VMware Cloud Community
PatrickChia
Contributor

Disabling SSLv2 and SSLv3 for ESXi 4.0, 4.1, 5.1 and 5.5

Hi,

I'm new to this forum. Can anyone help me with this? I need to know where to get patches or updates for ESXi 4.0, 4.1, 5.1 and 5.5 for disabling SSLv2 and SSLv3.

If there are no updates available for old versions like ESXi 4.0 and 4.1, can you kindly show me how to disable SSLv2 and SSLv3 via the command line using the root account? Thanks a lot.

4 Replies
RyanH84
Expert

Hi,

For all the information you need about addressing the SSLv3 issues of recent months, take a look at the VMware KB article on POODLE.

The main points are under the resolution, which states that you should disable SSLv3 capability in your browser. This will not affect VMware products as they support TLS.

-----
Regards, Ryan
vExpert, VCP5, VCAP5-DCA, MCITP, VCE-CIAE, NPP4 @vRyanH http://vRyan.co.uk
aprosnik
Contributor

SSLv3 is coming up in internal scans when being audited by IT firms.  It doesn't matter if the "fix" is to use a browser that doesn't use SSLv3, the problem is that these hosts are showing up like bright red flares on audit reports that get sent to boards of directors and, in regulated industries, the parent regulatory body.  That has real consequences for the business.

Here's some info that may actually help others:  ESXi 5.5 - Disable SSL3 : vmware

The trick is to try and find a config that will disable as many of the bad ciphers as possible while still working with VMWare's own tools.  I found the same config in ESXi 4.1 in /etc/vmware/hostd/config.xml

I don't know why this information is so hard to get on public forums.  People throw up VMWare's "It's not our problem!" KBs as a "solution" and the only ones who lose out are the customers.

aprosnik
Contributor

Ok, so I did this in the location mentioned in the thread I linked:

<useCompression>false</useCompression>

<cipherList>TLSv1.2:+HIGH:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL</cipherList>

The hosts are running:

VMWare ESXi 4.1.0 build 1682698

/etc/vmware/hostd # esxupdate query
------Bulletin ID------- -----Installed----- -------------------Summary--------------------
hpq-esxi4.1uX-bundle-1.1 2011-03-31T11:26:48 HP ESXi 4.1 Bundle 1.1
hp-nmi-driver-1.2.02     2011-03-31T11:27:30 HP NMI Sourcing Driver for VMware ESX/ESXi 4.1
ESXi410-Update01         2012-12-26T09:04:57 VMware ESXi 4.1 Complete Update 1
ESXi410-Update02         2012-12-26T09:06:53 VMware ESXi 4.1 Complete Update 2
ESXi410-Update03         2012-12-26T09:06:53 VMware ESXi 4.1 Complete Update 3
ESXi410-201312402-BG     2014-02-04T21:11:52 Updates VMware Tools
ESXi410-201404401-SG     2014-06-23T22:06:45 Updates Firmware

vSphere Client 4.1.0 Build 799345

vCenter Server Appliance 5.5.0.30100 Build 3154314

vSphere Web Client Version 5.5.0 Build 3154316

So far I am able to connect everything just fine.  I have to get a test run to see if the cipherList actually did anything.  Perhaps all the components are still running because the config.xml edits didn't do anything.  I'll post back if this actually did something.

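The post above edits hostd's config.xml by hand and then cannot tell whether the cipherList took effect. As an added example that is not part of this thread or of any VMware tool, here is a small audit script that parses such a config.xml and flags settings a POODLE/CRIME audit would report: the element names match the quoted edit, the surrounding `<config><ssl>` wrapper and both sample files are constructed for illustration, and the cipher-string keywords are standard OpenSSL ones.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the hostd config.xml edit quoted in the thread
# (the enclosing <config><ssl> elements are assumed for the example).
SAMPLE_HARDENED = """<config>
  <ssl>
    <useCompression>false</useCompression>
    <cipherList>TLSv1.2:+HIGH:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL</cipherList>
  </ssl>
</config>"""

# Constructed weak counterpart: legacy suites and TLS compression left enabled.
SAMPLE_WEAK = """<config>
  <ssl>
    <useCompression>true</useCompression>
    <cipherList>ALL:SSLv3:!aNULL</cipherList>
  </ssl>
</config>"""

# OpenSSL cipher-string keywords that a hardened list must exclude with "!".
MUST_EXCLUDE = ("aNULL", "eNULL", "LOW", "EXP")
# Keywords that pull legacy or weak suites back in unless explicitly excluded.
RISKY = ("SSLv2", "SSLv3", "RC4", "DES", "MD5", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT")


def audit_hostd_ssl(config_xml: str) -> list:
    """Return a list of findings for the SSL settings in a hostd config.xml string."""
    findings = []
    root = ET.fromstring(config_xml)
    comp = root.find(".//useCompression")
    if comp is None or (comp.text or "").strip().lower() != "false":
        findings.append("useCompression is not false (TLS compression, CRIME)")
    cl = root.find(".//cipherList")
    if cl is None or not (cl.text or "").strip():
        return findings + ["no cipherList set; hostd falls back to its default suites"]
    # Split the OpenSSL cipher string into keywords; "!" excludes, "+"/"-" reorder.
    tokens = [t for t in re.split(r"[:, ]+", cl.text.strip()) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    enabled = {t.lstrip("+-") for t in tokens if not t.startswith("!")}
    for kw in MUST_EXCLUDE:
        if kw not in excluded:
            findings.append(f"{kw} is not excluded (add !{kw})")
    for kw in RISKY:
        if kw in enabled and kw not in excluded:
            findings.append(f"{kw} keyword enables legacy or weak suites")
    return findings
```

The cipherList only restricts cipher suites; whether hostd still accepts an SSLv3 handshake on port 443 has to be confirmed with a scanner or `openssl s_client -ssl3` from a test box after restarting the management agents.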
Jitu211003
Hot Shot

Hi,

I saw your reply. I am facing the same issue.

I have a request to enable TLS 1.2 on my ESXi 5.0 and vCenter Server 5.0.

How do I do that in a safe way? Please guide.

Thanks

Jitendra
