
Enabling support for SSLv3 in ESXi (2121021)

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2121021

Details

SSLv3 support in ESXi 6.0 is disabled by default for all services and ports. You may encounter the following errors because SSLv3 is not available on these ports:

CIM - Port 5989

The CIM server (sfcbd) stops accepting HTTPS connections. When you run a wbemcli query, you see an error similar to:

  [root@galaxy ~]# wbemcli -noverify -cte -nl ei
  https://user:password@192.168.240.5:5989/root/cimv2:CIM_NumericSensor
  *
  * wbemcli: Http Exception: SSL connect error
  *
  [root@galaxy ~]#

In the /var/log/syslog.log file, you see an entry similar to:

  <yyyy-mm-dd>T <time>Z sfcb-CIMXML-Processor[nnnnnn]: *** 1920 Error accepting SSL connection -- exiting
  SSL Error Stack:
  SSL

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Authd - Port 902

Linked clone pool creation fails due to connection failure between ESXi 6.0 Update 1 and View Composer 6.1.1 with an error message similar to:

  SSLv3 handshake was unsuccessful

See the Solution section to enable the required SSLv3 support to resolve these issues.

Solution

Caution: The following steps will expose security vulnerabilities with SSLv3. This issue is resolved in VMware View 6.2. For more information, see Release Notes for VMware Horizon 6 version 6.2. Download the latest version at My VMware.

The SSLv3 support can be enabled for these ports and services:

  CIM Port 5989
  Authd Service Port 902 

Enabling support for SSLv3 on CIM Port 5989 in ESXi

Create a backup copy of the /etc/sfcb/sfcb.cfg file.

Edit the /etc/sfcb/sfcb.cfg file to append the following line at the end of the file:

  enableSSLv3: true

Note: If you have the line enableSSLv3: false in the file, change it to enableSSLv3: true.

For example:

  [root@blr7-7th-dhcp-45-136:~] cat /etc/sfcb/sfcb.cfg
  # Generated by sfcb-config.py. Do not modify this header.
  # VMware ESXi 6.0.0 build-3029758
  #
  basicAuthLib: sfcBasicPAMAuthentication
  certificateAuthLib: sfcCertificateAuthentication
  cimXmlFdHardLimit: 1024
  cimXmlFdSoftLimit: 512
  .
  .
  .
  threadStackSize: 524288
  useChunking: true
  sslCipherList: HIGH:!DES-CBC3-SHA!CAMELLIA128-SHA!CAMELLIA256-SHA
  enableSSLv3: true

Restart the SFCBD service with the command:

  /etc/init.d/sfcbd-watchdog restart

Enabling support for SSLv3 on Authd service 902 in ESXi

Create a backup copy of the /etc/vmware/config file.

Edit the /etc/vmware/config file to append the following line at the end of the file:

  vmauthd.ssl.noSSLv3 = false

Note: If you have the line vmauthd.ssl.noSSLv3 = true in the file, change it to vmauthd.ssl.noSSLv3 = false.

For example:

  [root@w1-fiqabj-003:~] cat /etc/vmware/config
  libdir = "/usr/lib/VMware"
  authd.proxy.nfc = "vmware-hostd:ha-nfc"
  authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
  authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
  authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
  authd.fullpath = "/sbin/authd"
  vmauthd.ssl.noSSLv3 = false

Restart the rhttpproxy service with the command:

  /etc/init.d/rhttpproxy restart
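Because the two edits above leave a host accepting a deprecated protocol, an operator will want to find such hosts again later. The following Python audit is an added example, not part of the KB article or of any VMware tool: it parses the two configuration formats the article edits (sfcb.cfg "key: value" lines and /etc/vmware/config "key = value" lines) and reports which service still accepts SSLv3. The sample file contents are constructed; the default-when-absent values follow the article's statement that SSLv3 is off by default in ESXi 6.0, and treating a repeated key as last-one-wins is an assumption.

```python
# Constructed sample of /etc/sfcb/sfcb.cfg after the edit above (SSLv3 enabled);
# not a real host's file.
SFCB_CFG_ENABLED = """\
# Generated by sfcb-config.py. Do not modify this header.
basicAuthLib: sfcBasicPAMAuthentication
sslCipherList: HIGH:!DES-CBC3-SHA!CAMELLIA128-SHA!CAMELLIA256-SHA
enableSSLv3: true
"""

# Constructed sample of /etc/vmware/config in its ESXi 6.0 default state (SSLv3 off).
VMWARE_CONFIG_DEFAULT = """\
libdir = "/usr/lib/VMware"
authd.fullpath = "/sbin/authd"
vmauthd.ssl.noSSLv3 = true
"""


def parse_kv(text, sep):
    """Parse 'key<sep>value' lines, skipping blanks and '#' comments.
    Only the first separator splits, so ':' inside sfcb values survives.
    Assumption: a key repeated later in the file overrides the earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(sep)
        settings[key.strip()] = value.strip().strip('"').lower()
    return settings


def sslv3_enabled_cim(sfcb_cfg_text):
    """True if sfcbd (CIM, port 5989) is configured to accept SSLv3.
    Absent key means the ESXi 6.0 default: disabled."""
    return parse_kv(sfcb_cfg_text, ":").get("enableSSLv3", "false") == "true"


def sslv3_enabled_authd(vmware_config_text):
    """True if authd (port 902) is configured to accept SSLv3.
    Absent key means the ESXi 6.0 default: disabled (noSSLv3 = true)."""
    return parse_kv(vmware_config_text, "=").get("vmauthd.ssl.noSSLv3", "true") == "false"


def audit(sfcb_cfg_text, vmware_config_text):
    """Return one finding per service that still exposes SSLv3."""
    findings = []
    if sslv3_enabled_cim(sfcb_cfg_text):
        findings.append("CIM/sfcbd port 5989: enableSSLv3 is true")
    if sslv3_enabled_authd(vmware_config_text):
        findings.append("authd port 902: vmauthd.ssl.noSSLv3 is false")
    return findings


if __name__ == "__main__":
    print(audit(SFCB_CFG_ENABLED, VMWARE_CONFIG_DEFAULT))
```

Feed it the real file contents read from each host to confirm the settings were reverted once the View 6.2 upgrade removes the need for SSLv3.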

virtualization/vmware/sslv3.txt · Last modified: 2015/10/19 20:24 by 127.0.0.1