TLSv1 and SSLv3 support in NSX-V 6.2.4 and NSX-V 6.3.x

Article ID: 339138

Products

VMware NSX

Issue/Introduction

Symptoms:

  • After upgrading to NSX 6.2.4 or later, client connections to an Edge Services Gateway running the Load Balancer service fail to establish when the client uses TLSv1 or SSLv3.
  • SSL health monitor pool member status shows as DOWN.
  • Running the command show service loadbalancer pool on the Edge, you see entries similar to:
    > show service loadbalancer pool

    Loadbalancer Pool Statistics:
    LB METHOD ip-hash
    | LB PROTOCOL L7
    | Transparent disabled
    | SESSION (cur, max, total) = (0, 56, 5748)
    | BYTES in = (63571), out = (153004)
    +->POOL MEMBER: vRA_Appliances_Pool/vRA_App_1, STATUS: DOWN
    | | HEALTH MONITOR = MONITOR SERVICE, vRA:CRITICAL
    | | | LAST STATE CHANGE: 2016-10-01 10:38:27
    | | | LAST CHECK: 2016-10-01 10:59:54
    | | | FAILURE DETAIL: CRITICAL - Cannot make SSL connection.
    | | SESSION (cur, max, total) = (0, 28, 28)
    | | BYTES in = (31490), out = (83264)
    +->POOL MEMBER: vRA_Appliances_Pool/vRA_App_2, STATUS: DOWN
    | | HEALTH MONITOR = MONITOR SERVICE, vRA:CRITICAL
    | | | LAST STATE CHANGE: 2016-10-01 10:38:28
    | | | LAST CHECK: 2016-10-01 10:59:54
    | | | FAILURE DETAIL: CRITICAL - Cannot make SSL connection.
    | | SESSION (cur, max, total) = (0, 28, 28)
    | | BYTES in = (31265), out = (69740)

Note: The SSL/TLS versions and ciphers a pool member supports can be checked with nmap: "nmap --script ssl-cert,ssl-enum-ciphers -p <port> <Service_IP>"

Environment

VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x

Cause

Starting with NSX for vSphere 6.2.4, TLSv1 and SSLv3 support is deprecated on Edge Services Gateways.

Resolution

To force the SSL handshake to use TLSv1 or SSLv3, create an application rule that enables TLSv1/SSLv3 with the script "tlsv1 enable":
  • Navigate to Network & Security > NSX Edges > Edge-xxx > Manage > Load Balancer > Virtual Servers.
  • Create the application rule with "tlsv1 enable" in the Script field.
  • Apply the rule to the virtual server.
To make HTTPS monitors work with TLSv1/SSLv3, add extensions specifying the exact version and cipher:
  • Navigate to Load Balancer > Service Monitoring.
  • Edit the HTTPS monitor and add the extension lines:

    ssl-version=3
    ciphers="ECDHE-RSA-AES256-GCM-SHA384"

Note: The ssl-version values are:
    ssl-version=3   Force SSL handshake using SSLv3
    ssl-version=10  Force SSL handshake using TLS 1.0
    ssl-version=11  Force SSL handshake using TLS 1.1
    ssl-version=12  Force SSL handshake using TLS 1.2
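
Before pinning a legacy protocol in the monitor, it helps to know which versions a pool member actually accepts. The following Python script is an added example, not VMware's code or part of this article: it handshakes with a member once per protocol version, reports the negotiated cipher, and prints the ssl-version/ciphers extension lines for the newest version that worked. It assumes a reachable member address and port given on the command line and a local OpenSSL that still permits TLS 1.0/1.1 at security level 0; SSLv3 cannot be probed by a modern Python ssl module, so only its mapping value (3) is included.

```python
import socket
import ssl
import sys

# NSX-V health monitor "ssl-version" values from the note in this article.
NSX_SSL_VERSION = {"SSLv3": 3, "TLSv1": 10, "TLSv1.1": 11, "TLSv1.2": 12}

# Versions this probe can try; the local OpenSSL decides which are really available.
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_version(host, port, name, timeout=5.0):
    """Handshake with the member using exactly one protocol version.
    Returns the negotiated cipher name on success, None if refused or unreachable."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # checking protocol support, not the certificate
        ctx.set_ciphers("ALL:@SECLEVEL=0")       # let OpenSSL offer legacy ciphers to old stacks
        ctx.minimum_version = PROBE_VERSIONS[name]
        ctx.maximum_version = PROBE_VERSIONS[name]
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (OSError, ValueError):               # ssl.SSLError is an OSError subclass
        return None


def probe_member(host, port, timeout=5.0):
    """Try every version in PROBE_VERSIONS; returns {version: cipher or None}."""
    return {name: probe_version(host, port, name, timeout) for name in PROBE_VERSIONS}


def monitor_extension(results):
    """Turn probe results into the monitor extension lines. The newest accepted
    version wins, so a legacy protocol is only pinned when nothing better works."""
    for name in ("TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"):
        cipher = results.get(name)
        if cipher:
            return ["ssl-version=%d" % NSX_SSL_VERSION[name], 'ciphers="%s"' % cipher]
    return None


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. python probe.py 10.0.0.5 443 (hypothetical member)
    res = probe_member(host, port)
    for name, cipher in res.items():
        print("%-8s %s" % (name, cipher or "refused"))
    ext = monitor_extension(res)
    print("\n".join(ext) if ext else "no probed version accepted; check the member with nmap ssl-enum-ciphers")
```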
Additional Information