properties configured to use only TLSv1.1, it works fine.  When I configure the locked.properties to use only TLSv1.2, I get an SSL error.

There's an old KB on this issue.  6.2 is not listed, but that doesn't always matter, as the KB hasn't been updated since 2014.

0 Kudos
Mplane
Contributor

Thank you! My problem with the error is solved!
I added to the registry on the client:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security]
"SSLCipherList"="SSLv3:TLSv1:TLSv1.1:AES:RC4-SHA:!aNULL:@STRENGTH"


0 Kudos
BBannerHulk
Contributor

I'm not sure if this solution will work for others, but I had this issue after applying specific crypto hardening for SSL, TLS, etc.  The solution was quite simple but hard to pinpoint.

Delete the following dword value if it exists:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

"Enabled"

Mine was set to 0xffffffff, which is supposed to be enabled, but it seems that the VMware Horizon Client freaks out and throws an SSL error if it's set.  The Windows default is enabled, so deleting the key is the same as setting it to enabled.  For whatever reason, as soon as the Horizon Client sees that there is no "Enabled" dword value for PKCS set, everything runs just fine.

The attached reg file will also delete the value.
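
A read-only PowerShell check for the two client registry settings mentioned in the replies above (the "SSLCipherList" policy value and the SCHANNEL PKCS "Enabled" value), useful for comparing a failing client against a working one. This is an added example, not part of any post in the thread; the helper name Get-RegValueOrNull is hypothetical, and the registry paths are the ones quoted in the replies.

```powershell
# Read-only: reports the two registry settings from this thread, changes nothing.
$pkcsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS'
$policyKey = 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security'

# Hypothetical helper: returns the value data, or $null if the key or value is absent.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. SCHANNEL PKCS "Enabled": absent means the Windows default applies.
$enabled = Get-RegValueOrNull -Path $pkcsKey -Name 'Enabled'
if ($null -eq $enabled) {
    'PKCS\Enabled  : not set (Windows default applies)'
} else {
    # X8 prints the DWORD as hex, so a value shown as -1 appears as FFFFFFFF.
    'PKCS\Enabled  : explicitly set to 0x{0:X8}' -f $enabled
}

# 2. Horizon Client cipher list policy: absent means the client default applies.
$cipherList = Get-RegValueOrNull -Path $policyKey -Name 'SSLCipherList'
if ($null -eq $cipherList) {
    'SSLCipherList : no policy value set (client default applies)'
} else {
    'SSLCipherList : {0}' -f $cipherList
    # Tokens are colon-separated; "!" and "-" prefixes exclude, "@" is a sort directive.
    $included = $cipherList -split ':' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notmatch '^[!@-]' }
    foreach ($token in $included) {
        # SSLv3 (RFC 7568) and RC4 (RFC 7465) are deprecated; flag tokens naming them.
        if ($token -match 'SSLv3|RC4') {
            "  review: token '{0}' references SSLv3 or RC4, both deprecated" -f $token
        }
    }
}
```

Running it on both a working and a failing client and comparing the output shows whether either setting differs between them.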