VMware Horizon Community
Terminatorthree
Contributor

New RSA4096/SHA256 certificate ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Hi,

I had to replace my VMware View certificate because the old one just expired. I went for RSA4096/SHA256 signed by WoSign for free. After installing the certificate I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome (other browsers don't work either).

Debug log shows:

[KeyVaultKeyStore] (NetHandler) Failed to get certificate chain for: "vdm"

I already imported the intermediate and root certificates. I also tried exporting the whole chain and reimporting the .pfx, with no success. If I go back to the old certificate I can get an SSL handshake (but of course it is expired).

Environment:

Windows 2012R2

View 6.2

RSA4096

SHA256

WoSign CA and Intermediate

Thanks for any help

Terminatorthree

Update: According to the Java Cryptography Architecture Oracle Providers Documentation, SHA256 is not supported by SunJSSE, which is used as the SSL provider by VMware View. Can anybody confirm or disprove this?

5 Replies
roneng
Enthusiast

Hello

I can't be sure because I have not implemented it yet, but according to this doc it seems that SHA256 is supported: https://pubs.vmware.com/horizon-62-view/topic/com.vmware.ICbase/PDF/view-62-security.pdf

It might be that the CA is not trusted; I could not find it in the trusted CAs on my laptop.

I wonder, does the /admin page work?

0 Kudos
Terminatorthree
Contributor

Hi,

The admin page does not work either. The web server does not bind any SSL certificate to port 443, and that's why clients can't connect. Meanwhile I tested with a SHA1/RSA2048 cert from the same CA and it does not work either. So it seems VMware View, or the JRE being used, does not like the WoSign CA. On a Windows level this CA is trusted, and on all modern mobile devices as well.

Any idea how I can add trust to the CA for VMware View? I tried manually adding it to Trusted Roots in Windows but it tells me that it's already there. Is there any additional CA Keystore just for VMware View?

0 Kudos
trevorgibson
Contributor

I ran into the same problem. During the certificate import I needed to check 'Mark this key as exportable. This will allow you to back up or transport your keys at a later time.'

I hope this helps someone in the future.

joshopper
Hot Shot

Only one cert on the server can have the friendly name "vdm". Did you remove this friendly name from the other cert?

0 Kudos
fourg
Contributor

My hero! I've been spinning my wheels with a SHA256 cert in a new View 7.0.2 installation and had not installed the cert as exportable at first. After removing and reinstalling it as exportable it's now working. Beers are on me.

-Brent

0 Kudos
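
The checks suggested in this thread (exactly one certificate with the friendly name "vdm", a private key marked exportable, a chain that Windows can build) can be run in one pass. The script below is an added example, not part of any post above and not VMware code. It assumes an elevated Windows PowerShell session on the View server, .NET Framework 4.6 or later, and that the certificate was imported into the local computer Personal store.

```powershell
# Added example. Assumption: the View certificate is in the local computer
# Personal store; run elevated so the private key can be opened.
$store = 'Cert:\LocalMachine\My'
$vdm = @(Get-ChildItem $store | Where-Object { $_.FriendlyName -eq 'vdm' })

# Only one certificate may carry the friendly name "vdm".
if ($vdm.Count -ne 1) {
    Write-Warning "Expected exactly one 'vdm' certificate, found $($vdm.Count)."
}

foreach ($cert in $vdm) {
    $exportable = $null   # stays $null if the key is missing or unreadable
    if ($cert.HasPrivateKey) {
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the export policy is a flags enum
                $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                $exportable = ($key.Key.ExportPolicy -band $allow) -eq $allow
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        } catch {
            Write-Warning "Cannot open private key for $($cert.Thumbprint): $($_.Exception.Message)"
        }
    }

    # Ask Windows to build the chain from the installed root and intermediates.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        NotAfter           = $cert.NotAfter
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        HasPrivateKey      = $cert.HasPrivateKey
        KeyExportable      = $exportable
        ChainBuilds        = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

A result with `KeyExportable` set to `False` matches the situation two posters in this thread fixed by reimporting the certificate with the exportable option checked.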