VMware Cloud Community
veemsis
Contributor

Do ESXi 5.5 U3 and vCenter 5.5 support TLS 1.2?

Hello all,

I have been searching for a few hours, and I know that TLS works on 5.5, but I cannot find any information on the TLS version. Do you know if ESXi 5.5 U3 (3343343) and vCenter 5.5 support TLS version 1.1 or 1.2?

I appreciate any help

Thanks

7 Replies
vThinkBeyondVM
VMware Employee

Please refer to this: VMware ESXi 5.5 Update 3b Release Notes

VMware vCenter Server 5.5 Update 3b Release Notes

I will come back with some more details on TLS for the build number you specified.


----------------------------------------------------------------
Thanks & Regards
Vikas, VCP70, MCTS on AD, SCJP6.0, VCF, vSphere with Tanzu specialist.
https://vThinkBeyondVM.com/about
-----------------------------------------------------------------
Disclaimer: Any views or opinions expressed here are strictly my own. I am solely responsible for all content published here. Content published here is not read, reviewed or approved in advance by VMware and does not necessarily represent or reflect the views or opinions of VMware.

Dev09
Enthusiast

TLS 1.1/1.2 are not supported by ESX 5.5 U3 and vCenter 5.5.

veemsis
Contributor

At least one of them must be according to documentation ...

Dev09
Enthusiast

vSphere 5.5 EP09 build #3343343 doesn't support TLS 1.1/TLS 1.2.

Only the TLS 1.0 protocol is supported by default from vSphere 5.5 U3b onward. However, customers can enable SSLv3 via configuration.

veemsis
Contributor

Sorry for the late reply. Could you point out some kind of VMware documentation where this is written?

I am wondering because, when connecting to the ESXi web server, the browser recognizes TLS 1.2.

Of course, browsers aren't the best tools for gathering system information.

I would appreciate it if you could share how you found out about the TLS version (documentation, security scan).

Thanks in advance


Karol

MKguy
Virtuoso

"Do ESXi 5.5 U3 and vCenter 5.5 support TLS 1.2?"

The answer is yes and no. First of all, vCenter and ESXi consist of many different services, SSL/TLS-enabled socket listeners, client-initiating connection components etc. A lot of these do not use a common SSL/TLS library, but actually different implementations (namely openssl and Java JSSE). In some cases even with different versions on the same system for different components.

In short: It's a real mess.

I did a scripted scan of my Windows vCenter 5.5 U3b (build 3252642) and here's what the result looks like:

Port 443 vpxd - VMware VirtualCenter - supports: TLS 1.0
Port 7444 java - Java(TM) Platform SE binary - supports: SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Port 8084 - vmware-updatemgr - VMware vSphere Update Manager Service - supports: TLS 1.0
Port 8191 java - Java(TM) Platform SE binary - supports: TLS 1.0, TLS 1.1, TLS 1.2
Port 8443 java - Java(TM) Platform SE binary - supports: TLS 1.0, TLS 1.1, TLS 1.2
Port 9087 java - Java(TM) Platform SE binary - supports: TLS 1.0, TLS 1.1, TLS 1.2
Port 9443 java - Java(TM) Platform SE binary - supports: TLS 1.0, TLS 1.1, TLS 1.2
Port 10109 java - Java(TM) Platform SE binary - supports: TLS 1.0, TLS 1.1, TLS 1.2
Port 10443 java - Java(TM) Platform SE binary - supports: TLS 1.0, TLS 1.1, TLS 1.2
Port 11712 - vmdird - VMware Directory Service - supports: TLS 1.0
Port 12443 java - Java(TM) Platform SE binary - supports: TLS 1.0, TLS 1.1, TLS 1.2
Port 31100 java - Java(TM) Platform SE binary - supports: TLS 1.0, TLS 1.1, TLS 1.2
Port 32100 java - Java(TM) Platform SE binary - supports: TLS 1.0, TLS 1.1, TLS 1.2

Port 443, which is the important central connection point for everything related to the vCenter API (including ESXi host to vCenter communication) only supports TLS 1.0, as do two other components.

The SSO service even still has SSLv3 enabled by default when you upgrade:

VMware KB: Enabling SSLv3 protocol on vSphere 5.5

Install: TLS protocols are enabled and SSLv3 disabled.

Upgrade: All protocols are enabled including SSLv3.

Scan of an ESXi 5.5 U3b (build 3343343) host:

Port 443 - rhttpproxy-work supports: TLS 1.0, TLS 1.1, TLS 1.2
Port 5989 - sfcb-HTTPS-Daemon supports: TLS 1.0, TLS 1.1, TLS 1.2

5.5 Pre-U3b ESXi hosts also support SSLv3 on port 443.

Port 902 (authd, VM console connections etc) is a bit harder to test, since it doesn't use plain SSL/TLS, but rather a STARTTLS-like implementation, but it should support TLS 1.2 as well.

The above are the server-side components. As you can see, most support TLS 1.0, 1.1 and 1.2.

This however does not answer how the client-side components really interact with these services. They could very well open TLS 1.0 connections to services that support 1.2 as well if the client library only supports 1.0 (or is misconfigured etc).

Here's what I observed from packet traces between a 5.5 U3b host and vCenter:

vCenter (vpxd process) to ESXi:443 - TLS 1.0 only even though the ESXi supports TLS 1.2
vCenter (java process) to ESXi:902 - TLS 1.0 only even though the ESXi supports TLS 1.2
vCenter (java process) to ESXi:5989 - TLS 1.0 only even though the ESXi supports TLS 1.2

So while the server supports TLS 1.2, vCenter doesn't actually use it.

Backward compatibility to older hosts is not a valid excuse here. If a server does not support a more recent TLS version the client is offering, it just falls back to its highest available version. The connection fails only if the client does not support this older version at all.

On a side note, ESXi and vCenter 5.5 U3b still support useless client-initiated TLS renegotiation which can be exploited to create a DoS situation by eating up CPU cycles on the server.

Over a year ago I wrote the VMware Security Response Team about it with PoC code. (For the curious: a custom patch for the THC SSL Renegotiation DoS Tool similar to this one I wrote for SMTP-STARTTLS: THC SSL Renegotiation DoS Tool for SMTP STARTTLS)

They replied that they'll look into it and confirmed "a partial DoS", but after that I never heard back from them, even though I asked for a status.

-- http://alpacapowered.wordpress.com
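The per-port protocol scan MKguy describes above can be reproduced with a small probe that pins a TLS client context to one protocol version at a time and records which versions the listener accepts, then flags listeners that still offer SSLv3 or lack TLS 1.2. The script below is an added example written for this thread; it is not MKguy's scanner or any VMware tool. It assumes Python 3.7+ (for `ssl.TLSVersion` and `minimum_version`/`maximum_version`) and an OpenSSL build that accepts the `@SECLEVEL=0` cipher-string modifier so that TLS 1.0 and 1.1 can still be offered; the sample scan lines fed to the parser are copied from the vCenter results quoted in the post.

```python
"""Probe which SSL/TLS protocol versions a listener accepts and flag legacy-only
services. Added example for this thread; not MKguy's script or VMware code."""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Versions to offer, newest first. SSLv3 is deliberately absent: the OpenSSL
# behind current Python refuses to negotiate it, so a probe would always fail
# and report a misleading "not supported".
CANDIDATES: Dict[str, ssl.TLSVersion] = {
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.0": ssl.TLSVersion.TLSv1,
}


def _context_pinned_to(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Modern OpenSSL rejects TLS 1.0/1.1 at its default security level;
    # lower it so those versions can be offered at all (assumed OpenSSL syntax).
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def probe_versions(host: str, port: int, timeout: float = 5.0) -> List[str]:
    """Return the protocol versions the listener completed a handshake with."""
    accepted = []
    for name, version in CANDIDATES.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                ctx = _context_pinned_to(version)
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    if tls.version():
                        accepted.append(name)
        except (ssl.SSLError, OSError, ValueError):
            continue  # handshake refused or version unsupported locally
    return accepted


@dataclass
class Listener:
    port: int
    service: str
    versions: List[str]


def parse_scan_line(line: str) -> Listener:
    """Parse a line such as 'Port 443 vpxd - VMware VirtualCenter - supports: TLS 1.0'."""
    head, _, tail = line.partition("supports:")
    versions = [v.strip() for v in tail.split(",") if v.strip()]
    parts = head.split()
    port = int(parts[1])
    service = " ".join(parts[2:]).strip(" -")
    return Listener(port, service, versions)


def findings(listeners: List[Listener]) -> List[Tuple[int, str]]:
    """Flag listeners that still accept SSLv3 or cannot negotiate TLS 1.2."""
    out = []
    for lst in listeners:
        if "SSL 3.0" in lst.versions:
            out.append((lst.port, "SSLv3 enabled"))
        if "TLS 1.2" not in lst.versions:
            out.append((lst.port, "no TLS 1.2"))
    return out


# Sample input: a subset of the vCenter 5.5 U3b scan results quoted in the post.
SAMPLE_SCAN = [
    "Port 443 vpxd - VMware VirtualCenter - supports: TLS 1.0",
    "Port 7444 java - Java(TM) Platform SE binary - supports: SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2",
    "Port 8084 - vmware-updatemgr - VMware vSphere Update Manager Service - supports: TLS 1.0",
    "Port 11712 - vmdird - VMware Directory Service - supports: TLS 1.0",
    "Port 12443 java - Java(TM) Platform SE binary - supports: TLS 1.0, TLS 1.1, TLS 1.2",
]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # live probe: python tls_probe.py HOST PORT
        print(f"{sys.argv[1]}:{sys.argv[2]} supports: "
              + ", ".join(probe_versions(sys.argv[1], int(sys.argv[2]))))
    for port, issue in findings([parse_scan_line(l) for l in SAMPLE_SCAN]):
        print(f"port {port}: {issue}")
```

Run with a host and port to probe a live listener, or with no arguments to evaluate the quoted scan output. Note that a server-side probe like this answers only half of MKguy's point: whether vCenter's own client components actually use TLS 1.2 toward ESXi still has to be checked from a packet trace, as he did.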
veemsis
Contributor

Thank you very much for the satisfying answer!
