Weak SSL protocols disabled after upgrade

Article ID: 336890

Products

VMware vSphere ESXi

Issue/Introduction

After an upgrade, ESXi turns off (disables) weak SSL protocols. Existing third-party applications that have not been updated to use strong SSL protocols then fail to connect, because the protocol they offer is no longer among the configured SSL protocols.

  • ESXi provides Web Based Management (WBEM) services.
  • The sfcbd process provides the DMTF-standard CIM-XML protocol API for third-party applications.
  • sfcbd opens a configurable TCP port to the network; the default port number is 5989.
  • Port 5989 uses Secure Sockets Layer (SSL) security.
  • SSL contains a number of different protocols and ciphers to ensure secure, encrypted communication.
  • From time to time SSL protocols become weak and are judged to no longer provide acceptably secure communication.
  • After upgrading ESXi to release, third-party management CIM/WS-Man systems fail to connect to ESXi.
  • In the /var/log/syslog.log file, you see entries similar to:

    sfcb-CIMXML-Processor: Error accepting SSL connection
    sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
    sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number

Environment

7.x & 8.x.

Cause

  • When a client process connects to TCP port 5989, SSL negotiates which protocol to use. The candidate protocols are sslv3, tls1.0, tls1.1 and tls1.2.
  • All of these except TLS 1.2 are considered weak. Third-party applications that have not been updated may keep offering only weak SSL protocols and therefore fail to connect to the ESXi WBEM services.

Resolution

To resolve this issue, VMware strongly advises upgrading third-party applications so that they use TLS 1.2.

Note: If you upgrade an ESXi host that still has the MD5 configuration to the latest release, the MD5 configuration is removed and you need to update/regenerate your v3 users. For more information, see ESXi upgrade operation will trigger a VOB stating "Upgrade detected a weak crypto protocol (MD5)".

Additional Information

To see the configured state of the WBEM services, from the ESXi Shell:

    # esxcli system wbem get
    WbemAgentConfig:
       Authorization Model: password
       CIM Object Manager PID: 0
       Enabled: false
       Enabled SSL Protocols:                  <<< -- nothing configured in sfcb.cfg; removed on upgrade for SFCB itself
       Enabled System SSL Protocols: tls12     <<< -- system setting for all VMware web-based services
       Log level: warning
       Port: 5989
       Service Location Protocol PID: 0
       WS-Management PID: 0
       WS-Management Service: true

If weak SSL protocols are still required, they can be enabled from the command line:

    # esxcli system wbem set --protocols sslv3,tls1,tls11
    # esxcli system wbem get
    WbemAgentConfig:
       Authorization Model: password
       CIM Object Manager PID: 0
       Enabled: false
       Enabled SSL Protocols: sslv3, tls1, tls11, tls12   <<<== only tcp/5989 now has weak SSL protocols
       Enabled System SSL Protocols: tls12
       Log level: warning
       Port: 5989
       Service Location Protocol PID: 0
       WS-Management PID: 0
       WS-Management Service: true
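The following is an added example, not VMware code and not part of this article: a small audit script that parses the text printed by `esxcli system wbem get` (in the shape shown above) and flags whether tcp/5989 still offers any of the weak protocols named in the Cause section, and that counts the sfcb-CIMXML-Processor handshake errors from the syslog.log excerpt in the Issue section. The sample `esxcli` output and syslog lines are constructed for the example. It assumes that when sfcbd's own "Enabled SSL Protocols" value is empty, the "Enabled System SSL Protocols" value applies to tcp/5989; that inference follows from the annotations above but is not stated verbatim by the article.

```python
"""Post-upgrade check of ESXi WBEM (sfcbd) TLS settings. Added example, not VMware code."""
import re

# Protocol names as they appear in `esxcli system wbem get` output
WEAK_PROTOCOLS = {"sslv3", "tls1", "tls11"}
STRONG_PROTOCOLS = {"tls12"}


def parse_wbem_get(output):
    """Turn the 'Key: value' lines of `esxcli system wbem get` into a dict.
    Trailing '<<<' annotations, as used in the article, are stripped from values."""
    config = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):  # skip blanks and the 'WbemAgentConfig:' header
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        config[key.strip()] = value.split("<<", 1)[0].strip()
    return config


def enabled_protocols(config):
    """Protocols sfcbd will offer on its port, and which setting they came from.
    Assumption: an empty per-service list means the system-wide list applies."""
    own = config.get("Enabled SSL Protocols", "")
    source = "Enabled SSL Protocols"
    if not own:
        own = config.get("Enabled System SSL Protocols", "")
        source = "Enabled System SSL Protocols"
    protocols = [p.strip().lower() for p in own.split(",") if p.strip()]
    return protocols, source


def assess(config):
    """Report weak protocols still enabled on the WBEM port; 'ok' means only TLS 1.2."""
    protocols, source = enabled_protocols(config)
    weak = sorted(p for p in protocols if p in WEAK_PROTOCOLS)
    unknown = sorted(p for p in protocols if p not in WEAK_PROTOCOLS | STRONG_PROTOCOLS)
    return {
        "port": config.get("Port", ""),
        "source": source,
        "protocols": protocols,
        "weak_enabled": weak,
        "unknown": unknown,
        "ok": not weak,
    }


# Matches the two syslog.log error shapes quoted in the article
SFCB_SSL_ERROR = re.compile(
    r"sfcb-CIMXML-Processor\s*:\s*(?:Error accepting SSL connection"
    r"|SSL routines:(?P<routine>[A-Z0-9_]+):wrong version number)"
)


def count_handshake_failures(syslog_text):
    """Count sfcbd SSL accept errors per OpenSSL routine. 'wrong version number'
    is the signature of a client offering a protocol the server no longer allows."""
    counts = {}
    for line in syslog_text.splitlines():
        m = SFCB_SSL_ERROR.search(line)
        if not m:
            continue
        key = m.group("routine") or "accept_error"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: post-upgrade output, sfcbd's own list empty, tls12 system-wide
SAMPLE_WBEM_GET = """\
WbemAgentConfig:
   Authorization Model: password
   CIM Object Manager PID: 0
   Enabled: false
   Enabled SSL Protocols: <<< -- nothing configured in sfcb.cfg
   Enabled System SSL Protocols: tls12
   Log level: warning
   Port: 5989
   Service Location Protocol PID: 0
   WS-Management PID: 0
   WS-Management Service: true
"""

# Constructed sample: after `esxcli system wbem set --protocols sslv3,tls1,tls11`
SAMPLE_WBEM_GET_WEAK = SAMPLE_WBEM_GET.replace(
    "Enabled SSL Protocols: <<< -- nothing configured in sfcb.cfg",
    "Enabled SSL Protocols: sslv3, tls1, tls11, tls12",
)

# Constructed syslog excerpt in the shape quoted in the article (not a real capture)
SAMPLE_SYSLOG = """\
sfcb-CIMXML-Processor: Error accepting SSL connection
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
hostd: unrelated line
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
"""

if __name__ == "__main__":
    for label, text in (("post-upgrade", SAMPLE_WBEM_GET), ("weak re-enabled", SAMPLE_WBEM_GET_WEAK)):
        r = assess(parse_wbem_get(text))
        verdict = "OK" if r["ok"] else "WEAK: " + ", ".join(r["weak_enabled"])
        print(f"{label}: tcp/{r['port']} offers {r['protocols']} (from '{r['source']}') -> {verdict}")
    print("handshake failures by routine:", count_handshake_failures(SAMPLE_SYSLOG))
```

On a live host the `esxcli system wbem get` output would be captured and fed to `parse_wbem_get`; a non-empty `weak_enabled` list after the `wbem set` workaround is the condition to track until the third-party client has been upgraded to TLS 1.2, at which point the weak protocols can be removed again. A rising `SSL3_GET_CLIENT_HELLO` count with only tls12 enabled points at clients that still need that upgrade.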