"ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error when accessing vCloud Director

Article ID: 328531


Products

VMware

Issue/Introduction

Symptoms:
  • When accessing vCloud Director 9.7 using the fully qualified domain name (FQDN) you encounter the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  • Accessing vCloud Director with IP address works successfully
  • Within the cell-runtime.log on the vCloud Director cell you see the following handshake error:
2019-04-04 00:22:49,029 | DEBUG    | pool-jetty-13             | HttpEngineStartupAction        | handshake failed | javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)

 


Cause

This issue occurs because the SSL certificate keystore on the vCloud Director cell is shared by the HTTPS engine and PostgreSQL.
As a result, the cell can no longer process HTTPS requests addressed to the FQDN, due to additional security measures applied by the Server Name Indication (SNI) extension of the TLS protocol.
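
To confirm that a handshake failure depends on SNI, as the symptoms and cause above describe, the following Python diagnostic (an added example, not VMware code) performs the same handshake against a cell with and without the SNI extension. The function names, the diagnosis strings and the command-line arguments are assumptions of this example.

```python
"""Added diagnostic: compare a TLS handshake with and without SNI."""
import socket
import ssl
import sys


def probe(address, port, sni_name, timeout=5.0):
    """Handshake with `address`; send SNI only if sni_name is set.

    Returns (ok, detail): negotiated protocol and cipher, or the error text.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate checks are off so that only handshake negotiation is
    # measured; a name mismatch on the no-SNI probe must not mask the result.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return False, f"{type(exc).__name__}: {exc}"


def classify(with_sni_ok, without_sni_ok):
    """Map the two probe outcomes to a diagnosis (wording is this example's)."""
    if with_sni_ok and without_sni_ok:
        return "handshake succeeds either way"
    if without_sni_ok:
        return "fails only with SNI: matches the symptom in this article"
    if with_sni_ok:
        return "fails only without SNI: different problem"
    return "fails either way: check reachability, protocol and cipher settings"


def diagnose(address, port, fqdn):
    """Probe the same address twice: once sending `fqdn` as SNI, once without."""
    with_sni = probe(address, port, fqdn)
    without_sni = probe(address, port, None)
    return classify(with_sni[0], without_sni[0]), with_sni, without_sni


if __name__ == "__main__" and len(sys.argv) == 4:
    # Arguments (assumed by this example): <cell IP> <port> <FQDN>
    verdict, with_sni, without_sni = diagnose(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print("with SNI   :", with_sni)
    print("without SNI:", without_sni)
    print("diagnosis  :", verdict)
```

Both probes connect to the same IP address, so the only difference between them is whether the ClientHello carries the server name.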

Resolution

This is a known issue with vCloud Director 9.7 GA.
This issue is resolved in 9.7.0.1 and later releases of vCloud Director.
vCloud Director 9.7.0.1 and later releases are available via VMware Downloads.

Workaround:
To work around this issue, it is recommended to deploy a load balancer in front of the VCD cell(s) and configure SSL termination to occur on the load balancer. Because SSL termination occurs on the load balancer, the issue doesn't occur, as the IP address is used to communicate with the cells in the back end.