Invoking SDDC Manager APIs fails from Windows 2012 client due to CBC Ciphers deprecated in VCF 4.2.1 release


Article ID: 336408


Products

VMware Cloud Foundation

Issue/Introduction

This article describes the steps to add support for CBC ciphers in SDDC Manager.


Symptoms:

If the client uses the Windows cipher suites, calls to the VCF public API can fail with an error similar to the following:
The request was aborted: Could not create SSL/TLS secure channel.


Environment

VMware Cloud Foundation 4.2

Cause

CBC ciphers were removed in VCF 4.2 to keep up with the latest security guidelines.

Resolution

Resolution yet to be confirmed.

Workaround:

Follow the steps below to add support for CBC ciphers in nginx.conf on the SDDC Manager appliance.

1. SSH to SDDC Manager.
2. Log in to the root account of SDDC Manager by running su -
3. Run the shell script below:

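#!/bin/bash

set -e

# Editing /etc/nginx/nginx.conf and reloading nginx requires root.
if [ "$EUID" -ne 0 ]
  then echo "Please run as root"
  exit 1
fi

echo "Enabling RSA CBC ciphers for HTTPS connections"
# Keep a copy of the current configuration before changing it.
cp -p /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
# Rewrite every ssl_ciphers directive. The list ends with the two ECDHE-RSA CBC suites
# (AES256-SHA384 and AES128-SHA256).
sed -i "s/ssl_ciphers.*/ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';/" /etc/nginx/nginx.conf
echo "Reloading required services"

systemctl reload nginx
echo "Success"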
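
An added example (not part of the original article or the script above): a shell check that reads nginx configuration text and lists the CBC-mode suites in its ssl_ciphers directives, so the effect of the workaround can be verified. It assumes explicit OpenSSL suite names as used in the script; the function names and the sample server block are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which suites in nginx ssl_ciphers directives are CBC-mode.

# Print every suite named in active (uncommented) ssl_ciphers directives,
# one per line, de-duplicated. Reads nginx configuration text on stdin.
list_suites() {
    sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]\{1,\}['\"]\{0,1\}\([^'\";]*\).*/\1/p" \
        | tr ':' '\n' | sed '/^$/d' | sort -u
}

# Print only the CBC-mode suites. Assumption: entries are explicit OpenSSL
# suite names, where a block-cipher suite with no AEAD marker (GCM, CCM,
# CHACHA20) uses CBC. Operators such as !aNULL or @STRENGTH are skipped.
# Prints nothing when no CBC suite is configured.
cbc_suites() {
    list_suites | grep -v '^[!@+-]' | grep -Ev 'GCM|CCM|CHACHA20' || true
}

# Constructed sample: a minimal server block holding the cipher list from the
# workaround script. It is not a copy of the appliance's real nginx.conf.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    # ssl_ciphers 'ECDHE-RSA-AES128-SHA';
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
}
EOF
}

# Demonstration on the constructed sample.
sample_conf | cbc_suites
```

On the appliance, run `cbc_suites < /etc/nginx/nginx.conf`; the same check against /etc/nginx/nginx.conf.bak shows the list as it was before the script changed it.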

