VMware Cloud Community
ohox
Contributor

SSLv3 in ESXi 6.5

Hi,

does anybody know how to enable SSLv3 for vmauthd on ESXi 6.5? The old "vmware-vdiskmanager" application for some reason insists on using that and I cannot use the one from VDDK 6.5, because it requires an SSL certificate thumbprint but does not give any option to specify it from the command line :(

On ESXi 6.0 it was working fine, but after upgrade to 6.5 the ESXi rejects the connection (just after it receives SSL CLIENT HELLO). In the log I can see that only tls1.2 is allowed:

2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: protocol list tls1.2
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES

And indeed it does not recognise the protocol when vdiskmanager is trying to establish SSL:

2017-02-27T20:02:37Z vmauthd[68831]: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL
2017-02-27T20:02:37Z vmauthd[68831]: Could not expand environment variable HOME.
2017-02-27T20:02:37Z vmauthd[68831]: Could not expand environment variable HOME.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "/usr/lib/vmware/config": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "~/.vmware/config": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "~/.vmware/preferences": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: OpenSSL using FIPS_drbg for RAND
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
2017-02-27T20:02:37Z vmauthd[68831]: Connect from remote socket (10.5.0.3:51395).
2017-02-27T20:02:37Z vmauthd[68831]: Connect from 10.5.0.3
2017-02-27T20:02:37Z vmauthd[68831]: SSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-02-27T20:02:37Z vmauthd[68831]: recv() FAIL: 1.
2017-02-27T20:02:37Z vmauthd[68831]: VMAuthdSocketRead: read failed.  Closing socket for reading.
2017-02-27T20:02:37Z vmauthd[68831]: Read failed.

I have tried several ways to change it, but without any success:

- add "vmauthd.ssl.noSSLv3 = "false"" to /etc/vmware/config

- set "vmacore/ssl" in /etc/vmware/rhttpproxy/config.xml to "<protocols>SSLv3,tls1.0,tls1.1,tls1.2</protocols>"

- remove "sslv3" from /UserVars/ESXiVPsDisabledProtocols 

I am going nuts, is there some other way?

Thanks,

Ondrej

JimKnopf99
Commander

Hi,

here is a KB file that may help you.

Enabling support for SSLv3 in ESXi (2121021) | VMware KB

It is for ESXi Version 6. But you could give it a try.

Frank

If you find this information useful, please award points for "correct" or "helpful".
AndrzejBan
Contributor

Hey Ondrej

Were you able to find a solution?

Andrzej

ohox
Contributor

Hi Andrzej,

knowing this is a bit outdated 🙂 I found my own post when dealing with the same issue after a few years.

I tried many things including writing my own code with the library provided by VMware, but I was not able to achieve what I need.

I ended up using simple SCP to copy disk file extracted from OVF and vmkfstools executed over SSH to convert it to the right format. That works well both with ESXi 6.0 and 6.7 that I currently use.

Slightly more info and application doing it (that I use as drop-in replacement of "vmware-vdiskmanager" application) can be found on my GitHub - https://github.com/ondrejholecek/esxi-disk-copy
