NSX LB upgrade pre-check failed with message regarding "OpenSSL 3.0 compliance"


Article ID: 411282


Products

VMware NSX

Issue/Introduction

  • An LB upgrade pre-check output file is created on the NSX Manager (/var/log/upgrade-coordinator/lb-precheck-output.txt). It confirms that the default SSL profiles and the LB monitor profile are impacted:
LB pre-check will check whether the certificates, cipher suites or SSL protocols used in LB comply with OpenSSL 3.0.
Unsupported cipher suites in OpenSSL 3.0:
1) TLS_RSA_WITH_3DES_EDE_CBC_SHA
2) TLS_ECDH_* cipher suites
Unsupported SSL protocols in OpenSSL 3.0:
1) SSL_V3
2) TLS_V1_1
3) TLS_V1

===Category 1: Check Policy cipher suite/SSL protocol error===
The impacted LB objects are configured with only unsupported cipher suites/SSL protocols.

No LB objects are impacted.

===Category 2: Check Policy cipher suite/SSL protocol warning===
The impacted LB objects are configured with supported and unsupported cipher suites/SSL protocols.

==The LB HTTPS monitors with no SSL profile configured (by default TLS1.1 and TLS1.2) in Policy API==

/infra/lb-monitor-profiles/<Health-check-profile-name>
Configured in LB pools:
<Pool-name>:/infra/lb-pools/<pool-name>

===Category 3: Check MP cipher suite/SSL protocol error===
The impacted LB objects are configured with only unsupported cipher suites/SSL protocols.

No LB objects are impacted.

===Category 4: Check MP cipher suite/SSL protocol warning===
The impacted LB objects are configured with supported and unsupported cipher suites/SSL protocols.

==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/client-ssl-profiles ==

nsx-default-client-ssl-profile:<Client-SSL-profile-UUID>
Configured in LB virtual servers:
<Virtual-Server-Name>

==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/server-ssl-profiles ==

nsx-default-server-ssl-profile:<Server-SSL-profile-UUID>
Configured in LB virtual servers:
<Virtual-Server-Name>

===Category 5: Check Policy SSL certificate error===

No SSL certificate error is found in LB.

===Category 6: Check MP SSL certificate error===

No SSL certificate error is found in LB.

 

  • Further checks on the monitor and SSL profiles confirm that unsupported ciphers are not in use; however, TLS_V1_1 is present in each of the profiles.
=== The impacted LB_Monitor Profile ===
{
        "id": {
            "left": <Left_value>,
            "right": <Right_value>
        },
        "display_name": "myadtws-hc",
        "type": "HTTPS",
        "interval": 5,
        "timeout": 5,
        "rise_count": 3,
        "fall_count": 3,
        "monitor_port": "443",
        "https_monitor": {
            "request_method": "HTTP_METHOD_GET",
            "request_url": "/citrix/adtstore/discovery",
            "request_version": "HTTP_VERSION_1_1",
            "cipher": [
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA"
            ],
            "protocol": [
                "TLS_V1_1",
                "TLS_V1_2"
            ],
            "server_auth": "SERVER_AUTH_IGNORE",
            "authenticate_depth": 3,
            "response_code": [
                "200"
            ],
            "revision": 36
        }
}

==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/client-ssl-profiles ==

nsx-default-client-ssl-profile:<Client-SSL-profile-UUID>
Configured in LB virtual servers:
<VS-name:VS_UUID>

      {
        "_create_time": <create-time>,
        "_create_user": "system",
        "_last_modified_time": <last-modified-time>,
        "_last_modified_user": "system",
        "_protection": "NOT_PROTECTED",
        "_revision": 0,
        "_system_owned": true,
        "cipher_group_label": "CUSTOM",
        "ciphers": [
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
          "TLS_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_RSA_WITH_AES_128_CBC_SHA256",
          "TLS_RSA_WITH_AES_128_CBC_SHA"
        ],
        "display_name": "nsx-default-client-ssl-profile",
        "id": <client-SSL-profile-UUID>,
        "is_fips": true,
        "is_secure": true,
        "prefer_server_ciphers": true,
        "protocols": [
          "TLS_V1_1",
          "TLS_V1_2"
        ],
        "resource_type": "LbClientSslProfile",
        "session_cache_enabled": true,
        "session_cache_timeout": 300
      }


==The impacted LB SSL profiles in MP API /api/v1/loadbalancer/server-ssl-profiles ==

nsx-default-server-ssl-profile:<Server-SSL-profile-UUID>
Configured in LB virtual servers:
<VS-name:VS_UUID>

      {
        "_create_time": <create-time>,
        "_create_user": "system",
        "_last_modified_time": <last-modified-time>,
        "_last_modified_user": "system",
        "_protection": "NOT_PROTECTED",
        "_revision": 0,
        "_system_owned": true,
        "cipher_group_label": "CUSTOM",
        "ciphers": [
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
          "TLS_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_RSA_WITH_AES_128_CBC_SHA256",
          "TLS_RSA_WITH_AES_128_CBC_SHA"
        ],
        "display_name": "nsx-default-server-ssl-profile",
        "id": <server-ssl-profile-UUID>,
        "is_fips": true,
        "is_secure": true,
        "protocols": [
          "TLS_V1_1",
          "TLS_V1_2"
        ],
        "resource_type": "LbServerSslProfile",
        "session_cache_enabled": true
      }

 

  • Further verification can be done from the curl output against the impacted VS, which confirmed that no unsupported TLS version or ciphers were in use.
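
The classification the pre-check applies (error when only unsupported ciphers or protocols are configured, warning when supported and unsupported are mixed) can be reproduced offline against the profile JSON shown above. The script below is an added example, not part of this article or of the NSX pre-check tool; the unsupported lists and the TLS 1.1/1.2 default for monitors without an SSL profile are taken from the pre-check description on this page, and the sample profile is a constructed, trimmed copy of the server SSL profile above.

```python
import json

# Unsupported sets as listed in the pre-check description on this page.
UNSUPPORTED_CIPHERS = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
UNSUPPORTED_CIPHER_PREFIX = "TLS_ECDH_"  # static ECDH only; TLS_ECDHE_* stays supported
UNSUPPORTED_PROTOCOLS = {"SSL_V3", "TLS_V1_1", "TLS_V1"}
# An HTTPS monitor with no SSL profile uses TLS 1.1 and 1.2 (per this page).
DEFAULT_MONITOR_PROTOCOLS = ["TLS_V1_1", "TLS_V1_2"]


def is_unsupported_cipher(name):
    return name in UNSUPPORTED_CIPHERS or name.startswith(UNSUPPORTED_CIPHER_PREFIX)


def classify(ciphers, protocols):
    """'error' if every cipher or every protocol is unsupported (category 1/3),
    'warning' if supported and unsupported are mixed (category 2/4), else 'ok'."""
    bad_ciphers = [c for c in ciphers if is_unsupported_cipher(c)]
    bad_protocols = [p for p in protocols if p in UNSUPPORTED_PROTOCOLS]
    only_bad_c = bool(ciphers) and len(bad_ciphers) == len(ciphers)
    only_bad_p = bool(protocols) and len(bad_protocols) == len(protocols)
    if only_bad_c or only_bad_p:
        verdict = "error"
    elif bad_ciphers or bad_protocols:
        verdict = "warning"
    else:
        verdict = "ok"
    return verdict, bad_ciphers, bad_protocols


def check_profile(profile):
    """Handle both shapes shown on this page: an MP SSL profile (ciphers/protocols)
    and an LB monitor whose https_monitor block carries cipher/protocol."""
    body = profile.get("https_monitor", profile)
    ciphers = body.get("ciphers") or body.get("cipher") or []
    protocols = body.get("protocols") or body.get("protocol")
    if protocols is None and "https_monitor" in profile:
        protocols = DEFAULT_MONITOR_PROTOCOLS  # monitor with no SSL profile
    verdict, bad_c, bad_p = classify(ciphers, protocols or [])
    return {"name": profile.get("display_name"), "verdict": verdict,
            "unsupported_ciphers": bad_c, "unsupported_protocols": bad_p}


# Constructed sample: a trimmed copy of the server SSL profile shown above.
SAMPLE_SERVER_PROFILE = json.loads("""{
  "display_name": "nsx-default-server-ssl-profile",
  "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"],
  "protocols": ["TLS_V1_1", "TLS_V1_2"]
}""")

if __name__ == "__main__":
    print(json.dumps(check_profile(SAMPLE_SERVER_PROFILE), indent=2))
```

Feed it the JSON returned by the MP API endpoints named above or by the monitor profile and the verdict should match the category the pre-check file reports.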

 

Environment

  • VMware NSX

Cause

  • The pre-check warning is expected because the impacted SSL profiles contain TLS version 1.1 (unsupported) along with TLS version 1.2 (supported).

Resolution

  • Proceed with the NSX upgrade by acknowledging the LB pre-check warning.

Additional Information

Note: NSX 4.2 upgrades to OpenSSL 3.0 for security reasons, and only the TLS_V1_2 protocol is supported from NSX 4.2 onward.