How to remediate NSX load balancer upgrade pre-check failing with message regarding OpenSSL 3.0 compliance

Article ID: 368005

Updated On:

Products

VMware NSX

Issue/Introduction

You see a message similar to the following from the load balancer upgrade pre-checks:

"Found data inconsistencies: There are unsupported certificates, SSL cipher suites or protocols found in LB objects. They are not in compliance with OpenSSL 3.0 starting from NSX version 4.2."

Environment

NSX 4.2

Cause

NSX 4.2 upgrades to OpenSSL 3.0 for security reasons. OpenSSL 3.0 (by default, security level 1 with FIPS on) has stricter requirements for the cipher suites, SSL protocols, and certificates used in SSL connections.

OpenSSL 3.0 validates:

  1. Certificate:
    1. Certificates with a 1024-bit key size are no longer supported.
    2. SHA1 and MD5 certificates are not allowed.
  2. Cipher suite:
    1. 3DES cipher suites are not supported.
    2. ECDH- cipher suites are not supported.
  3. SSL protocol:
    1. The SSLv3, TLS1.1, and TLS1.0 protocols are not supported.
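
The rules listed above can be applied to an inventory of load balancer settings before running the pre-check. The following is an added example, not code from VMware or from the attached document; the dictionary layout, field names, and the cipher, protocol, and certificate values are constructed assumptions, so compare the spellings with what your NSX manager actually returns. It flags only what the list above names, which is why ECDHE suites are not flagged by the "ECDH-" rule.

```python
import re

# Rules come from the list above; field names and sample values are constructed.
BAD_PROTOCOLS = {("SSL", "3", "0"), ("TLS", "1", "0"), ("TLS", "1", "1")}
PROTO_RE = re.compile(r"^(SSL|TLS)[_ ]?V?[_ ]?(\d)(?:[._](\d))?$", re.I)
STATIC_ECDH_RE = re.compile(r"^(TLS_)?ECDH[-_]", re.I)  # does not match ECDHE

def check_protocol(name):
    m = PROTO_RE.match(name.strip())
    if not m:
        return f"protocol {name}: unrecognized name, review manually"
    key = (m.group(1).upper(), m.group(2), m.group(3) or "0")
    return f"protocol {name}: not supported" if key in BAD_PROTOCOLS else None

def check_cipher(name):
    n = name.upper()
    if "3DES" in n or "DES-CBC3" in n:  # DES-CBC3 is OpenSSL's 3DES spelling
        return f"cipher {name}: 3DES"
    if STATIC_ECDH_RE.match(n):
        return f"cipher {name}: ECDH- suite"
    return None

def check_cert(cert):
    out = []
    # The page names 1024; smaller RSA keys are treated the same (assumption).
    if cert["key_type"] == "RSA" and cert["key_bits"] <= 1024:
        out.append(f"cert {cert['name']}: {cert['key_bits']}-bit key")
    sig = cert["sig_alg"].lower()
    if "sha1" in sig or "md5" in sig:
        out.append(f"cert {cert['name']}: {cert['sig_alg']} signature")
    return out

def audit(lb_object):
    findings = [check_protocol(p) for p in lb_object.get("protocols", [])]
    findings += [check_cipher(c) for c in lb_object.get("ciphers", [])]
    for cert in lb_object.get("certificates", []):
        findings += check_cert(cert)
    return [f for f in findings if f]

# Constructed sample, not exported from a real NSX manager.
SAMPLE = {
    "protocols": ["TLS_V1_1", "TLS_V1_2"],
    "ciphers": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDH-RSA-AES128-SHA"],
    "certificates": [
        {"name": "old-vip", "key_type": "RSA", "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption"},
        {"name": "new-vip", "key_type": "RSA", "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
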

Resolution

In case of an upgrade pre-check warning or error, the attached document provides detailed instructions needed to update your NSX configuration and pass the NSX upgrade pre-check.

Attachments

NSX OpenSSL Upgrade – NSX LB impact.pdf