10 Replies Latest reply on Jan 27, 2016 9:15 AM by MJoss

    ESXi 5.5 Update 3b (build 3248547) disables SSLv3; older version of vCenter Server can't reconnect the host.

    XavierEstevez Novice

      My versions:

      vCenter Server 5.5 Update 2d | 27 JAN 2015 | Build 2442329

      VMware ESXi™ 5.5 Update 3b | 8 DEC 2015 | 3248547

      VMware Product Interoperability Matrixes says that vCenter Server 5.5u2 is a valid combo with ESXi 5.5U3.


      The patch for ESXi 5.5u3b / build 3248547 disables SSLv3 (to remediate POODLE SSL vulnerability). VMware ESXi 5.5 Update 3b Release Notes

      I found that after applying the patch to an ESXi host and rebooting it, vCenter could not reconnect the host.


      vCenter server's /var/log/vmware/vpx/vpxd.log:

      [timestamp] [[...] error 'HttpConnectionPool-006630'] [ConnectComplete] Connect failed to <cs p:[...], TCP:esxi01.example.com:443>; cnx: (null), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:140000DB:SSL routines:SSL routines:short read)


      The steps in VMware KB: Enabling SSLv3 protocol on vSphere 5.5 (hostd section) work to un-break the connectivity of vCenter to the updated ESXi host, but of course that re-enables the vulnerable SSLv3, which is undesired.


      Is there a way to make ESXi 5.5 3248547 work with VCSA 5.5u2d 2442329, with both sides avoiding SSLv3?

      Am I correct to assume that updating VCSA to 5.5u3 will change VCSA's SSL version behavior to work without SSLv3?


      Thanks!
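The vpxd.log line quoted in the post is the signal to look for across every host after the 3b patch: a `Vmacore::Ssl::SSLException` with a `short read` during `ConnectComplete` means the ESXi side closed the handshake, which is what a client still offering SSLv3 sees from a host that no longer accepts it. The following is an added example, not code from the original post or from VMware, that parses such lines out of a vpxd.log and lists the hosts whose reconnect failures are all TLS handshake errors, so they can be checked against the vCenter version before anyone reaches for the KB workaround. The regex is modelled only on the single line quoted above; the sample log lines, timestamps, pointer values and the non-SSL exception name are constructed assumptions.

```python
"""Triage vCenter vpxd.log for host reconnect failures caused by TLS handshake errors.

Added example, not part of the original post. The pattern follows the shape of the
one vpxd.log line quoted in the post; everything in SAMPLE_VPXD_LOG is constructed.
"""
import re
from collections import defaultdict

# Constructed sample log (assumption): two SSL handshake failures against esxi01,
# one successful connect to esxi02, and one non-SSL failure against esxi03.
SAMPLE_VPXD_LOG = """\
2015-12-10T09:01:02.123Z [7F1C2B40 error 'HttpConnectionPool-006630'] [ConnectComplete] Connect failed to <cs p:0x7f1c3c01a2b0, TCP:esxi01.example.com:443>; cnx: (null), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:140000DB:SSL routines:SSL routines:short read)
2015-12-10T09:01:05.456Z [7F1C2B40 error 'HttpConnectionPool-006631'] [ConnectComplete] Connect failed to <cs p:0x7f1c3c01a2b0, TCP:esxi01.example.com:443>; cnx: (null), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:140000DB:SSL routines:SSL routines:short read)
2015-12-10T09:02:00.000Z [7F1C2B41 info 'HttpConnectionPool-006632'] [ConnectComplete] Connected to <cs p:0x7f1c3c01a2c0, TCP:esxi02.example.com:443>
2015-12-10T09:03:00.000Z [7F1C2B42 error 'HttpConnectionPool-006633'] [ConnectComplete] Connect failed to <cs p:0x7f1c3c01a2d0, TCP:esxi03.example.com:443>; cnx: (null), error: N7Vmacore15SystemExceptionE(Connection refused)
"""

# Timestamp, target host:port inside the <cs ...> descriptor, mangled exception class, and its message.
CONNECT_FAIL_RE = re.compile(
    r"^(?P<ts>\S+) .*?\[ConnectComplete\] Connect failed to "
    r"<cs p:[^,]*, TCP:(?P<host>[^:>]+):(?P<port>\d+)>;.*?"
    r"error: (?P<exc>\S+?)\((?P<detail>.*)\)\s*$"
)


def parse_connect_failures(log_text):
    """Return one dict per 'Connect failed' line: ts, host, port, exception class, detail, is_ssl."""
    failures = []
    for line in log_text.splitlines():
        m = CONNECT_FAIL_RE.match(line)
        if not m:
            continue  # successful connects and unrelated lines are skipped
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        # vpxd logs the mangled C++ class name; Vmacore::Ssl::SSLException appears as
        # N7Vmacore3Ssl12SSLExceptionE. A 'short read' means the peer closed the
        # connection mid-handshake, i.e. no protocol version both sides accept.
        rec["is_ssl"] = "SSLException" in rec["exc"]
        failures.append(rec)
    return failures


def summarize_by_host(failures):
    """Group failures per ESXi host: total count, TLS-handshake count, first/last time, messages."""
    summary = defaultdict(lambda: {"count": 0, "ssl_count": 0, "first": None, "last": None, "details": set()})
    for f in failures:
        s = summary[f["host"]]
        s["count"] += 1
        s["ssl_count"] += int(f["is_ssl"])
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
        s["details"].add(f["detail"])
    return dict(summary)


def hosts_needing_tls_review(log_text):
    """Hosts whose reconnect failures are all TLS handshake errors: likely a protocol mismatch after patching."""
    summary = summarize_by_host(parse_connect_failures(log_text))
    return sorted(h for h, s in summary.items() if s["ssl_count"] == s["count"])


if __name__ == "__main__":
    for host, s in sorted(summarize_by_host(parse_connect_failures(SAMPLE_VPXD_LOG)).items()):
        print(f"{host}: {s['count']} failures ({s['ssl_count']} TLS), {s['first']} .. {s['last']}")
    print("check TLS protocol settings for:", hosts_needing_tls_review(SAMPLE_VPXD_LOG))
```

On the constructed sample this reports esxi01.example.com only: esxi03's failure is a plain socket error and esxi02 connected, so neither is a protocol-version problem. Run it against the real `/var/log/vmware/vpx/vpxd.log` on the vCenter appliance to get the list of patched hosts that vCenter can no longer negotiate with, which is the set to reconcile with the vCenter version rather than to re-enable SSLv3 on.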