May 9, 2015 - Sven Huisman
Disable SSLv3 on VMware View Connection servers
You might have missed VMware KB2094442, and you might not realise that if you are using VMware Horizon View 6.0.x or older, you could still be using SSLv3 if you enabled the Horizon Blast protocol:
The Secure Gateway, which provides a secure tunnel for carrying RDP and other data over HTTPS, listens on port 443 by default. SSLv3 connections to the secure tunnel are disabled by default.
The Blast Secure Gateway (BSG) provides browser access to View desktops over HTTPS. This gateway listens on port 8443 by default. SSLv3 connections to the BSG are not disabled by default on security server or View Connection Server versions 5.2.x, 5.3.0, 5.3.1, 5.3.2, and 6.0.x.
Why should you disable SSLv3? Apparently, a vulnerability was discovered back in October 2014 that allows the plaintext of secure connections to be calculated by a network attacker (http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html).
Upgrading to VMware Horizon 6.1 solves this issue and disables SSLv3. If you are not upgrading any time soon, you should follow the steps described in the knowledge base article:
You can disable SSLv3 access to the Blast Secure Gateway by editing the absg-config.js file on a security server or View Connection Server instance.
2. Add the following line near the beginning of the file:
var constants = require('constants');
For example, you can insert this line around line 5, above the existing line:
exports.load = …
option.secureProtocol = 'SSLv23_method';
The secureOptions attribute disables SSLv2 and SSLv3. These lines set attributes in the ‘option’ object programmatically.
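After editing the file on each server, a small audit of its text catches the usual mistakes: a setting left out or commented out, or straight quotes turned into curly quotes by a copy and paste. The following is an added example, not code from the KB article or from VMware. The function name `auditAbsgConfig` and the sample file contents are constructed for illustration, and since the exact secureOptions line is not shown here, the check assumes only that it names Node's `SSL_OP_NO_SSLv3` constant.

```javascript
// Added example, not VMware's code: audit the text of an edited absg-config.js.
// ASSUMPTION: the exact secureOptions line is not shown on this page; this check
// only requires that its right-hand side names Node's SSL_OP_NO_SSLv3 constant.
function auditAbsgConfig(src) {
  const findings = [];
  // Curly quotes copied from a web page are a JavaScript syntax error.
  if (/[\u2018\u2019\u201C\u201D]/.test(src)) {
    findings.push('curly quotes in file');
  }
  // Drop whole-line comments so a commented-out setting does not count.
  const code = src.replace(/^\s*\/\/.*$/gm, '');
  if (!/require\(\s*['"]constants['"]\s*\)/.test(code)) {
    findings.push("require('constants') missing");
  }
  if (!/\.secureProtocol\s*=\s*['"]SSLv23_method['"]/.test(code)) {
    findings.push('secureProtocol is not SSLv23_method');
  }
  // SSLv23_method is version-flexible, so SSLv3 stays enabled unless
  // secureOptions carries the SSL_OP_NO_SSLv3 bit.
  const m = code.match(/\.secureOptions\s*=([^;]*);/);
  if (!m || !/\bSSL_OP_NO_SSLv3\b/.test(m[1])) {
    findings.push('secureOptions lacks SSL_OP_NO_SSLv3');
  }
  return findings;
}

// Constructed samples (not real server files).
const HARDENED = [
  "var constants = require('constants');",
  'exports.load = function (option) {',
  "  option.secureProtocol = 'SSLv23_method';",
  '  option.secureOptions = constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3;',
  '};',
].join('\n');
const PASTED = HARDENED.replace(/'/g, '\u2019'); // quotes mangled by copy/paste
const UNPATCHED = 'exports.load = function (option) {\n};';

console.log(auditAbsgConfig(HARDENED));
console.log(auditAbsgConfig(PASTED));
console.log(auditAbsgConfig(UNPATCHED));
```

An empty result means the file text contains all the settings; it does not prove the running gateway has reloaded them, so restart the service and confirm with a TLS scanner against port 8443.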