Enable SSLv3 on ESXi 6.5

vmware-esxi

Does anybody know how to enable SSLv3 for vmauthd on ESXi 6.5? The old "vmware-vdiskmanager" application for some reason insists on using it, and I cannot use the one from VDDK 6.5 because it requires an SSL certificate thumbprint but gives no option to specify it from the command line.

On ESXi 6.0 it was working fine, but after upgrading to 6.5 the ESXi host rejects the connection (just after it receives the SSL CLIENT HELLO). In the log I can see that only tls1.2 is allowed:

2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: protocol list tls1.2
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES

And indeed it does not recognise the protocol when vdiskmanager is trying to establish SSL:

2017-02-27T20:02:37Z vmauthd[68831]: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL
2017-02-27T20:02:37Z vmauthd[68831]: Could not expand environment variable HOME.
2017-02-27T20:02:37Z vmauthd[68831]: Could not expand environment variable HOME.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "/usr/lib/vmware/config": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "~/.vmware/config": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "~/.vmware/preferences": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: OpenSSL using FIPS_drbg for RAND
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
2017-02-27T20:02:37Z vmauthd[68831]: Connect from remote socket (10.5.0.3:51395).
2017-02-27T20:02:37Z vmauthd[68831]: Connect from 10.5.0.3
2017-02-27T20:02:37Z vmauthd[68831]: SSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-02-27T20:02:37Z vmauthd[68831]: recv() FAIL: 1.
2017-02-27T20:02:37Z vmauthd[68831]: VMAuthdSocketRead: read failed.  Closing socket for reading.
2017-02-27T20:02:37Z vmauthd[68831]: Read failed.

I have tried several ways to change it, but without any success:

  • add vmauthd.ssl.noSSLv3 = "false" to /etc/vmware/config
  • set "vmacore/ssl" in /etc/vmware/rhttpproxy/config.xml to "SSLv3,tls1.0,tls1.1,tls1.2"
  • remove "sslv3" from /UserVars/ESXiVPsDisabledProtocols

I am going nuts, is there some other way?

Thanks
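Added example, not code from the thread: a small Python parser that groups vmauthd log lines like the ones above by child pid and flags the sessions that failed before TLS was established, so the clients still speaking an obsolete protocol (here 10.5.0.3) can be inventoried and upgraded. The log text is a constructed sample modelled on the lines in the question; the assumption that each vmauthd child pid serves exactly one inbound connection is taken from how those lines group.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the question's log; pid 68902 is an added session with no SSL error.
SAMPLE_LOG = """\
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
2017-02-27T20:02:37Z vmauthd[68831]: Connect from remote socket (10.5.0.3:51395).
2017-02-27T20:02:37Z vmauthd[68831]: SSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-02-27T20:02:37Z vmauthd[68831]: recv() FAIL: 1.
2017-02-27T20:05:10Z vmauthd[68902]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T20:05:10Z vmauthd[68902]: Connect from remote socket (10.5.0.7:40001).
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vmauthd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PROTO_RE = re.compile(r"lib/ssl: protocol list (\S+)")          # first token only, flags ignored
CLIENT_RE = re.compile(r"Connect from remote socket \((?P<ip>[\d.]+):(?P<port>\d+)\)")
ERROR_RE = re.compile(r"SSL Error: (.*)")

@dataclass
class Session:
    pid: int
    protocols: list = field(default_factory=list)  # protocol versions the host will negotiate
    client: str = ""                               # peer IP, if the connect line was seen
    ssl_error: str = ""                            # OpenSSL error text, if the handshake failed

def parse_vmauthd_log(text: str) -> dict:
    """Group lines by vmauthd child pid (assumed: one child per inbound connection)."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a vmauthd line
        s = sessions.setdefault(int(m["pid"]), Session(int(m["pid"])))
        proto, client, err = (r.search(m["msg"]) for r in (PROTO_RE, CLIENT_RE, ERROR_RE))
        if proto:
            s.protocols = proto.group(1).split(",")
        elif client:
            s.client = client["ip"]
        elif err:
            s.ssl_error = err.group(1)
    return sessions

def failed_handshakes(sessions: dict) -> list:
    """Sessions rejected before TLS was established: the clients that need a TLS 1.2-capable tool."""
    return [s for s in sessions.values() if s.ssl_error]
```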

Best Answer

Are you talking about this:

Backward compatibility of TLS with vSphere 5.5U3. If a vSphere 6.5 customer sets TLS v1.2 authentication as mandatory, backups fail on ESXi 5.5U3 and earlier hosts, with “SSL Exception” errors. The fix is to upgrade those ESXi hosts to 5.5U3e or later. A workaround is to modify one of two configuration files on the VDDK proxy. The /etc/vmware/config or CommonAppDataFolder\config.ini file sets the entire proxy, while $USER/.vmware/config or %USERNAME%\AppData\config.ini sets just one user. Add the following line to the appropriate file: tls.protocols=tls1.0,tls1.1,tls1.2

clipped from https://vdc-download.vmware.com/vmwb-repository/dcr-public/ab4ca212-278a-4221-a4ce-4718dc9370d0/70a0a235-402a-4317-bc7a-b549de00ad3c/vsphere-vddk-65-release-notes.html
