Enabling support for SSLv3 in ESXi
Article ID: 327812

Products

VMware vSphere ESXi

Issue/Introduction

The SSLv3 support for ESXi 6.0 is disabled by default for all services and ports. You may encounter these errors due to lack of SSLv3 support on these ports:

CIM - Port 5989

The CIM server (sfcbd) stops accepting HTTPS connections and when you run a wbemcli query, you see the error similar to:

[root@galaxy ~]# wbemcli -noverify -cte -nl ei
https://user:[email protected]:5989/root/cimv2:CIM_NumericSensor
*
* wbemcli: Http Exception: SSL connect error
*
[root@galaxy ~]#


In the /var/log/syslog.log file, you see an entry similar to:

<yyyy-mm-dd>T <time>Z sfcb-CIMXML-Processor[nnnnnn]: *** 1920 Error accepting SSL connection -- exiting
SSL Error Stack:
SSL


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Authd - Port 902

Linked clone pool creation fails due to connection failure between ESXi 6.0 Update 1 and View Composer 6.1.1 with an error message similar to:

SSLv3 handshake was unsuccessful

See the Solution section to enable the required SSLv3 support to resolve these issues.


Resolution

Caution: These steps expose the security vulnerabilities with SSLv3. This issue is resolved in VMware View 6.2, available at VMware Downloads. For more information, see VMware Horizon 6 version 6.2 Release Notes.

Follow these steps to enable the SSLv3 protocol on the hostd service for ESXi 6.0 U1b and later.

By default SSLv3 is disabled, because the advanced setting /UserVars/VMAuthdDisabledProtocols lists sslv3. To enable SSLv3, clear that setting to an empty string with the commands below:

  1. Login to ESXi through SSH.
  2. Run the following command to get a list of disabled protocols for hostd:

    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols

    Path: /UserVars/VMAuthdDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:sslv3
    Default String Value: sslv3
    Valid Characters: *
    Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.

  3. If the String Value shows sslv3, SSLv3 is disabled. To enable it, run the following command, which clears the list of disabled protocols:

    esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s ""

  4. Restart the rhttpproxy services by running the following command:

    /etc/init.d/rhttpproxy restart

  5. Run the following command again to verify that the String Value is now empty, which means no protocol is disabled for hostd:

    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols

    Path: /UserVars/VMAuthdDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value: sslv3
    Valid Characters: *
    Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.

The SSLv3 support can be enabled for these ports and services:

  • CIM Port 5989
  • Authd Service Port 902

Enabling support for SSLv3 on CIM Port 5989 in ESXi

  1. Create a backup copy of the /etc/sfcb/sfcb.cfg file.

  2. Edit the /etc/sfcb/sfcb.cfg file to append the following line at the end of the file:

    enableSSLv3: true

    Note: If the file already contains the line enableSSLv3: false, change it to enableSSLv3: true.

    For example:

    cat /etc/sfcb/sfcb.cfg
    # Generated by sfcb-config.py. Do not modify this header.
    # VMware ESXi 6.0.0 build-3029758
    #
    basicAuthLib: sfcBasicPAMAuthentication
    certificateAuthLib: sfcCertificateAuthentication
    cimXmlFdHardLimit: 1024
    cimXmlFdSoftLimit: 512
    .
    .
    .
    threadStackSize: 524288
    useChunking: true
    sslCipherList: HIGH:!DES-CBC3-SHA!CAMELLIA128-SHA!CAMELLIA256-SHA
    enableSSLv3: true

  3. Restart the SFCBD service with the command:

    /etc/init.d/sfcbd-watchdog restart

Enabling support for SSLv3 on Authd service port 902 in ESXi

  1. Create a backup copy of the /etc/vmware/config file.
  2. Edit the /etc/vmware/config file to append the following line at the end of the file:

    vmauthd.ssl.noSSLv3 = "false"

    Note: If the file already contains the line vmauthd.ssl.noSSLv3 = "true", change it to vmauthd.ssl.noSSLv3 = "false".

    For example:

    cat /etc/vmware/config
    libdir = "/usr/lib/VMware"
    authd.proxy.nfc = "vmware-hostd:ha-nfc"
    authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
    authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
    authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
    authd.fullpath = "/sbin/authd"
    vmauthd.ssl.noSSLv3 = "false"

  3. Restart the rhttpproxy service with the command:

    /etc/init.d/rhttpproxy restart
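Because the Caution above applies, an administrator will want to know at a glance which of the three settings in this article still has SSLv3 enabled, and to re-check after the View 6.2 upgrade makes the workaround unnecessary. The following POSIX sh audit helper is an added example, not VMware's own code or part of this KB: it parses the esxcli output, the sfcb.cfg line and the /etc/vmware/config line exactly as shown above, using constructed samples built from the article's excerpts; the function names and the sample text are this example's own.

```shell
# Added audit helper, not part of the VMware KB: given the text produced by the
# checks in this article, report whether SSLv3 is enabled for each service.
# Each *_state function reads one input on stdin and prints "enabled" or "disabled".
# The samples are constructed from the article's excerpts, not captured from a host.
# Output of: esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols
SAMPLE_ESXCLI_DEFAULT='Path: /UserVars/VMAuthdDisabledProtocols
Type: string
String Value:sslv3
Default String Value: sslv3'
SAMPLE_ESXCLI_CLEARED='Path: /UserVars/VMAuthdDisabledProtocols
Type: string
String Value:
Default String Value: sslv3'
# Tail of /etc/sfcb/sfcb.cfg after step 2 of the CIM procedure
SAMPLE_SFCB='useChunking: true
sslCipherList: HIGH:!DES-CBC3-SHA!CAMELLIA128-SHA!CAMELLIA256-SHA
enableSSLv3: true'
# Tail of /etc/vmware/config after step 2 of the Authd procedure
SAMPLE_VMWARE_CONFIG='authd.fullpath = "/sbin/authd"
vmauthd.ssl.noSSLv3 = "false"'
# Only the "String Value:" line matters; "Default String Value" always says sslv3
# and an empty list means every protocol, SSLv3 included, is enabled.
authd_sslv3_state() {
    if grep -i '^ *String Value:' | grep -iq 'sslv3'; then echo disabled; else echo enabled; fi
}

# sfcb.cfg: SSLv3 is on only if the last enableSSLv3 line says true (absent = disabled).
sfcb_sslv3_state() {
    val=$(grep -i '^ *enableSSLv3 *:' | tail -n 1 | sed 's/.*: *//' | tr '[:upper:]' '[:lower:]')
    [ "$val" = true ] && echo enabled || echo disabled
}

# /etc/vmware/config: SSLv3 is on only if vmauthd.ssl.noSSLv3 is "false" (absent = disabled).
vmware_config_sslv3_state() {
    val=$(grep -i '^ *vmauthd\.ssl\.noSSLv3 *=' | tail -n 1 | sed 's/.*= *//; s/"//g; s/ *$//' | tr '[:upper:]' '[:lower:]')
    [ "$val" = false ] && echo enabled || echo disabled
}

# Print a one-line report; exit status 0 only when SSLv3 is disabled everywhere,
# so the function can drive a monitoring check once the workaround is no longer needed.
audit_sslv3() {
    a=$(printf '%s\n' "$1" | authd_sslv3_state)
    c=$(printf '%s\n' "$2" | sfcb_sslv3_state)
    v=$(printf '%s\n' "$3" | vmware_config_sslv3_state)
    echo "VMAuthdDisabledProtocols: SSLv3 $a; sfcb.cfg: SSLv3 $c; /etc/vmware/config: SSLv3 $v"
    [ "$a" = disabled ] && [ "$c" = disabled ] && [ "$v" = disabled ]
}
```

On a host you would feed the live data instead of the samples: `audit_sslv3 "$(esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols)" "$(cat /etc/sfcb/sfcb.cfg)" "$(cat /etc/vmware/config)"`.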

Additional Information

For the related Veeam Knowledge Base article, see http://www.veeam.com/kb2063.