The SSL protocol 3.0 design error uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attacks (POODLE). Additional information: (CVE-2014-3566) | An unauthorised user who can take a man-in-the-middle (MitM) position can exploit this vulnerability and gain access to encrypted communication between a client and server. | It is recommended to disable SSLv3 support to avoid this vulnerability. |
Can anyone help me on this?
Hi,
I assume you are talking about disabling SSLv3 within VMware?
I believe that the current advice as per this KB is to disable SSLv3 in your browser, as VMware products use TLS for communication between end points, so adjusting browser settings does not matter. In our organisation this is the process we have adopted: disabling across the board by updating browser versions that address the vulnerability, or stopping it within the guest O/S completely.
Please see VMware KB: VMware Products and CVE-2014-3566 (POODLE) for information about POODLE and VMware products.
The KB (2092133) VMware KB: VMware Products and CVE-2014-3566 (POODLE) is only related to disabling SSLv3 in the client web browser; however, from our security report:
NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.
Does anyone know how we are able to disable SSLv3 on the server? Is it even possible?
Many thanks,
vCenter 5.5 upd 2e with SRM 5.5.1.5
Well, the word has come down from the corporate security gods... it will be done. On servers, disable all auth less than TLS 1.1, now a combined PCI and HIPAA requirement. So I opened a ticket with VMware to confirm a process.
As we move forward there's no doubt security requirements will rise, we have a tendency to be on the almost bleeding edge of the security knife.
What's sad is there seems to be no comprehensive guide from VMware on critical security configuration practices at this level, let alone the certificate discussion. There has to be something on the government side, because the server hardening guide / Excel spreadsheet doesn't cover current needs.
I went to TLS 1.0 on my vCenter and all looked good, except it immediately broke the connections with my SRM server.
The following commands can be used to confirm connection status from the bin directory of your OpenSSL install:
openssl.exe s_client -connect [VMHostFQDn]:443 -ssl3
openssl.exe s_client -connect [VMHostFQDn]:443 -tls1
Now, after 3 sessions with support: SRM is SSLv3-dependent, so it looks like I'm getting a security exception.
Regards, DGN
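As an added example (not code from the thread or from VMware), the two openssl s_client checks above can be wrapped so that each protocol version is probed in turn and the result is reported as one word, which makes it easy to confirm that a server no longer accepts SSLv3 after hardening. The classifier keys on the "New, <proto>, Cipher is <name>" line that s_client prints after every handshake attempt; the host name, port and category names are assumptions, and the sample outputs are constructed for the self-check.

```sh
#!/bin/sh
# Added example, not from the thread: probe a host for SSLv3/TLS acceptance
# with openssl s_client and classify each attempt. Assumes an openssl CLI on
# PATH; on builds where SSLv3 is compiled out, the -ssl3 flag itself is
# rejected by the client, which is reported as "unsupported-locally".

# Classify one s_client run from its captured output (stdout + stderr).
# s_client prints "New, <proto>, Cipher is <name>" after a successful handshake
# and "Cipher is (NONE)" when no session was negotiated, so that line is the
# signal; the order of the patterns matters because "(NONE)" also matches
# the generic "Cipher is " case.
classify_handshake() {
  case "$1" in
    *"Unknown option"*|*"unknown option"*)     echo unsupported-locally ;;
    *"connect:errno"*|*"Connection refused"*)  echo unreachable ;;
    *"Cipher is (NONE)"*)                      echo rejected ;;
    *"Cipher is "*)                            echo accepted ;;
    *)                                         echo unknown ;;
  esac
}

# Run s_client against host:port with one protocol flag (-ssl3, -tls1,
# -tls1_1, -tls1_2) and print "<flag> <classification>". Feeding "Q" on
# stdin closes the session as soon as the handshake is complete.
probe_protocol() {
  host=$1; port=$2; flag=$3
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" "$flag" 2>&1)
  printf '%s %s\n' "$flag" "$(classify_handshake "$out")"
}

# Probe all four versions. A server hardened to the policy discussed in the
# thread (nothing below TLS 1.1) should report "accepted" only for -tls1_1
# and -tls1_2, and "rejected" for -ssl3 and -tls1.
probe_all() {
  for f in -ssl3 -tls1 -tls1_1 -tls1_2; do
    probe_protocol "$1" "${2:-443}" "$f"
  done
}

# Constructed, abridged samples of s_client output used to exercise the
# classifier without a network connection.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2'
SAMPLE_REJECTED='error:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)'
SAMPLE_NO_SSL3="s_client: Unknown option: '-ssl3'"

# Usage: sh poodle-check.sh vcenter.example.invalid 443   (host is a placeholder)
if [ $# -gt 0 ]; then
  probe_all "$@"
fi
```

Run it against each vCenter, ESXi and SRM endpoint before and after applying a change, and keep the output with the change record; a line reading "-ssl3 rejected" is the evidence an auditor will ask for, while "-ssl3 unsupported-locally" only tells you that your OpenSSL build cannot test SSLv3 at all.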
You will probably have to upgrade to SRM 6 and vCenter 6 if you want to use only TLS.
This is from the SRM 6 documentation:
"Previous versions of Site Recovery Manager supported both secure sockets layer (SSL) and TLS connections. This version of Site Recovery Manager only supports TLS, due to weaknesses identified in SSL 3.0."
Hi!! Have you found the way to disable SSLv3 support and use TLS on ESXi 5.5?
I tried to mention the CipherList on ESXi, and that made the vSphere client fail to connect to the ESXi host.
I googled a lot, but found nothing useful.
So, please let me know if you know the steps to disable SSLv3 on the ESXi server and vSphere client.
Hi,
The POODLE vulnerability (reported in CVE-2014-3566) was already addressed by the patches below in the vSphere 5.1/5.5 releases:
ESXi:
VMware KB: VMware ESXi 5.5, Patch ESXi550-201501101-SG: Updates esx-base
VMware KB: VMware ESXi 5.1, Patch ESXi510-201503101-SG: Updates esx-base
VMware KB: VMware ESXi 5.0, Patch ESXi500-201502101-SG: Updates esx-base
vCenter server:
vCenter Server 5.5 Update 2d Release Notes
Starting from vSphere 6.0 Update 1, SSLv3 is disabled by default.
For more details see:
vCenter 6.0U1
http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-vcenter-server-60u1-release-notes.html
Important Note:
For vCenter SSO 6.0 this applies only to fresh-install deployments; if you have upgraded to this release from older builds, you must manually disable SSLv3 for SSO:
VMware KB: Disabling SSLv3 on vCenter Single Sign-On port 7444
ESXi 6.0U1
http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-esxi-60u1-release-notes.html
For those who encounter some issues after SSLv3 is disabled see:
VMware KB: Enabling support for SSLv3 in ESXi
Also beware that SRM 5.x releases rely on SSLv3:
For vSphere 5.x releases (ESXi and vCenter Server) I would recommend installing the existing security patches to cover the POODLE vulnerability, or upgrading to the vSphere 6.0U1 release, instead of manually hardening the affected systems and their services separately as mentioned in these sources:
vCenter SSLv3 disabled kb 2093354
vCenter Server 5.5 Update 2d Release Notes
VMware KB: Enabling support for SSLv3 in ESXi