VMware Horizon View Agent Direct-Connection Plugin Administration
Disabling Weak Ciphers in SSL/TLS
You can ensure that View Client to View desktop communications that use SSL/TLS protocol do not allow
weak cryptographic ciphers by using this View desktop hardening procedure.
The configuration for disabling weak ciphers is stored in the Windows registry. Changes to these settings
must be done on all desktop operating systems that run View Agent Direct-Connection Plugin.
NOTE These settings affect all use of SSL/TLS on the operating system.
Both SSL 3.0 and TLS 1.0 (RFC 2246), together with the Internet-Draft "56-bit Export Cipher Suites For TLS"
(draft-ietf-tls-56-bit-ciphersuites-00.txt), provide a choice of cipher suites. Each cipher suite
determines the key exchange, authentication, encryption, and MAC algorithms used within an SSL/TLS
session, so disabling a single weak algorithm in the registry removes every suite that depends on it.
Prerequisites
You need to have experience editing Windows registry keys using the Regedt32.exe registry editor.
Procedure
- Start Registry Editor Regedt32.exe, and locate this registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
What to do next
Table 2-2. Cipher Suites Updates

Windows XP SP3
1. In subkey \Ciphers\DES 56/56, add a DWORD value Enabled with a value of 0x0.
2. In subkey \Hashes\MD5, add a DWORD value Enabled with a value of 0x0.
These updates ensure that only the following cipher suites are available on Windows XP SP3:
- SSLv3 168 bits DES-CBC3-SHA
- SSLv3 128 bits RC4-SHA
- TLSv1 168 bits DES-CBC3-SHA
- TLSv1 128 bits RC4-SHA

Windows Vista and Later
1. In subkey \Hashes, create a subkey MD5.
2. In subkey \Hashes\MD5, add a DWORD value Enabled with a value of 0x0.
These updates ensure that only the following cipher suites are available on Windows Vista and later:
- SSLv3 168 bits DES-CBC3-SHA
- SSLv3 128 bits RC4-SHA
- TLSv1 256 bits AES256-SHA
- TLSv1 128 bits AES128-SHA
- TLSv1 168 bits DES-CBC3-SHA
- TLSv1 128 bits RC4-SHA
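The same Table 2-2 changes applied from PowerShell rather than Regedt32.exe, as an added example that is not part of the VMware document. It assumes an elevated session on each desktop that runs the plugin, and it uses the .NET registry API rather than the HKLM: provider because the PowerShell provider treats the forward slash in the key name "DES 56/56" as a path separator and would create the wrong key. The function names and the OS-version test are this example's own choices.

```powershell
# Added example, not from the VMware document. Applies the Table 2-2 SCHANNEL
# hardening and reports the resulting state. Run elevated on every View desktop
# that runs View Agent Direct-Connection Plugin.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelAlgorithmDisabled {
    # $SubKey is relative to SCHANNEL, e.g. 'Hashes\MD5' or 'Ciphers\DES 56/56'.
    param([Parameter(Mandatory = $true)][string]$SubKey)

    # Assumption: .NET API used deliberately; '/' is legal in a registry key name
    # but the HKLM: provider would split 'DES 56/56' into two keys.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelPath, $true)
    if ($null -eq $root) { throw "SCHANNEL key not found: HKLM\$SchannelPath" }
    try {
        # CreateSubKey opens an existing key or creates it (Hashes\MD5 does not
        # exist by default on Vista and later, which is why the table says to create it).
        $key = $root.CreateSubKey($SubKey)
        try {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally { $key.Close() }
    } finally { $root.Close() }
}

function Get-SchannelAlgorithmState {
    # Read-only check so the result can be verified (or audited on other desktops).
    param([Parameter(Mandatory = $true)][string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelPath\$SubKey")
    if ($null -eq $key) { return 'absent (OS default applies)' }
    try {
        $v = $key.GetValue('Enabled')
        if ($null -eq $v) { return 'no Enabled value (OS default applies)' }
        if ($v -eq 0) { return 'disabled' }
        return ('enabled (0x{0:X})' -f $v)
    } finally { $key.Close() }
}

# Table 2-2: Windows XP SP3 (NT 5.x) disables the DES 56/56 cipher and the MD5
# hash; Windows Vista and later (NT 6.0+) only need the MD5 hash disabled.
$osMajor = [Environment]::OSVersion.Version.Major
if ($osMajor -lt 6) {
    $targets = @('Ciphers\DES 56/56', 'Hashes\MD5')
} else {
    $targets = @('Hashes\MD5')
}

foreach ($t in $targets) {
    Set-SchannelAlgorithmDisabled -SubKey $t
    '{0,-20} {1}' -f $t, (Get-SchannelAlgorithmState -SubKey $t)
}
'Restart the desktop so that SCHANNEL re-reads these values.'
```

SCHANNEL reads these keys at start-up, so plan a restart of each desktop after the change. Note also that the suites the table leaves enabled reflect the Windows releases it was written for: SSL 3.0 (RFC 7568) and RC4 (RFC 7465) have since been deprecated outright, so on a current build you would extend the same pattern to the SSL 3.0 protocol and RC4 cipher keys under SCHANNEL, and the NOTE above still applies: every SSL/TLS client and server on that desktop is affected, not just View.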
Replacing the Default Self-Signed SSL Server Certificate
A self-signed SSL server certificate cannot give View Client sufficient protection against threats of
tampering and eavesdropping. To protect your desktops from these threats, you must replace the generated
self-signed certificate.
When View Agent Direct-Connection Plugin starts for the first time after installation, it automatically
generates a self-signed SSL server certificate and places it in the Windows Certificate Store. The SSL server
certificate is presented to View Client during the SSL protocol negotiation to provide information to the
client about this View desktop. This default self-signed SSL server certificate cannot give guarantees about
this desktop, unless it is replaced by a certificate signed by a Certificate Authority (CA) that is trusted by the
client and is fully validated by the View Client certificate checks.
The procedure for storing this certificate in the Windows Certificate Store and the procedure for replacing it
with a proper CA signed certificate, are the same as those used for View Connection Server (version 5.1 or
later). See "Configuring SSL Certificates for View Servers," in the VMware Horizon View Installation
document for details on this certificate replacement procedure.
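A check that tells you whether a desktop is still presenting the generated self-signed certificate, added here as an example and not taken from the VMware document. It assumes the plugin's certificate is found in the local machine's personal store by the friendly name "vdm", which is the convention of the View Connection Server procedure the document says the plugin shares; if your deployment uses a different friendly name, change the parameter. The function name and the verdict wording are this example's own.

```powershell
# Added example, not from the VMware document. Reports whether the View
# desktop's SSL server certificate is still self-signed and whether the
# desktop itself can build a trusted chain for it.

function Test-ViewServerCertificate {
    # Assumption: friendly name 'vdm', as in the View Connection Server procedure.
    param([string]$FriendlyName = 'vdm')

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $certs = @($store.Certificates | Where-Object { $_.FriendlyName -eq $FriendlyName })
    } finally { $store.Close() }

    if ($certs.Count -eq 0) {
        throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My"
    }

    foreach ($c in $certs) {
        # A certificate whose issuer is its own subject is self-signed: no CA
        # the client trusts has vouched for it, which is the weakness described above.
        $selfSigned = ($c.Subject -eq $c.Issuer)
        # Verify() builds and validates the chain against this machine's trusted roots.
        $chainOk = $c.Verify()
        $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays

        if (-not $selfSigned -and $chainOk -and $c.HasPrivateKey) {
            $verdict = 'OK: CA-signed, chain valid, private key present'
        } else {
            $verdict = 'REPLACE: self-signed, untrusted chain, or no private key'
        }

        New-Object PSObject -Property @{
            Thumbprint    = $c.Thumbprint
            Subject       = $c.Subject
            Issuer        = $c.Issuer
            SelfSigned    = $selfSigned
            ChainValid    = $chainOk
            HasPrivateKey = $c.HasPrivateKey
            DaysToExpiry  = $daysLeft
            Verdict       = $verdict
        }
    }
}

Test-ViewServerCertificate | Format-List Thumbprint, Subject, Issuer, SelfSigned, ChainValid, HasPrivateKey, DaysToExpiry, Verdict
```

A passing result here only shows that the desktop trusts the chain; the protection the document is after comes from the client side, so the issuing CA must also be trusted by, and the certificate must pass the checks of, the View Client that connects.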