SSLv3 support in ESXi 6.0 is disabled by default for all services and ports. You may encounter the following errors because these ports no longer accept SSLv3:
CIM - Port 5989
The CIM server (sfcbd) stops accepting HTTPS connections and, when you run a wbemcli query, you see an error similar to:
[root@galaxy ~]# wbemcli -noverify -cte -nl ei
https://user:[email protected]:5989/root/cimv2:CIM_NumericSensor
*
* wbemcli: Http Exception: SSL connect error
*
[root@galaxy ~]#
In the /var/log/syslog.log file, you see an entry similar to:
<yyyy-mm-dd>T<time>Z sfcb-CIMXML-Processor[nnnnnn]: *** 1920 Error accepting SSL connection -- exiting
SSL Error Stack:
SSL
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Authd - Port 902
Linked clone pool creation fails due to a connection failure between ESXi 6.0 Update 1 and View Composer 6.1.1, with an error message similar to:
SSLv3 handshake was unsuccessful
See the Solution section to enable the required SSLv3 support to resolve these issues.
VMware Horizon View
Caution: These steps expose the security vulnerabilities with SSLv3. This issue is resolved in VMware View 6.2.
Follow these steps to enable the SSLv3 protocol for the hostd service on ESXi 6.0 U1b and later.
By default, SSLv3 is disabled. To enable it, set the option to an empty string using the commands below:
1. Log in to ESXi through SSH.
2. Run the following command to get a list of disabled protocols for hostd:
esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols
Path: /UserVars/VMAuthdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:sslv3
Default String Value: sslv3
Valid Characters: *
Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
3. If SSLv3 is listed as disabled, enable it by running the following command:
esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s ""
4. Restart the rhttpproxy service by running the following command:
/etc/init.d/rhttpproxy restart
5. Run the following command again to confirm the list of disabled protocols for hostd (it is now empty, so SSLv3 is enabled):
esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols
Path: /UserVars/VMAuthdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:
Default String Value: sslv3
Valid Characters: *
Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
The SSLv3 support can be enabled for these ports and services:
CIM Port 5989
Authd Service Port 902
Enabling support for SSLv3 on CIM Port 5989 in ESXi
1. Create a backup copy of the /etc/sfcb/sfcb.cfg file.
2. Edit the /etc/sfcb/sfcb.cfg file to append the following line at the end of the file:
enableSSLv3: true
Note: If you have the line enableSSLv3: false in the file, change it to enableSSLv3: true.
For Example:
cat /etc/sfcb/sfcb.cfg
# Generated by sfcb-config.py. Do not modify this header.
# VMware ESXi 6.0.0 build-3029758
#
basicAuthLib: sfcBasicPAMAuthentication
certificateAuthLib: sfcCertificateAuthentication
cimXmlFdHardLimit: 1024
cimXmlFdSoftLimit: 512
.
.
.
threadStackSize: 524288
useChunking: true
sslCipherList: HIGH:!DES-CBC3-SHA!CAMELLIA128-SHA!CAMELLIA256-SHA
enableSSLv3: true
3. Restart the SFCBD service with the command:
/etc/init.d/sfcbd-watchdog restart
Enabling support for SSLv3 on the Authd service (port 902) in ESXi
1. Create a backup copy of the /etc/vmware/config file.
2. Edit the /etc/vmware/config file to append the following line at the end of the file:
vmauthd.ssl.noSSLv3 = "false"
Note: If you have the line vmauthd.ssl.noSSLv3 = "true" in the file, change it to vmauthd.ssl.noSSLv3 = "false"
For Example:
cat /etc/vmware/config
libdir = "/usr/lib/VMware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/sbin/authd"
vmauthd.ssl.noSSLv3 = "false"
3. Restart the rhttpproxy service with the command:
/etc/init.d/rhttpproxy restart
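Because every one of the three changes above (the VMAuthdDisabledProtocols option, enableSSLv3 in sfcb.cfg, and vmauthd.ssl.noSSLv3 in /etc/vmware/config) re-enables a broken protocol, it is worth being able to audit a host for them, for example before rolling the workaround back once View 6.2 is in place. The script below is an added example, not part of the VMware KB article; it reads saved config text and saved esxcli output (constructed samples here) rather than calling esxcli, so it runs offline, and its function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the VMware KB): audit the three SSLv3 knobs the article
# changes, from saved text so it runs offline. On a host, pass /etc/sfcb/sfcb.cfg,
# /etc/vmware/config and a file holding the output of
#   esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '[:space:]'; }

# CIM port 5989: SSLv3 is on only if the last enableSSLv3 line says true;
# an absent key keeps the default (disabled).
sfcb_sslv3_enabled() {
    v=$(grep -i '^enableSSLv3:' "$1" | tail -n 1 | sed 's/^[^:]*://')
    [ "$(lower "$v")" = "true" ]
}

# authd port 902 (config file): vmauthd.ssl.noSSLv3 = "false" turns SSLv3 on;
# an absent key or "true" leaves it disabled.
vmauthd_config_sslv3_enabled() {
    v=$(grep -i '^vmauthd\.ssl\.noSSLv3' "$1" | tail -n 1 | sed 's/^[^=]*=//; s/"//g')
    [ "$(lower "$v")" = "false" ]
}

# authd (advanced option): SSLv3 is on unless "String Value:" still lists sslv3.
# "Default String Value:" is skipped because it does not start with "String".
vmauthd_option_sslv3_enabled() {
    v=$(grep '^[[:space:]]*String Value:' "$1" | head -n 1 | sed 's/^[^:]*://')
    case ",$(lower "$v")," in *,sslv3,*) return 1 ;; *) return 0 ;; esac
}

# Constructed sample inputs (not captured from a real host).
TMP=$(mktemp -d)
SFCB_ON="$TMP/sfcb.cfg";      printf 'useChunking: true\nenableSSLv3: true\n' > "$SFCB_ON"
SFCB_OFF="$TMP/sfcb_off.cfg"; printf 'useChunking: true\n' > "$SFCB_OFF"
VMW_ON="$TMP/config";         printf 'authd.fullpath = "/sbin/authd"\nvmauthd.ssl.noSSLv3 = "false"\n' > "$VMW_ON"
VMW_OFF="$TMP/config_off";    printf 'vmauthd.ssl.noSSLv3 = "true"\n' > "$VMW_OFF"
OPT_ON="$TMP/opt_on.txt";     printf '   String Value:\n   Default String Value: sslv3\n' > "$OPT_ON"
OPT_OFF="$TMP/opt_off.txt";   printf '   String Value:sslv3\n   Default String Value: sslv3\n' > "$OPT_OFF"

# One verdict line per service: sfcb.cfg, /etc/vmware/config, saved esxcli output.
audit_sslv3() {
    sfcb_sslv3_enabled "$1"           && echo "CIM 5989: SSLv3 ENABLED"           || echo "CIM 5989: SSLv3 disabled"
    vmauthd_config_sslv3_enabled "$2" && echo "authd 902 (config): SSLv3 ENABLED" || echo "authd 902 (config): SSLv3 disabled"
    vmauthd_option_sslv3_enabled "$3" && echo "authd (VMAuthdDisabledProtocols): SSLv3 ENABLED" || echo "authd (VMAuthdDisabledProtocols): SSLv3 disabled"
}

audit_sslv3 "$SFCB_ON" "$VMW_ON" "$OPT_ON"
```

A host that has followed all three procedures above prints ENABLED on every line; a host still at the ESXi 6.0 defaults prints disabled on every line.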