VMware Cloud Community
babbtong
Contributor

vCenter SSLv3 disabled kb 2093354

Hello all,

About 2 months ago, I got the directive to disable SSLv3 on our servers. I was able to find kb2093354 in the VMware documentation center and followed those instructions to disable SSLv3 for both the web client and the thick client. I am now integrating VEEAM into our infrastructure, and it appears it communicates with vCenter via the VDDK. The current version of the VDDK that VEEAM uses is less than the 5.5.4 version, which only supports SSLv3. I noticed in our logs that hotadd is not working, and I get an SSLException error from the VixDiskLib with a failure to connect to <cs p:0000000001287bc0, TCP: vcenter hostname:443>. I was going to try to re-enable SSLv3 on the vCenter just to test and see if that's the culprit, but it appears that the KB was taken down. Does anybody know how to revert the changes? I remember that there were 2 files in the directory that needed to be configured; I was able to figure out that the web client on port 9443 was the tomcat-server.xml file, but I can't remember the one for the thick client/port 443?

4 Replies
babbtong
Contributor

I think I found it; it was c:\programdata\vmware\vmware virtualcenter\vpxd.cfg

There's a line <sslversion>tlsv1</sslversion>

Does anybody know what I should make it? I really should have made a backup of this file, d'oh!

babbtong
Contributor

Removing that line did the trick.

Ted_O_
Contributor

Do you remember what section of the vpxd.cfg and tomcat-server.xml files you updated? I have a requirement to disable SSLv3 myself and want to see if it works, but as you pointed out, the KB article was taken down. So in my case I want to add the setting, not remove it, but since you've done both I'm hoping you can help me out?

Thx!

babbtong
Contributor

I'll have to double-check, but in the vpxd.cfg file, under the <ssl> </ssl> section, add a line that I THINK says <sslEnabled> tlsv1 </sslEnabled>. I can't really remember if it was sslEnabled, sslProtocolEnabled, or something like that. I'll have to check and update this later; I won't be back in the office 'til Tuesday.

For the tomcat-server.xml file, it's just like a Tomcat file. So you add sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" to the file where you see the connector for the 9443 port.

EDIT: The correct line is <sslVersion>tlsv1</sslVersion>

Just be careful, you might find some unexpected behavior cropping up like we did. We were able to connect using the clients and everything just fine, but Veeam failed to hotadd until we enabled both sslv3 AND tlsv1.

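As an added example that is not from this thread or from VMware, the following Python script audits the two settings the posts describe: the `<sslVersion>` element under `<ssl>` in vpxd.cfg (port 443) and the `sslEnabledProtocols` attribute on the port-9443 Connector in tomcat-server.xml. The config fragments are constructed samples; the surrounding element layout and the exact root element names are assumptions, so the checks search by tag name rather than a fixed path.

```python
import xml.etree.ElementTree as ET

# Constructed sample: vpxd.cfg <ssl> section in the hardened form from the thread.
VPXD_CFG_HARDENED = """<config>
  <ssl>
    <sslVersion>tlsv1</sslVersion>
  </ssl>
</config>"""

# Constructed sample: the same section after the poster removed the line (SSLv3 negotiable again).
VPXD_CFG_REVERTED = """<config>
  <ssl>
  </ssl>
</config>"""

# Constructed sample: tomcat-server.xml fragment with the 9443 connector restricted to TLS.
TOMCAT_HARDENED = """<Server>
  <Service name="Catalina">
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"/>
  </Service>
</Server>"""


def vpxd_sslv3_allowed(cfg_text: str) -> bool:
    """True when vpxd.cfg has no <ssl><sslVersion> restriction, or the value still lists an SSL version.
    Tag matching is case-insensitive because the thread quotes both <sslversion> and <sslVersion>."""
    root = ET.fromstring(cfg_text)
    for ssl in (e for e in root.iter() if e.tag.lower() == "ssl"):
        for child in ssl:
            if child.tag.lower() == "sslversion":
                versions = [v.strip().lower() for v in (child.text or "").split(",") if v.strip()]
                # Restricted only if every listed version is a TLS version.
                return not versions or any(v.startswith("ssl") for v in versions)
    return True  # no restriction configured


def tomcat_sslv3_allowed(server_xml: str, port: str = "9443") -> bool:
    """True when the Connector on `port` has no sslEnabledProtocols attribute (the JRE default
    decides, so treat as not hardened) or lists an SSL version in it."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("port") == port:
            protos = conn.get("sslEnabledProtocols")
            if protos is None:
                return True
            return any(p.strip().upper().startswith("SSL") for p in protos.split(","))
    raise ValueError(f"no Connector on port {port}")
```

To audit a live host, read the two files from the paths the thread names and pass their contents to these functions; a result of True on either means SSLv3 is still negotiable on that port.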