Hi,
does anybody know how to enable SSLv3 for vmauthd on ESXi 6.5? The old "vmware-vdiskmanager" application for some reason insists on using that and I cannot use the one from VDDK 6.5, because it requires SSL certificate thumbprint but does not give any option to specify it from the command line.
On ESXi 6.0 it was working fine, but after upgrade to 6.5 the ESXi rejects the connection (just after it receives SSL CLIENT HELLO). In the log I can see that only tls1.2 is allowed:
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: protocol list tls1.2
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
And indeed it does not recognise the protocol when vdiskmanager is trying to establish SSL:
2017-02-27T20:02:37Z vmauthd[68831]: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL
2017-02-27T20:02:37Z vmauthd[68831]: Could not expand environment variable HOME.
2017-02-27T20:02:37Z vmauthd[68831]: Could not expand environment variable HOME.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "/usr/lib/vmware/config": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "~/.vmware/config": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "~/.vmware/preferences": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: OpenSSL using FIPS_drbg for RAND
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
2017-02-27T20:02:37Z vmauthd[68831]: Connect from remote socket (10.5.0.3:51395).
2017-02-27T20:02:37Z vmauthd[68831]: Connect from 10.5.0.3
2017-02-27T20:02:37Z vmauthd[68831]: SSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-02-27T20:02:37Z vmauthd[68831]: recv() FAIL: 1.
2017-02-27T20:02:37Z vmauthd[68831]: VMAuthdSocketRead: read failed. Closing socket for reading.
2017-02-27T20:02:37Z vmauthd[68831]: Read failed.
I have tried several ways to change it, but without any success:
- add "vmauthd.ssl.noSSLv3 = "false"" to /etc/vmware/config
- set "vmacore/ssl" in /etc/vmware/rhttpproxy/config.xml to "<protocols>SSLv3,tls1.0,tls1.1,tls1.2</protocols>"
- remove "sslv3" from /UserVars/ESXiVPsDisabledProtocols
I am going nuts, is there some other way?
Thanks,
Ondrej
Hi,
here is a KB file that may help you.
Enabling support for SSLv3 in ESXi (2121021) | VMware KB
It is for ESXi Version 6. But you could give it a try.
Frank
Hey Ondrej
Were you able to find a solution?
Andrzej
Hi Andrzej,
knowing this is a bit outdated 🙂 I found my own post when dealing with the same issue after a few years.
I tried many things including writing my own code with a library provided by VMware, but I was not able to achieve what I need.
I ended up using simple SCP to copy disk file extracted from OVF and vmkfstools executed over SSH to convert it to the right format. That works well both with ESXi 6.0 and 6.7 that I currently use.
Slightly more info and application doing it (that I use as drop-in replacement of "vmware-vdiskmanager" application) can be found on my GitHub - https://github.com/ondrejholecek/esxi-disk-copy