VMware Cloud Community
DyJohnnY
Enthusiast

ESXi 5.5 webinterface - how to disable SSL v3

Hi,

In the wake of the Poodle vulnerability, our security teams have flagged our ESXi hosts for using SSLv3 for the traffic going over the web-interface, on port 443.

Is there any way to disable the use of SSL v3 in the ESXi web server? I've looked for KBs explaining how to do this, but I found nothing.

I also had a quick look at the advanced settings and there was nothing there.

Am I missing something really obvious?

Thank you,

Ionut

IonutN
mstefani77
Contributor

I've got a ticket into VMware asking the same. Qualys flagged all our hosts as vulnerable, but the VMware KB article makes it sound like more of a client-side vulnerability than a server-side one.

gg608f
Contributor

Is there any patch containing the fix already available?

Thanks

vNEX
Expert

Hi,

Regarding this CVE, the POODLE attack is an attack against the client browser, NOT against the server side...

So the only way at this time to mitigate this issue is disabling SSL v3 in your browser (this would force the client-server communication to TLS).

For more info see:

VMware KB: VMware Products and CVE-2014-3566 (POODLE)

Quick Notes:

VMware is planning to phase out the support of SSL v3 in its products during the next available maintenance releases.

Regards, P.
rek3
Contributor

Hi all,

Just a heads up: I've been waiting for a patch for some time as well, for both the vCenter server and ESXi. I just tried the vCenter update 2e that was just released and unfortunately they didn't do anything about it in this release either, never mind for ESXi...

Bleeder
Hot Shot

It's fixed with 6.0. That pretty much forced me to upgrade (in order to maintain PCI DSS compliance).
