VMware Cloud Community
clbyowwc
Contributor

help...ssl certificate issues on vmware 4.1...nessus scan check

I have a problem on our vSphere client machine. Every 2 weeks Nessus scans our servers (including this machine). They found vulnerabilities in this machine and vmservers.

Below are the Nessus scans:

Vulnerability Report

Scanner: Nessus
Request Date: 2011-03-22 10:52:51
Scan Date: 2011-03-22 10:55:01
Scanner Host: svms
View Risk Level Limit: Low
Request By: vms
High: 0 Medium: 2 (2) Low: 37 (28)

No: 1
Alert ID: 45411
Vulnerability: https (443/tcp) - Checks that the X509 CN matches the target host
Last Detected: 2011-03-22 10:55:01 (43 day(s) old)
Risk Level: Medium
Ticket Status: Justified (Due: 2011-03-07)
Description

Synopsis : 

The SSL certificate for this service is for a different host. 

Description :

The commonName (CN) of the SSL certificate presented on this port is
for a different machine.

Solution : 

Purchase or generate a proper certificate for this service.

.0 
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin output :

The following hostnames were checked :
0-103.priv20.nus.edu.sg 



User Remarks
changes made but it may take time to be restarted...

No: 2
Alert ID: 51192
Vulnerability: https (443/tcp) - Checks that the certificate chain is signed by a known public authority
Last Detected: 2011-03-22 10:55:01 (43 day(s) old)
Risk Level: Medium
Ticket Status: Justified (Due: 2011-03-07)
Description

Synopsis : 

The SSL certificate for this service is signed by an unknown 
certificate authority.

Description :

The X.509 certificate of the remote host is not signed by a known
public certificate authority. If the remote host is a public host in
production, this nullifies the use of SSL as anyone could establish a
man in the middle attack against the remote host.

Solution :

Purchase or generate a proper certificate for this service.

.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin output :

*** ERROR: Unknown root CA in the chain:
Organization: VMware Installer

Certificate chain:


User Remarks
This is the vendor's self-signed certificate..

These are just examples of what we are encountering. I only justified this so that they will not close our server ports.

PLEASE HELP ME AS SOON AS POSSIBLE.

Thanks,

Rey Limosenero

0 Kudos
2 Replies
Shyam_Dhawale
Contributor

Are you using the Embedded ESXi version or Installable?

If you are using Embedded ESXi, the default SSL certificate is generated for localhost.localdomain. To fix the SSL vulnerability, you need to generate a new SSL certificate with the correct hostname.

-

Regards,

Shyam Dhawale

0 Kudos
clbyowwc
Contributor

I am new to this VMware ESX or ESXi.

This is what I see:

VMware ESX, 4.1.0,260247

We are running vSphere Client 4.0 on Windows XP 64.

So I guess we are running ESX.

If it is possible, can you give me a step-by-step example of how to generate a new SSL? Where to put this?

Is it the same as using openssl? Or can we use a star ' * ' certificate provided by a third party?

0 Kudos
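
The two findings in the report above (hostname mismatch and unknown CA), and the wildcard question in the last post, as an added example that is not part of the thread and not Nessus's own logic. The host name esx01.example.internal, the "Example Internal CA" issuer and the dictionary field names are constructed for illustration; only localhost.localdomain and "VMware Installer" come from the thread.

```python
# Added example: reproduces the two scanner checks on constructed
# certificate fields (no network access, no real certificates).

def label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # a wildcard covers exactly one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse '*.tld'-style patterns
    return p == h

def covers_host(cert: dict, host: str) -> bool:
    """Use subjectAltName DNS entries when present, else fall back to the CN."""
    names = cert.get("san_dns") or [cert["subject_cn"]]
    return any(label_match(n, host) for n in names)

def findings(cert: dict, host: str, trusted_roots: set) -> list:
    """Return the findings a scanner would raise for this cert on this host."""
    out = []
    if not covers_host(cert, host):
        out.append("hostname-mismatch")
    # Simplification (assumption): the issuer organization stands in for the
    # root. Real chain validation verifies signatures up to a trust anchor.
    if cert["issuer_org"] not in trusted_roots:
        out.append("unknown-ca")
    return out

HOST = "esx01.example.internal"            # constructed target host name
TRUSTED = {"Example Internal CA"}          # constructed trust store
DEFAULT_CERT = {"subject_cn": "localhost.localdomain", "san_dns": [],
                "issuer_org": "VMware Installer"}
HOST_CERT = {"subject_cn": HOST, "san_dns": [HOST],
             "issuer_org": "Example Internal CA"}
STAR_CERT = {"subject_cn": "*.example.internal",
             "san_dns": ["*.example.internal"],
             "issuer_org": "Example Internal CA"}

if __name__ == "__main__":
    for name, cert in [("default", DEFAULT_CERT), ("per-host", HOST_CERT),
                       ("wildcard", STAR_CERT)]:
        print(name, findings(cert, HOST, TRUSTED) or "clean")
```

A wildcard certificate clears the hostname check only for hosts exactly one label below the wildcard's domain, and either replacement certificate clears the CA check only if the scanner trusts the issuing CA.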