Disabling SSLv3 protocol for VMware Authentication Proxy - Port 51915


Article ID: 336040


Updated On:

Products

VMware vCenter Server

Issue/Introduction

VMware Authentication Proxy hosts its service on IIS (TCP port 51915). IIS takes its TLS/SSL configuration from the Windows Schannel provider, and on a default installation Schannel can still negotiate the insecure SSLv3 protocol with connecting clients (the ESXi hosts).

See the Resolution section for steps to disable SSLv3 and enable TLS 1.1 and TLS 1.2 in Schannel.


Environment

VMware vCenter Server 6.0.x

Resolution

The Schannel registry configuration is used to disable SSL 3.0 and weak ciphers for IIS. Note that these keys are machine-wide: they apply to every Schannel client and server on that Windows host, not only to IIS on port 51915.

Follow the steps below to disable the insecure protocol used by IIS:

  1. On the server where the VMware Authentication Proxy is installed, open the Registry Editor as an administrator.
  2. Navigate to the following key in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
  3. In the navigation tree, right-click Protocols and click New > Key.
  4. Enter SSL 3.0 as the key name.
  5. Right-click SSL 3.0 and click New > Key to create a subkey under SSL 3.0.
  6. Name the subkey Client.
  7. Repeat step 5 to create a second subkey under SSL 3.0 and name it Server.
  8. Right-click the Client key and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault and enter 1 as the value data.
    • Click OK.
  9. Right-click the Server key and select New > DWORD (32-bit) Value.

    • Enter Enabled as the value name.
    • Double-click Enabled and enter 0 as the value data.
    • Click OK.

  10. Restart the server. Schannel reads these keys only at startup, so the change has no effect until the reboot.

Note on the two values: Enabled = 0 is the hard switch and prevents the protocol from being used at all on that side. DisabledByDefault = 1 only stops the protocol from being offered by default; an application that explicitly requests SSL 3.0 in its Schannel credentials can still negotiate it. For an unconditional result, set both Enabled = 0 and DisabledByDefault = 1 under both the Client and the Server subkey (the semantics of both values are described in the Microsoft article linked below). Before disabling SSL 3.0, confirm that the ESXi hosts that join through the proxy can negotiate one of the protocols you leave enabled.

To enable protocols such as TLS 1.1 and TLS 1.2, create Client and Server subkeys under the corresponding protocol key in the same way, and under each of them add the DWORD (32-bit) values Enabled = 1 and DisabledByDefault = 0, as in the TLS 1.1 example below. Repeat with a TLS 1.2 key to enable TLS 1.2. Bear in mind that TLS 1.1 has since been deprecated (RFC 8996), so prefer TLS 1.2 wherever the ESXi hosts support it.

  • SCHANNEL\Protocols\TLS 1.1\Client
    • DWORD "Enabled" = 1
    • DWORD "DisabledByDefault" = 0
  • SCHANNEL\Protocols\TLS 1.1\Server
    • DWORD "Enabled" = 1
    • DWORD "DisabledByDefault" = 0

For more information on disabling other protocols and cipher suites, refer to https://support.microsoft.com/en-us/kb/245030
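The following PowerShell script is an added example and is not part of this article or of the VMware product; it applies the same Schannel registry settings as the manual steps above (SSL 3.0 off, TLS 1.1 and TLS 1.2 on), writing both Enabled and DisabledByDefault under both the Client and Server subkeys, and then reads the configuration back so it can be reviewed before the reboot. The function names Set-SchannelProtocol and Get-SchannelProtocolState are this example's own. Run it from an elevated PowerShell session on the Authentication Proxy server, then restart the server.

```powershell
# Added example (not from the VMware KB article): configures Schannel protocol
# keys with PowerShell instead of regedit. Requires an elevated session.
# Schannel reads these keys only at boot, so reboot after running it.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Creates <Protocol>\Client and <Protocol>\Server if they are missing and
    # writes the two DWORDs Schannel consults: Enabled and DisabledByDefault.
    # Enabled=1 / DisabledByDefault=0 turns the protocol on for that side;
    # Enabled=0 / DisabledByDefault=1 turns it off unconditionally.
    param(
        [Parameter(Mandatory)] [string] $Protocol,   # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory)] [bool]   $Enable
    )
    $EnabledValue           = [int] $Enable          # $true -> 1, $false -> 0
    $DisabledByDefaultValue = [int] (-not $Enable)   # the inverse of Enabled

    foreach ($Side in 'Client', 'Server') {
        $Key = Join-Path (Join-Path $SchannelProtocols $Protocol) $Side
        if (-not (Test-Path $Key)) {
            # -Force creates the intermediate protocol key as well
            New-Item -Path $Key -Force | Out-Null
        }
        New-ItemProperty -Path $Key -Name 'Enabled' -PropertyType DWord `
            -Value $EnabledValue -Force | Out-Null
        New-ItemProperty -Path $Key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value $DisabledByDefaultValue -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Reads back the configured values for one protocol so the change can be
    # checked before rebooting. An absent key or value means the OS default applies.
    param([Parameter(Mandatory)] [string] $Protocol)
    foreach ($Side in 'Client', 'Server') {
        $Key = Join-Path (Join-Path $SchannelProtocols $Protocol) $Side
        $Enabled           = '(absent: OS default)'
        $DisabledByDefault = '(absent: OS default)'
        if (Test-Path $Key) {
            $Values = Get-ItemProperty -Path $Key
            if ($null -ne $Values.Enabled)           { $Enabled           = $Values.Enabled }
            if ($null -ne $Values.DisabledByDefault) { $DisabledByDefault = $Values.DisabledByDefault }
        }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $Side
            Enabled           = $Enabled
            DisabledByDefault = $DisabledByDefault
        }
    }
}

# Disable SSL 3.0 on both sides; enable TLS 1.1 and TLS 1.2 as the article describes.
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

# Review what was written before rebooting.
'SSL 3.0', 'TLS 1.1', 'TLS 1.2' |
    ForEach-Object { Get-SchannelProtocolState -Protocol $_ } |
    Format-Table -AutoSize

Write-Host 'Schannel protocol settings written. Restart the server for them to take effect.'
```

The same Set-SchannelProtocol call can be used for other protocol keys Schannel understands (for example 'SSL 2.0' or 'TLS 1.0'); the key names must match those listed in the Microsoft article above exactly. After the reboot, confirm the result from another machine with a TLS scanner pointed at port 51915 (for example nmap's ssl-enum-ciphers script): SSLv3 should no longer be offered and TLS 1.2 should be.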
