May 9, 2015 - Sven Huisman

Disable SSLv3 on VMware View Connection servers

You might have missed VMware KB2094442, and you might not realise that if you are running VMware Horizon View 6.0.x or older with the Horizon Blast protocol enabled, you could still be using SSLv3:

The Secure Gateway, which provides a secure tunnel for carrying RDP and other data over HTTPS, listens on port 443 by default. SSLv3 connections to the secure tunnel are disabled by default.

The Blast Secure Gateway (BSG) provides browser access to View desktops over HTTPS. This gateway listens on port 8443 by default. SSLv3 connections to the BSG are not disabled by default on security server or View Connection Server versions 5.2.x, 5.3.0, 5.3.1, 5.3.2, and 6.0.x. 

Why should you disable SSLv3? A vulnerability was discovered back in October 2014 that allows a network attacker to calculate the plaintext of secure connections (http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html).

Upgrading to VMware Horizon 6.1 solves this issue and disables SSLv3. If you are not upgrading any time soon, you should follow the steps described in the knowledge base article:

You can disable SSLv3 access to the Blast Secure Gateway by editing the absg-config.js file on a security server or View Connection Server instance.

1. On each security server or View Connection Server instance, open the absg-config.js file in a text editor. The file is located in the following path:

C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\

This path applies to security server or View Connection Server 5.2.x, 5.3.x, and 6.0.x.

2. Add the following line near the beginning of the file:

var constants = require('constants');

For example, you can insert this line around line 5, above the existing line:

exports.load = …

3. Scroll to the getHttps() function, around line 119, and place your cursor just above the existing line:

return option;

Insert the following two lines:

  option.secureProtocol = 'SSLv23_method';
  option.secureOptions = constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3;

The secureOptions attribute disables SSLv2 and SSLv3. These lines set attributes in the ‘option’ object programmatically.

4. Restart the VMware Horizon View Blast Secure Gateway service.

5. Repeat these steps on all security servers and View Connection Server instances in the pod.
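
Because the same hand edit has to be repeated on every server, it is worth checking the edited file before restarting the service. The following is an added example, not VMware's code or part of the KB: the function name auditBsgConfig and the sample file contents are assumptions constructed for illustration, and it only inspects the file text for the lines from steps 2 and 3.

```javascript
// Added example (not VMware code): audit the text of an edited absg-config.js.
function auditBsgConfig(source) {
  const findings = [];
  // Ignore commented-out lines so a disabled fix is not counted as applied.
  const code = source.replace(/\/\*[\s\S]*?\*\//g, '').replace(/^\s*\/\/.*$/gm, '');
  // Typographic quotes picked up from a web page are not JS string delimiters.
  if (/[\u2018\u2019\u201C\u201D]/.test(code)) findings.push('typographic quotes present');
  // Compile (never execute) the file inside a CommonJS-style wrapper.
  try {
    new Function('exports', 'require', 'module', source);
  } catch (err) {
    findings.push('syntax error: ' + err.message);
  }
  if (!/require\(\s*['"]constants['"]\s*\)/.test(code)) {
    findings.push("missing require('constants')");
  }
  const m = /option\.secureOptions\s*=\s*([^;]+);/.exec(code);
  if (!m) {
    findings.push('secureOptions not set');
    return findings;
  }
  for (const flag of ['SSL_OP_NO_SSLv2', 'SSL_OP_NO_SSLv3']) {
    if (!new RegExp('\\b' + flag + '\\b').test(m[1])) {
      findings.push(flag + ' not in secureOptions');
    }
  }
  // The assignment only takes effect if getHttps() returns the object afterwards.
  if (code.indexOf('return option;', m.index) === -1) {
    findings.push('no "return option;" after secureOptions');
  }
  return findings;
}

// Constructed samples; the real file's other contents are not reproduced here.
const HARDENED = [
  "var constants = require('constants');",
  'function getHttps() {',
  '  var option = {};',
  "  option.secureProtocol = 'SSLv23_method';",
  '  option.secureOptions = constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3;',
  '  return option;',
  '}',
].join('\n');
const PASTED = HARDENED.replace(/'/g, '\u2018');               // quotes mangled on paste
const SSLV2_ONLY = HARDENED.replace(' | constants.SSL_OP_NO_SSLv3', '');

for (const [name, src] of Object.entries({ HARDENED, PASTED, SSLV2_ONLY })) {
  console.log(name, auditBsgConfig(src));
}
```

To check a real server, pass in the file's contents, for example the string returned by fs.readFileSync(path, 'utf8'). An empty result means the text matches the steps above; it is a static check and does not prove that the listener on port 8443 refuses SSLv3.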
