ESXi provides Web Based Management (WBEM) services. The sfcbd process provides the DMTF standard CIM-XML management protocol API for third-party applications. sfcbd opens a configurable TCP port to the network; the default port number is 5989.
Port 5989 uses Secure Sockets Layer (SSL) security. SSL comprises a number of different protocols and ciphers to ensure secure, encrypted communication. The protocols that SFCB supports in 6.0.x and 6.5.x are sslv3, tls1, tls1.1 and tls1.2. From time to time SSL protocols become weak and are judged to no longer provide acceptably secure communication.
Alternatively, third-party applications that have not been updated will fail to connect because of the configured SSL protocols.
Symptoms:
SSL vulnerability scan tools show SSL protocols on TCP port 5989 that the operator does not deem safe.
The operator finds that their management software cannot connect to sfcb.
Errors from sfcbd in /var/log/syslog display messages from the syslog identity "sfcb-CIMXML-Processor" such as:
sfcb-CIMXML-Processor : Error accepting SSL connection
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
sfcb-CIMXML-Processor SSL Error 1: Code 336027900, String: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
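
An added example (not part of the original article) of log triage for the symptoms above: it keeps only lines from the sfcb-CIMXML-Processor identity whose reason is one of the protocol-mismatch strings quoted above, and checks that the decimal error code agrees with the hex error string. The sample input is constructed from the quoted messages, the function names are hypothetical, and the field layout assumes OpenSSL 1.0.x error-code packing.

```python
import re
from collections import Counter

# Constructed sample: the four messages quoted above plus one unrelated line.
SAMPLE = """\
sfcb-CIMXML-Processor : Error accepting SSL connection
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
sfcb-CIMXML-Processor SSL Error 1: Code 336027900, String: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
hostd : constructed unrelated line mentioning wrong version number
"""

IDENTITY = "sfcb-CIMXML-Processor"
# Reason strings that appear in the messages quoted on this page.
MISMATCH_REASONS = ("wrong version number", "unknown protocol")
ROUTINE = re.compile(r"SSL routines:([A-Z0-9_]+):([a-z ]+)")
CODE = re.compile(r"Code (\d+), String: error:([0-9A-Fa-f]{8}):")


def decode_err(code):
    """Split a packed error code into (library, function, reason).
    Assumes the OpenSSL 1.0.x layout: 8 bits, 12 bits, 12 bits."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(text):
    """Return protocol-mismatch findings logged by the sfcb CIM-XML identity."""
    findings = []
    for line in text.splitlines():
        if IDENTITY not in line:
            continue  # ignore other syslog identities
        m = ROUTINE.search(line)
        if not m or m.group(2).strip() not in MISMATCH_REASONS:
            continue  # e.g. the generic "Error accepting SSL connection" line
        item = {"routine": m.group(1), "reason": m.group(2).strip(), "code": None}
        c = CODE.search(line)
        if c:
            dec = int(c.group(1))
            # The decimal code and the hex in the error string must agree.
            item["code"] = decode_err(dec) if dec == int(c.group(2), 16) else "mismatch"
        findings.append(item)
    return findings


def summary(text):
    """Count findings per reason, to see which failure dominates."""
    return Counter(f["reason"] for f in triage(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```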