Last Updated: 9/9/2015 subscribe
 Details
To remediate the security issues described in CVE-2015-4000 ("Logjam"), the VMware Security Engineering, Communications, and Response group (vSECR) recommends removing the two vulnerable cipher suites and replacing them with two cipher suites that work only with TLSv1.2. This task can be performed on the following components:
  • For Horizon clients, including Horizon Client for Windows, Linux, Mac OS X, iOS, and Android, you modify the cipher string used and you can enable TLSv1.2.
  • For View Connection Server instances and their paired security servers, you modify the global acceptance and proposal policies set on the server hosts.
  • For Windows machines on which View Agent and View Composer are installed, you set a domain group policy (GPO) or local group policy.
This KB describes how to perform these remediation tasks. This KB pertains to the following versions of View components:
  • Horizon Client 3.x for Windows, Linux, Mac OS X, iOS, and Android.
  • View Connection Server and security server versions 5.2.x, 5.3.x, 6.0.x, and 6.1.x. Earlier releases cannot support TLSv1.1 or TLSv1.2. For these earlier releases, see KB 2039340 for guidance on editing cipher suites, and do not include the two cipher suites with names that have the following ending: _SHA256.
  • View Agent and View Composer versions 5.2.x, 5.3.x, 6.0.x, and 6.1.x, installed on Windows Vista or later operating systems. The remediation steps cannot be performed on Windows XP machines.
 Solution

For Horizon Clients

To configure the cipher suites and protocols used by the client, you must follow the client-specific procedure described in the applicable Using VMware Horizon Client document. The procedure is described in the topic about configuring advanced SSL options. For example, for iOS clients, see the topic called "Configure Advanced SSL Options." For Windows clients, the topic is called "Configuring Advanced SSL Options." The Using VMware Horizon Client guides for all types of clients are available at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
This procedure applies to Horizon Client for Windows, Linux, Mac OS X, iOS, and Android. As part of this procedure, VMware recommends enabling the TLSv1.2 protocol because it is much stronger than earlier versions. Note, however that smart cards do not work with the TLSv1.2 protocol in the currently released versions of Horizon Clients.
Cipher strings are used for configuring the cipher suites. Use the procedure for configuring advanced SSL options to change the cipher string to one of the following strings:
  • For Mac OS X, iOS, Android, and Linux clients, change the cipher string to:

    !aNULL:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH

    Also enable TLSv1.2 if you do not need to use smart cards for authentication.

  • For Windows clients, the string includes both the cipher suites and the protocols. Therefore, to include TLSv1.2 as an enabled protocol, use the string:

    TLSv1:TLSv1.1:TLSv1.2:!aNULL:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH

    If users must use smart cards for authentication, omit TLSv1.2: because smart cards do not currently work with that protocol in Horizon Client.

For View Connection Server Instances and Paired Security Servers

The default global acceptance and proposal policies are defined in View LDAP attributes. These policies apply to all View Connection Server instances in a replicated group and all security servers paired with them. To change a global policy, you can edit View LDAP on any View Connection Server instance.
For details about how to navigate to the correct View LDAP attributes, see the topics called Global Acceptance and Proposal Policies Defined and Change the Global Acceptance and Proposal Policies in the View Security guide. Note that although these links point to the 6.1 version of the guide, the topics are the same as those in the 5.2/5.3 and 6.0 versions of the guide.
  1. Change the pae-ClientSSLSecureProtocols attribute and the pae-ServerSSLSecureProtocols attribute as follows:

    pae-ClientSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"

    pae-ServerSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"


    This setting enables TLSv1.2 by default, to make use of the new cipher suites you will be adding when you set the next attributes.

  2. Change the pae-ClientSSLCipherSuites attribute and the pae-ServerSSLCipherSuites attribute as follows:
pae-ClientSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA"

pae-ServerSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA"


Note that although these cipher suites are shown on separate lines to improve readability, when you edit this attribute, enter the cipher suites on one line with no spaces after the commas.
Also note that the last cipher suite shown in the list, SSL_RSA_WITH_RC4_128_SHA, should be omitted if all connecting clients support AES cipher suites.
To add 256-bit versions of the cipher suites, follow the instructions in the topic JCE Policy Files to Support High-Strength Cipher Suites in the View Security guide.

For View Agent and View Composer Installed in Windows Machines

You can perform the following procedure if the View Agent component or View Composer component is installed in a Windows Vista or later operating system. This procedure is not supported on Windows XP systems.
To enable the correct cipher suites using the GPO Editor:
Note: The list of cipher suites in the following procedure applies equally to SSL client mode and SSL server mode.
  1. Open a command prompt, type gpedit.msc and press Enter to start the Group Policy Object Editor.
  2. Expand Computer ConfigurationAdministrative TemplatesNetworkSSL Configuration Settings.
  3. Under SSL Configuration Settings, double-click SSL Cipher Suite Order.
  4. In the SSL Cipher Suite Order window, click Enabled.
  5. In the Options pane, double-click to highlight the entire contents of the SSL Cipher Suites text box and replace its contents with the following cipher list:

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_RC4_128_SHA


    Note that although these cipher suites are shown on separate lines to improve readability, when you edit this attribute, enter the cipher suites on one line with no spaces after the commas.

    Also note that the last cipher suite shown in the list, TLS_RSA_WITH_RC4_128_SHA, should be omitted if all connecting clients support AES cipher suites.
  6. Click OK.
  7. Close the Group Policy Object Editor and restart the system.
To enable the TLSv1.2 protocol using the Windows Registry Editor:
  1. On the Windows Vista or later machine where View Agent or View Composer is installed, open the Windows Registry Editor ( regedit.exe).
  2. Navigate to
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  3. Create the following keys (if they do not already exist) and set values as shown in the following table.

    Key (Location)NameTypeData
    \SSL 2.0\ClientEnabledREG_DWORD0
    \SSL 2.0\ServerEnabledREG_DWORD0
    \SSL 3.0\ClientEnabledREG_DWORD0
    \SSL 3.0\ServerEnabledREG_DWORD0
    \TLS 1.1\ClientDisabledByDefaultREG_DWORD0
    \TLS 1.1\ServerDisabledByDefaultREG_DWORD0
    \TLS 1.2\ClientDisabledByDefaultREG_DWORD0
    \TLS 1.2\ServerDisabledByDefaultREG_DWORD0

Additional Information

For translated versions of this article, see:
 Request a Product Feature
To request a new product feature, please contact your VMware representative.