Need to Disable SSL V3 - How can I disable it? Is it required?

The SSL protocol 3.0 design error, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attacks (POODLE) Additional information: (CVE-2014-3566)An unauthorised user who can take a man-in-the-middle (MitM) position can exploit this vulnerability and gain access to encrypted communication between a client and server.It is recommended to disable SSLv3 support to avoid this vulnerability.
Regards, ABFS
8 Replies

can anyone help me one this?

Regards, ABFS
0 Kudos
RyanH84
Expert
Expert

Hi,

I assume you are talking about disabling SSLv3 within VMware?

I believe that the current advice as per this KB is to disable SSLv3 in your browser as VMware products use TLS for communication between end points,  so adjusting browser settings do not matter. In our organisation this is the process we have adopted, disabling across the board by updating browser versions that address the vulnerability or stopping it within guest O/S completely.

------------------------------------------------------------------------------------------------------------------------------------------------- Regards, Ryan vExpert, VCP5, VCAP5-DCA, MCITP, VCE-CIAE, NPP4 @vRyanH http://vRyan.co.uk
0 Kudos
peetz
Leadership
Leadership

Please see VMware KB: VMware Products and CVE-2014-3566 (POODLE) for information about POODLE and VMware products.

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
0 Kudos
davemacgb
Contributor
Contributor

The KB (2092133) VMware KB: VMware Products and CVE-2014-3566 (POODLE)  is only related to disabling SSLv3 in the client web browser however from our security report;

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC'S definition of 'strong cryptography'.

Does anyone know how we are able to disable SSLv3 on the server? Is it even possible?

Many thanks,

0 Kudos
digitalnomad
Enthusiast
Enthusiast

VCenter 5.5 upd 2e with SRM 5.5.1.5

Well  the word has come down from the corporate security gods...it will be done. On Servers, Disable all Auth less than TLS1.1 now a combined PCI and HIPPA requirement. So I opened a ticket with VMWare to confirm a process.

As we move forward there's no doubt security requirements will rise, we have a tendency to be on the almost bleeding edge of the security knife.

What's sad is there seems to be no comprehensive guide from VMWare on critical security configuration practices at this level let alone the certificate discussion. There has to be something on the government side because the server hardening Guide\ excel spreadsheet doesn't cover current needs.

I  went to TLS 1.0 on my VCenter and all looked good except it immediately broke the connections with my SRM server.

The following command can be used to confirm connection status from the bin directory of your openssl install

openssl.exe s_client -connect [VMHostFQDn]:443 -ssl3

openssl.exe s_client -connect [VMHostFQDn]:443 -tls1

Now after 3 sessions  with support,  SRM is SSLv3 dependent  so looks like I'm getting a security exception

Regards, DGN

0 Kudos
Bleeder
Hot Shot
Hot Shot

You will probably have to upgrade to SRM 6 and vCenter 6 if you want to use only TLS.

This is from the SRM 6 documentation:

"Previous versions of Site Recovery Manager supported both secure sockets layer (SSL) and TLS connections. This version of Site Recovery Manager only supports TLS, due to weaknesses identified in SSL 3.0."

0 Kudos
shashikanthB
Contributor
Contributor

Hi!! Have u found the way to disable the SSLV3 support and user of TLS on ESXi 5.5

I tried to mention the CipherList on ESXi and that making the VSphere client to fail to connect to the ESXi.

I googled a lot But not useful.

So,Please let me know if you know the steps to disable SSLv3 on ESXi Server and VSphere client.

0 Kudos
vNEX
Expert
Expert

Hi,

POODLE vulnerability (reported in CVE-2014-3566) was already addressed by patches below in vSphere 5.1/5.5 releases:

ESXi:

VMware KB: VMware ESXi 5.5, Patch ESXi550-201501101-SG: Updates esx-base

VMware KB: VMware ESXi 5.1, Patch ESXi510-201503101-SG: Updates esx-base

VMware KB: VMware ESXi 5.0, Patch ESXi500-201502101-SG: Updates esx-base

vCenter server:

vCenter Server 5.5 Update 2d Release Notes

Starting from vSphere 6.0 Update 1 SSLv3 is disabled by default

for more details see:

vCenter 6.0U1
http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-vcenter-server-60u1-release-notes.html

Important Note:
for vCenter SSO 6.0 this applies only to fresh install deployments if you have upraded to this release from older builds you must manually disable SSLv3 for SSO:

VMware KB: Disabling SSLv3 on vCenter Single Sign-On port 7444

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2131310&sl...

ESXi 6.0U1
http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-esxi-60u1-release-notes.html

For those who encounter some issues after SSLv3 is disabled see:

Mware KB: vCenter Server fails to start after upgrading the F5 BIG-IP hardware load balancer to 11.5...

VMware KB: Linked Clone pool creation and recompositon fails with VMware Horizon View 6.1.x and olde...

VMware KB: Enabling support for SSLv3 in ESXi

Also beware that SRM 5.x releases relies on SSLv3:

VMware KB: VMware vCenter Site Recovery Manager Server service fails to start after changing securit...

For vSphere 5.x releases (ESXi and vCenter server) I would recommend to install existing security patches to cover POODLE vulnerability or to upgrade to vSphere 6.0U1 release instead of

manually hardening affected systems and its services separately as mentioned in these sources:

vCenter SSLv3 disabled kb 2093354

Security/POODLE - Tomcat Wiki

vCenter Server 5.5 Update 2d Release Notes

VMware KB: Enabling support for SSLv3 in ESXi

_________________________________________________________________________________________ If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards, P.