Error: "Unsupported cipher suites in OpenSSL 3.0:" after failed LB upgrade pre-check

Article ID: 411282

Products

VMware NSX

Issue/Introduction

  • The LB upgrade pre-check output file /var/log/upgrade-coordinator/lb-precheck-output.txt displays the following:
    LB pre-check will check whether the certificates, cipher suites or SSL protocols used in LB comply with OpenSSL 3.0.
    Unsupported cipher suites in OpenSSL 3.0:
    ...
    2) TLS_ECDH_* cipher suites
    Unsupported SSL protocols in OpenSSL 3.0:
  • The LB upgrade pre-check output file /var/log/upgrade-coordinator/lb-precheck-output.txt displays the following warnings:
    ===Category 2: Check Policy cipher suite/SSL protocol warning===
    The impacted LB objects are configured with supported and unsupported cipher suites/SSL protocols.
    
    ==The LB HTTPS monitors with no SSL profile configured (by default TLS1.1 and TLS1.2) in Policy API==
    /infra/lb-monitor-profiles/<Health-check-profile-name>
    Configured in LB pools:
    <Pool-name>:/infra/lb-pools/<pool-name>

    OR

    ===Category 2: Check Policy cipher suite/SSL protocol warning===
    The impacted LB objects are configured with supported and unsupported cipher suites/SSL protocols.
    
    ==The LB HTTPS monitors with no SSL profile configured (by default TLS1.1 and TLS1.2) in Policy API==
    /infra/lb-monitor-profiles/vrops_monitor
    Configured in LB pools:
    vrops_pool:/infra/lbpools/vrops-pool

    OR

    ===Category 4: Check MP cipher suite/SSL protocol warning===
    The impacted LB objects are configured with supported and unsupported cipher suites/SSL protocols.
    
    ==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/client-ssl-profiles ==
    nsx-default-client-ssl-profile:<Client-SSL-profile-UUID>
    Configured in LB virtual servers:
    <Virtual-Server-Name>
    
    ==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/server-ssl-profiles ==
    nsx-default-server-ssl-profile:<Server-SSL-profile-UUID>
    Configured in LB virtual servers:
    <Virtual-Server-Name>
  • There is an LB upgrade pre-check output file created inside the NSX Manager (
  • This confirms that the default SSL profiles and the LB monitor profile are impacted.
  • Further checks on the monitor and SSL profiles confirm that no unsupported ciphers are in use; however, TLS 1.1 (TLS_V1_1) is present in each of the profiles.

    === The impacted LB_Monitor Profile ===
    {
            "id": {
                "left": <Left_value>,
                "right": <Right_value>
            },
            "display_name": "myadtws-hc",
            "type": "HTTPS",
            "interval": 5,
            "timeout": 5,
            "rise_count": 3,
            "fall_count": 3,
            "monitor_port": "443",
            "https_monitor": {
                "request_method": "HTTP_METHOD_GET",
                "request_url": "/citrix/adtstore/discovery",
                "request_version": "HTTP_VERSION_1_1",
                "cipher": [
                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
                    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                    "TLS_RSA_WITH_AES_128_GCM_SHA256",
                    "TLS_RSA_WITH_AES_128_CBC_SHA256",
                    "TLS_RSA_WITH_AES_128_CBC_SHA"
                ],
                "protocol": [
                    "TLS_V1_1",
                    "TLS_V1_2"
                ],
                "server_auth": "SERVER_AUTH_IGNORE",
                "authenticate_depth": 3,
                "response_code": [
                    "200"
                ],
                "revision": 36
            }
    }
    
    ==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/client-ssl-profiles ==
    
    nsx-default-client-ssl-profile:<Client-SSL-profile-UUID>
    Configured in LB virtual servers:
    <VS-name:VS_UUID>
    
    
          {
            "_create_time": <create-time>,
            "_create_user": "system",
            "_last_modified_time": <last-modified-time>,
            "_last_modified_user": "system",
            "_protection": "NOT_PROTECTED",
            "_revision": 0,
            "_system_owned": true,
            "cipher_group_label": "CUSTOM",
            "ciphers": [
              "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
              "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
              "TLS_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_RSA_WITH_AES_128_CBC_SHA256",
              "TLS_RSA_WITH_AES_128_CBC_SHA"
            ],
            "display_name": "nsx-default-client-ssl-profile",
            "id": <client-SSL-profile-UUID>,
            "is_fips": true,
            "is_secure": true,
            "prefer_server_ciphers": true,
            "protocols": [
              "TLS_V1_1",
              "TLS_V1_2"
            ],
            "resource_type": "LbClientSslProfile",
            "session_cache_enabled": true,
            "session_cache_timeout": 300
          }
        ]
    
    
    ==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/server-ssl-profiles ==
    
    nsx-default-server-ssl-profile:<Server-SSL-profile-UUID>
    Configured in LB virtual servers:
    <VS-name:VS_UUID>
    
          {
            "_create_time": <create-time>,
            "_create_user": "system",
            "_last_modified_time": <last-modified-time>,
            "_last_modified_user": "system",
            "_protection": "NOT_PROTECTED",
            "_revision": 0,
            "_system_owned": true,
            "cipher_group_label": "CUSTOM",
            "ciphers": [
              "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
              "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
              "TLS_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_RSA_WITH_AES_128_CBC_SHA256",
              "TLS_RSA_WITH_AES_128_CBC_SHA"
            ],
            "display_name": "nsx-default-server-ssl-profile",
            "id": <server-ssl-profile-UUID>,
            "is_fips": true,
            "is_secure": true,
            "protocols": [
              "TLS_V1_1",
              "TLS_V1_2"
            ],
            "resource_type": "LbServerSslProfile",
            "session_cache_enabled": true
          }
        ]
      },
  • Further verification was done using curl output against the impacted VS, which confirmed that no unsupported TLS version or ciphers were in use.

 

Environment

  • 4.x, 4.1, 4.2

Cause

  • NSX 4.2 moves to OpenSSL 3.0 for security reasons. Only TLS_V1_2 is supported.
  • The pre-check warning is expected because the impacted SSL profiles contain TLS version 1.1 (unsupported) along with TLS version 1.2 (supported).
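
The following Python script is an added example, not NSX's own pre-check code. It applies the two rules the article quotes (TLS_ECDH_* cipher suites are unsupported in OpenSSL 3.0; only TLS_V1_2 is a supported protocol) to LB SSL profiles and HTTPS monitor profiles exported as JSON, reports the mixed supported/unsupported case as a warning exactly as Category 2 and Category 4 do, and shows the configuration change (dropping TLS_V1_1) that would clear the warning. The sample profiles are constructed, not copied from the article, and treating a profile with nothing supported left as an "error" is an assumption; the page only shows the mixed case. Item 1 of the pre-check's unsupported-cipher list is elided on the page, so the cipher rule here covers only the TLS_ECDH_* item that is visible.

```python
"""Added example (not NSX pre-check code): classify NSX LB SSL / HTTPS monitor
profiles against the OpenSSL 3.0 rules quoted in the KB article."""
import copy
import re
from typing import Dict, List, Tuple

# From the pre-check output: TLS_ECDH_* (static ECDH) suites are unsupported.
# "TLS_ECDHE_..." does not match this prefix, so ephemeral ECDH stays allowed.
UNSUPPORTED_CIPHER_PATTERNS = [re.compile(r"^TLS_ECDH_")]
# From the Cause section: only TLS_V1_2 is supported after the move to OpenSSL 3.0.
SUPPORTED_PROTOCOLS = {"TLS_V1_2"}


def cipher_supported(name: str) -> bool:
    """True unless the suite matches a pattern the pre-check flags."""
    return not any(p.match(name) for p in UNSUPPORTED_CIPHER_PATTERNS)


def protocol_supported(name: str) -> bool:
    return name in SUPPORTED_PROTOCOLS


def _lists(profile: Dict) -> Tuple[List[str], List[str]]:
    """Handle both layouts on the page: SSL profiles carry 'ciphers'/'protocols',
    HTTPS monitors nest 'cipher'/'protocol' under 'https_monitor'."""
    if "https_monitor" in profile:
        mon = profile["https_monitor"]
        return list(mon.get("cipher", [])), list(mon.get("protocol", []))
    return list(profile.get("ciphers", [])), list(profile.get("protocols", []))


def classify_profile(profile: Dict) -> Dict:
    """Return the finding the pre-check would raise for one profile."""
    ciphers, protocols = _lists(profile)
    bad_ciphers = [c for c in ciphers if not cipher_supported(c)]
    bad_protocols = [p for p in protocols if not protocol_supported(p)]
    good_ciphers = [c for c in ciphers if cipher_supported(c)]
    good_protocols = [p for p in protocols if protocol_supported(p)]
    if not bad_ciphers and not bad_protocols:
        status = "ok"
    elif good_ciphers and good_protocols:
        # Supported and unsupported entries side by side: the Category 2/4 warning.
        status = "warning"
    else:
        # Assumption: nothing usable would remain after upgrade, so report an error.
        status = "error"
    return {"name": profile.get("display_name", "?"), "status": status,
            "unsupported_ciphers": bad_ciphers,
            "unsupported_protocols": bad_protocols}


def harden_profile(profile: Dict) -> Dict:
    """Copy of the profile with every unsupported cipher/protocol removed.
    For the profiles in the article this just drops TLS_V1_1."""
    fixed = copy.deepcopy(profile)
    nested = "https_monitor" in fixed
    target = fixed["https_monitor"] if nested else fixed
    ck, pk = ("cipher", "protocol") if nested else ("ciphers", "protocols")
    target[ck] = [c for c in target.get(ck, []) if cipher_supported(c)]
    target[pk] = [p for p in target.get(pk, []) if protocol_supported(p)]
    return fixed


# Constructed samples shaped like the objects quoted in the article.
MONITOR_PROFILE = {
    "display_name": "example-hc", "type": "HTTPS",
    "https_monitor": {
        "cipher": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                   "TLS_RSA_WITH_AES_128_CBC_SHA"],
        "protocol": ["TLS_V1_1", "TLS_V1_2"],
    },
}
CLIENT_SSL_PROFILE = {
    "display_name": "example-client-ssl-profile",
    "resource_type": "LbClientSslProfile",
    "ciphers": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"],
    "protocols": ["TLS_V1_2"],
}
LEGACY_PROFILE = {  # constructed: every entry is unsupported
    "display_name": "legacy-static-ecdh",
    "ciphers": ["TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"],
    "protocols": ["TLS_V1_1"],
}

if __name__ == "__main__":
    for prof in (MONITOR_PROFILE, CLIENT_SSL_PROFILE, LEGACY_PROFILE):
        print(classify_profile(prof))
    print("after hardening:", classify_profile(harden_profile(MONITOR_PROFILE)))
```

Run against a real export, the script reads profile JSON pulled from /api/v1/loadbalancer/client-ssl-profiles, /api/v1/loadbalancer/server-ssl-profiles or the Policy monitor profiles; a "warning" with TLS_V1_1 as the only unsupported entry is the situation this article describes, and harden_profile shows the change that would make the profile clean if you prefer to remove TLS 1.1 rather than acknowledge the warning.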

Resolution

  • Proceed with the NSX upgrade by acknowledging the LB pre-check warning.

Additional Information