Enabling and disabling SSLv3 in VMware NSX Edge SSL VPN Services version 6.1.4 and later

Article ID: 336456


Products

VMware NSX

Issue/Introduction

This article describes how to enable and disable SSLv3 in NSX Edge SSL VPN Services. In VMware NSX for vSphere 6.1.4 and later, you can disable SSLv3 in NSX Edge SSL VPN to help address the SSLv3/POODLE vulnerability in NSX. For more information, see VMware Products and CVE-2014-3566 (POODLE) (2092133).

Environment

VMware NSX for vSphere 6.1.x

Resolution

Note: VMware NSX for vSphere 6.1.4 includes updates that address the POODLE vulnerability in NSX components not covered in this article. VMware strongly recommends upgrading to NSX 6.1.4 or later. For more information, see the NSX 6.1.4 Release Notes.

Disable SSLv3 Support on NSX Edge SSL VPN Services:

To disable SSLv3 support in NSX Edge SSL VPN in your environment, use the sslVersionList parameter in the following API call to deny SSLv3 (and to allow the desired SSL versions) on each NSX Edge.
 
API Method:
 
PUT https://<nsxmgr-ip>/api/4.0/edges/<edge-id>/sslvpn/config/server/
 
Example request body:
 
In this example, we enable TLSv1, TLSv1_2, and TLSv1_1, and we disable SSLv3 by omitting it from the sslVersionList:
 
<serverSettings>
<serverAddresses>
<ipAddress>x.x.x.x</ipAddress>
</serverAddresses>
<port>443</port>
<sslVersionList>
<version>TLSv1</version>
<version>TLSv1_2</version>
<version>TLSv1_1</version>
</sslVersionList>
<cipherList>
<cipher>RC4-MD5</cipher>
<cipher>AES128-SHA</cipher>
<cipher>AES256-SHA</cipher>
<cipher>DES-CBC3-SHA</cipher>
</cipherList>
</serverSettings>
 
If the sslVersionList parameter is blank, all SSL versions, including SSLv3, are allowed.
 

Enable SSLv3 Support on NSX Edge SSL VPN Services:

To re-enable SSLv3 support in NSX Edge SSL VPN, use the sslVersionList parameter in the following API call to allow SSLv3 and other desired encryption protocols on each NSX Edge.
 
API Method:
 
PUT https://<nsxmgr-ip>/api/4.0/edges/<edge-id>/sslvpn/config/server/
 
Example request body:
 
In this example, we enable SSLv3, TLSv1, TLSv1_2, and TLSv1_1:
 
<serverSettings>
<serverAddresses>
<ipAddress>x.x.x.x</ipAddress>
</serverAddresses>
<port>443</port>
<sslVersionList>
<version>SSLv3</version>
<version>TLSv1</version>
<version>TLSv1_2</version>
<version>TLSv1_1</version>
</sslVersionList>
<cipherList>
<cipher>RC4-MD5</cipher>
<cipher>AES128-SHA</cipher>
<cipher>AES256-SHA</cipher>
<cipher>DES-CBC3-SHA</cipher>
</cipherList>
</serverSettings>
 
If the sslVersionList parameter is blank, all SSL versions, including SSLv3, are allowed.
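The following script is an added example, not VMware's code, covering both procedures above: it audits a serverSettings request body for SSLv3 (treating a blank sslVersionList as "all versions allowed", as the article states), rewrites the body so that SSLv3 is omitted while the TLS versions from the article's example stay listed, and assembles the PUT request for the API method shown, without sending it. The sample body, the placeholder manager address 192.0.2.10 and the edge ID edge-1 are constructed for this example; the function names and the Content-Type header are assumptions, and credentials must be added by the caller.

```python
"""Audit and rewrite an NSX Edge SSL VPN <serverSettings> body (added example).

Assumes only the XML shape shown in the article:
serverSettings / sslVersionList / version and cipherList / cipher.
"""
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample body: the article's "enable SSLv3" example, with x.x.x.x kept as a placeholder.
SAMPLE_BODY = """<serverSettings>
<serverAddresses>
<ipAddress>x.x.x.x</ipAddress>
</serverAddresses>
<port>443</port>
<sslVersionList>
<version>SSLv3</version>
<version>TLSv1</version>
<version>TLSv1_2</version>
<version>TLSv1_1</version>
</sslVersionList>
<cipherList>
<cipher>RC4-MD5</cipher>
<cipher>AES128-SHA</cipher>
<cipher>AES256-SHA</cipher>
<cipher>DES-CBC3-SHA</cipher>
</cipherList>
</serverSettings>"""

# Versions written into an otherwise empty list, taken from the article's "disable SSLv3" example.
TLS_ONLY = ("TLSv1", "TLSv1_1", "TLSv1_2")


def enabled_versions(body):
    """Return the <version> entries of sslVersionList, in document order."""
    root = ET.fromstring(body)
    return [v.text.strip() for v in root.findall("./sslVersionList/version") if v.text]


def sslv3_allowed(body):
    """True if the Edge would accept SSLv3: listed explicitly, or list blank/absent (all versions)."""
    versions = enabled_versions(body)
    return not versions or "SSLv3" in versions


def without_sslv3(body):
    """Return a copy of the body with SSLv3 removed from sslVersionList.

    If the list would end up empty, it is populated explicitly, because a blank
    list re-enables every version, including SSLv3.
    """
    root = ET.fromstring(body)
    version_list = root.find("./sslVersionList")
    if version_list is None:
        version_list = ET.SubElement(root, "sslVersionList")
    for entry in list(version_list):
        if entry.tag == "version" and (entry.text or "").strip() == "SSLv3":
            version_list.remove(entry)
    if len(version_list) == 0:
        for name in TLS_ONLY:
            ET.SubElement(version_list, "version").text = name
    return ET.tostring(root, encoding="unicode")


def build_put_request(nsxmgr_ip, edge_id, body):
    """Assemble (but do not send) the PUT from the article's API method.

    Authentication headers are deliberately left to the caller.
    """
    url = f"https://{nsxmgr_ip}/api/4.0/edges/{edge_id}/sslvpn/config/server/"
    return urllib.request.Request(
        url,
        data=body.encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/xml"},  # assumed header
    )


if __name__ == "__main__":
    print("SSLv3 allowed in sample:", sslv3_allowed(SAMPLE_BODY))
    hardened = without_sslv3(SAMPLE_BODY)
    print("Versions after rewrite:", enabled_versions(hardened))
    req = build_put_request("192.0.2.10", "edge-1", hardened)
    print(req.get_method(), req.full_url)
```

Run the audit against the body you retrieve from each Edge before issuing the PUT; the blank-list case is the one most easily missed, since an empty sslVersionList looks restrictive but allows everything.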