Deploying an OVF to vSphere from Artifactory fails due to mismatched ciphers

Article ID: 317098

Updated On:

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

Symptoms:
Deploying OVFs to vSphere (ESXi) can fail due to mismatched ciphers.
  • This can occur when deploying from various sources (Terraform/Ansible/API) to vSphere when using Artifactory as a source.
  • The error seen in the logs will be similar to:
com.vmware.vsphere.client.provisioning.ovf.OvfSessionError: Transfer failed: Server not trusted: Received fatal alert: handshake_failure.


Environment

VMware ESXi 6.7.x
VMware vCenter Server 6.7.x

Cause

Newer versions of Artifactory may offer a different set of ciphers for SSL communication. Content Library maintains a list of approved ciphers, and the handshake succeeds only if the target supports at least one of them. For example, this is the list of approved ciphers in vCenter 6.7 p01:
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
"TLS_DH_RSA_WITH_AES_256_CBC_SHA"
"TLS_DH_DSS_WITH_AES_256_CBC_SHA"
"TLS_RSA_WITH_AES_256_CBC_SHA"
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
"TLS_RSA_WITH_AES_128_CBC_SHA"
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
"TLS_DH_RSA_WITH_AES_128_CBC_SHA"
"TLS_DH_DSS_WITH_AES_128_CBC_SHA"
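
The check below is an added example, not VMware or JFrog code: it pulls IANA cipher suite names out of any text describing what the Artifactory endpoint offers (TLS scanner output or a server cipher setting) and reports which of the approved suites listed above are present. The function names and both sample inputs are constructed for illustration.

```python
import re

# Approved suites for vCenter 6.7 p01, copied from the list in this article.
APPROVED = """
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DH_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA
""".split()

# Matches whole IANA-style names, so CBC_SHA384 is never read as CBC_SHA.
SUITE_RE = re.compile(r"\bTLS_[A-Z0-9_]+\b")

def offered_suites(text):
    """IANA suite names found in the text, de-duplicated, first-seen order."""
    return list(dict.fromkeys(SUITE_RE.findall(text)))

def usable_suites(text):
    """Approved suites the server also offers, in the article's list order."""
    offered = set(offered_suites(text))
    return [s for s in APPROVED if s in offered]

def diagnose(text):
    usable = usable_suites(text)
    if usable:
        return "OK: handshake can use " + ", ".join(usable)
    return "MISMATCH: no approved suite offered; expect handshake_failure"

# Constructed sample: a server that offers none of the approved suites.
SAMPLE_MODERN_ONLY = """
TLSv1.2:
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
"""

# Constructed sample: the same server with two approved suites enabled.
SAMPLE_WITH_APPROVED = SAMPLE_MODERN_ONLY + """
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_MODERN_ONLY))
    print(diagnose(SAMPLE_WITH_APPROVED))
```

An empty result for the Artifactory endpoint matches the handshake_failure symptom described in this article.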

Resolution

To resolve this issue, configure Artifactory to use one of the supported ciphers, or upgrade to a version of vSphere that contains compatible ciphers. For more information on default ciphers in vSphere 7.0, click HERE.