VMware {code} Community
matta993
Contributor

Disabled TLS 1.0 on vCenter 6.0U3

I have been attempting to utilize the new default TLS settings in vCenter version 6.0U3 as outlined in the release notes:

VMware vCenter Server 6.0 Update 3 Release Notes

The goal is to permit customers to connect external devices for use with our web client plugin without enabling TLS 1.0, of course. Unfortunately, no external devices can be connected without first enabling 1.0 on the external device. To check the TLS settings, I downloaded the TLS reconfiguration tool, ran a scan and compared the results to a scan of a functional 6.5 vCenter that indeed permits exclusion of TLS 1.0 device connections. The only difference was that 6.0 permitted 1.0, 1.1 and 1.2 for the web client service, while vCenter 6.5 was limited to 1.1 and 1.2. I used the reconfiguration tool to successfully remove 1.0 and retried the connections, which again were denied unless I enabled 1.0 on the external device. I have attached a screenshot of the reconfiguration tool scan command. Thanks in advance for any hints. Matt A.

Screen Shot 2017-06-23 at 3.39.23 PM.png

tganchev
VMware Employee

Hi Matt,

This forum is specifically for questions about the vSphere Client SDK. You'd get more answers if you post the question on the general vSphere community.

Can you help us understand the issue you are experiencing in more detail:

- Is the problem specific to the Web Client? Are you only re-configuring TLS 1.0 on the Client?

- What are the external devices - browsers, proxies?

- When testing the connectivity, do you go to port 9443 for the web client or do you go to 443 (https://your-vc/vsphere-client)?

Thanks,

Tony

matta993
Contributor

Thanks for your reply:

I will also look for answers in the general community, but this is actually relevant to our web client plug-in being developed with the SDK.

The connections are with networked storage systems via the Java service component of our plug-in. The Java service closely follows the examples provided in the SDK and related documentation. The presumption is that this utilizes 9443.

The storage systems can toggle TLSv1.0, 1.1, 1.2 enablement on or off. Beginning with the latest software release for the storage system, 1.0 is disabled by default. We were hoping to support vCenter versions of 6.0 (6.0U3) and 6.5 with our latest plug-in release with the same configurations to use the disabled state of 1.0 on the storage systems. For some reason this works for 6.5, but not 6.0U3. If TLSv1.0 is enabled on the storage system, then everything works with 6.0.

Thanks again,

Matt

tganchev
VMware Employee

Thanks Matt. Yes, this is the right community.

Is it your plugin's Java layer that connects to the storage systems? What are the ciphers that the latter support - can you run an SSL scan?

The biggest change between vSphere 6.0 and 6.5 is switching from JRE 1.7 to 1.8. JRE 1.7 does not enable TLSv1.1 and v1.2 by default (for outgoing connections), yet they can still be enabled at config or runtime after we confirm that this is the problem.

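An added example, not from the thread or the vSphere Client SDK, of the runtime option Tony mentions: a Java helper for a plug-in's Java service that reports which protocols the JRE offers on outgoing connections by default and pins HTTPS connections to TLS 1.1/1.2 so TLS 1.0 is never negotiated. The class name, method names and the storage URL in the usage note are assumptions.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;

/** Hypothetical helper: make a plug-in's outgoing HTTPS calls use TLS 1.1/1.2 only, even on JRE 1.7. */
public final class ModernTlsClient {

    /** Protocols offered in the ClientHello; "TLSv1" (1.0) is deliberately left out. */
    private static final String[] PROTOCOLS = {"TLSv1.2", "TLSv1.1"};

    /** Wraps the JRE's socket factory and narrows the enabled protocols on every socket it hands out. */
    static final class ProtocolPinningFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;
        ProtocolPinningFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

        private Socket pin(Socket s) {
            // A context created with getInstance("TLSv1.2") still enables TLSv1 on JRE 1.7, so restrict per socket.
            if (s instanceof SSLSocket) ((SSLSocket) s).setEnabledProtocols(PROTOCOLS);
            return s;
        }
        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        @Override public Socket createSocket(Socket s, String h, int p, boolean a) throws IOException { return pin(delegate.createSocket(s, h, p, a)); }
        @Override public Socket createSocket(String h, int p) throws IOException { return pin(delegate.createSocket(h, p)); }
        @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return pin(delegate.createSocket(h, p, l, lp)); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return pin(delegate.createSocket(h, p)); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return pin(delegate.createSocket(h, p, l, lp)); }
    }

    /** Diagnostic: protocols an unconfigured client socket would offer. On JRE 1.7 this is typically just TLSv1 (and SSLv3). */
    public static String[] defaultClientProtocols() throws Exception {
        SSLSocket s = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket();
        try { return s.getEnabledProtocols(); } finally { s.close(); }
    }

    /** Opens an HTTPS connection that will only negotiate TLS 1.1 or 1.2; the storage system's TLS 1.0 setting no longer matters. */
    public static HttpsURLConnection open(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // supported by JRE 1.7, just not the default
        ctx.init(null, null, null);                         // default key and trust managers
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(new ProtocolPinningFactory(ctx.getSocketFactory()));
        return c;
    }
}
```

Call `open(new URL("https://<storage-system>/..."))` from the Java service in place of a plain `url.openConnection()`; the config-level alternative for `HttpsURLConnection` is starting the JVM with `-Dhttps.protocols=TLSv1.1,TLSv1.2`.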
AntonStoyanov
VMware Employee

Hi, Did you find an answer to your question?

6.0 U3 should be TLS 1.2 compliant.

Do you want to work with me to find out what the problem is?
