VMware {code} Community
cyberpaul
Enthusiast

SSL verification in vixDiskLib_Clone

Hi everyone,

I am using VDDK 6.5 and thanks to VixDiskLibConnectParams.thumbPrint I am able to connect to vCenter even when there are some certificate errors (in my lab there are several).

I can vixDiskLib_Read, Write etc. However, when I call vixDiskLib_Clone, I get errors even with thumbPrint set:

Warning: SSL: Unknown SSL Error

Warning: SSL: connect failed (1)

Warning: [NFC ERROR] NfcNewAuthdConnectionEx: Failed to connect to peer. Error: The remote host certificate has these problems:

Warning: * Host name does not match the subject name(s) in certificate.

Warning: * unable to get local issuer certificate

Is there a way to bypass these errors? I do not understand why the cloning function should connect to a peer anyway - the connection has already been made in vixDiskLibConnect, hasn't it?

Thanks in advance for your ideas!

Pavel

2 Replies
cyberpaul
Enthusiast

Heck, I'll just answer myself...

Further investigation shows that VixDiskLib_Clone establishes a connection not with vCenter (which has already been established by ConnectEx at this point), but rather with the ESXi host running the selected VM. It is the Client -> ESXi connection that is failing, not the Client -> vCenter one. AFAIK there is no way to pass the ESXi host's SSL thumbPrint to VixDiskLib_Clone(), so in VDDK 6.0 and newer the Clone() function will work only with valid host certificates.

The obvious workaround would be to avoid vCenter entirely and use VDDK to connect directly to ESXi using the SSL thumbPrint of the ESXi host. I tried that and it's working, but it's impractical - one would need credentials for every ESXi host.

I reverted to VDDK 5.5.4 and use the "verifyCertificates=0" option. I regret the time I spent with VDDK 6.5 and I regret wasting a day with this SSL nonsense. Who the hell uses valid certificates on ESXi hosts?

Pavel

cyberpaul
Enthusiast

Resolved in VDDK 6.5.2. The cloning function no longer requires valid host certificates.
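
The thread relies on pinning a certificate by thumbprint (VixDiskLibConnectParams.thumbPrint), and the direct-to-ESXi workaround needs one thumbprint per host. The following is an added example, not code from the posts or from VMware: it derives each host's thumbprint from its PEM certificate and checks it against a recorded inventory. It assumes thumbPrint takes the colon-separated SHA-1 hex form; the host names and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    """Return the DER bytes of the first certificate in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def normalize(tp):
    """Turn 'aa:bb:..', 'AA BB ..' or 'aabb..' into upper-case 'AA:BB:..' form."""
    bare = re.sub(r"[:\s-]", "", tp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", bare):
        raise ValueError("not a SHA-1 thumbprint: %r" % tp)
    return ":".join(bare[i:i + 2] for i in range(0, 40, 2))

def thumbprint(der):
    """SHA-1 over the DER certificate (assumed format for thumbPrint)."""
    return normalize(hashlib.sha1(der).hexdigest())

def check_pins(presented, pinned):
    """Map each host to 'ok', 'mismatch' or 'unpinned'."""
    result = {}
    for host, pem in presented.items():
        if host not in pinned:
            result[host] = "unpinned"
        else:
            same = thumbprint(pem_to_der(pem)) == normalize(pinned[host])
            result[host] = "ok" if same else "mismatch"
    return result

def fake_pem(der):  # constructed stand-in: arbitrary bytes, not a real certificate
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample data with hypothetical host names.
HOSTS = ("esx01.lab.example", "esx02.lab.example", "esx03.lab.example")
PRESENTED = {h: fake_pem(("constructed DER for " + h).encode()) for h in HOSTS}
PINNED = {HOSTS[0]: hashlib.sha1(("constructed DER for " + HOSTS[0]).encode()).hexdigest(),
          HOSTS[1]: thumbprint(b"certificate recorded before esx02 was reinstalled")}

if __name__ == "__main__":
    print(check_pins(PRESENTED, PINNED))
```

A "mismatch" means the host now presents a different certificate from the one recorded, so the pin should be re-verified out of band before it is updated.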