VMware vSphere

  • 1.  Need to Disable SSL V3 - How can I disable it? Is it required?

    Posted Apr 30, 2015 05:36 AM
    The SSL protocol 3.0 design error: it uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attacks (POODLE). Additional information (CVE-2014-3566): An unauthorised user who can take a man-in-the-middle (MitM) position can exploit this vulnerability and gain access to encrypted communication between a client and server. It is recommended to disable SSLv3 support to avoid this vulnerability.


  • 2.  RE: Need to Disable SSL V3 - How can I disable it? Is it required?

    Posted Apr 30, 2015 11:21 AM

    Can anyone help me on this?



  • 3.  RE: Need to Disable SSL V3 - How can I disable it? Is it required?

    Posted Apr 30, 2015 01:30 PM

    Hi,

    I assume you are talking about disabling SSLv3 within VMware?

    I believe that the current advice as per this KB is to disable SSLv3 in your browser, as VMware products use TLS for communication between end points, so adjusting browser settings does not matter. In our organisation this is the process we have adopted: disabling across the board by updating browser versions that address the vulnerability, or stopping it within the guest O/S completely.



  • 4.  RE: Need to Disable SSL V3 - How can I disable it? Is it required?

    Posted Apr 30, 2015 06:54 PM

    Please see VMware KB: VMware Products and CVE-2014-3566 (POODLE) for information about POODLE and VMware products.



  • 5.  RE: Need to Disable SSL V3 - How can I disable it? Is it required?

    Posted May 08, 2015 05:21 PM

    The KB (2092133) VMware KB: VMware Products and CVE-2014-3566 (POODLE) is only related to disabling SSLv3 in the client web browser; however, from our security report:

    NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.

    Does anyone know how we are able to disable SSLv3 on the server? Is it even possible?

    Many thanks,



  • 6.  RE: Need to Disable SSL V3 - How can I disable it? Is it required?

    Posted May 19, 2015 06:31 PM

    vCenter 5.5 Update 2e with SRM 5.5.1.5

    Well, the word has come down from the corporate security gods... it will be done. On servers, disable all auth less than TLS 1.1, now a combined PCI and HIPAA requirement. So I opened a ticket with VMware to confirm a process.

    As we move forward there's no doubt security requirements will rise; we have a tendency to be on the almost bleeding edge of the security knife.

    What's sad is there seems to be no comprehensive guide from VMware on critical security configuration practices at this level, let alone the certificate discussion. There has to be something on the government side, because the server hardening guide / Excel spreadsheet doesn't cover current needs.

    I went to TLS 1.0 on my vCenter and all looked good, except it immediately broke the connections with my SRM server.

    The following commands can be used to confirm connection status from the bin directory of your OpenSSL install:

    openssl.exe s_client -connect [VMHostFQDN]:443 -ssl3

    openssl.exe s_client -connect [VMHostFQDN]:443 -tls1

    Now, after 3 sessions with support: SRM is SSLv3 dependent, so it looks like I'm getting a security exception.

    Regards, DGN
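
    The protocol probe from the post above, as an added example that is not part of the original post and not VMware's own tooling: a POSIX shell script that runs openssl s_client once per protocol flag against a host named in the VMHOST environment variable (a placeholder; port 443 is assumed unless VMPORT is set) and classifies each handshake from the s_client output instead of eyeballing it. It also handles the case the thread does not mention: an OpenSSL build that no longer accepts -ssl3 at all, which shows up as an unknown-option error on the client, not as a refusal by the server.

```shell
#!/bin/sh
# Added example, not from the thread: probe which SSL/TLS versions a vSphere
# endpoint (vCenter, ESXi, SRM) still negotiates, one openssl s_client run per
# protocol flag. VMHOST and VMPORT are placeholders supplied by the caller.

# Read openssl s_client output on stdin and print one of:
#   ENABLED            the server completed a handshake with the requested version
#   DISABLED           the server refused the requested version
#   CLIENT_UNSUPPORTED the local openssl build does not know the protocol flag
#   UNKNOWN            anything else (connection refused, DNS failure, ...)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qiE 'unknown option|unrecognized option'; then
        echo CLIENT_UNSUPPORTED
    elif printf '%s\n' "$out" | grep -qiE 'handshake failure|alert protocol version|wrong version number|unsupported protocol|no protocols available'; then
        echo DISABLED
    elif printf '%s\n' "$out" | grep -qE '^ *Cipher *: *(0000|\(NONE\))'; then
        # Old s_client builds print an SSL-Session block even after a failed
        # handshake; a null cipher there means nothing was negotiated.
        echo DISABLED
    elif printf '%s\n' "$out" | grep -qE '^ *Protocol *: *(SSLv3|TLSv1(\.[0-9])?)'; then
        echo ENABLED
    else
        echo UNKNOWN
    fi
}

# Run one probe. </dev/null closes stdin so s_client exits right after the
# handshake; 2>&1 folds the error lines into the output we classify.
probe_proto() {
    host=$1; port=$2; flag=$3
    openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 | classify_handshake
}

# Probe every version and return non-zero if SSLv3 is still accepted.
# Usage: VMHOST=vcenter.example.internal VMPORT=443 sh probe_sslv3.sh
audit_host() {
    host=$1; port=$2; rc=0
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(probe_proto "$host" "$port" "$flag")
        echo "$host:$port $flag -> $result"
        if [ "$flag" = "-ssl3" ] && [ "$result" = "ENABLED" ]; then
            rc=1
        fi
    done
    return $rc
}

# Only touch the network when the caller names a host.
if [ -n "${VMHOST:-}" ]; then
    audit_host "$VMHOST" "${VMPORT:-443}"
fi
```

    A CLIENT_UNSUPPORTED result for -ssl3 means the probe proved nothing about the server: OpenSSL 1.1.0 and later are built without SSLv3 by default, so to reproduce the check from a modern workstation you need an older OpenSSL (or one built with enable-ssl3), or you rely on the scanner report instead. Run the audit separately against each port the products listen on (443 for vCenter and ESXi, 7444 for SSO, the SRM port), since they are served by different processes with different settings.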



  • 7.  RE: Need to Disable SSL V3 - How can I disable it? Is it required?

    Posted May 19, 2015 07:47 PM

    You will probably have to upgrade to SRM 6 and vCenter 6 if you want to use only TLS.

    This is from the SRM 6 documentation:

    "Previous versions of Site Recovery Manager supported both secure sockets layer (SSL) and TLS connections. This version of Site Recovery Manager only supports TLS, due to weaknesses identified in SSL 3.0."



  • 8.  RE: Need to Disable SSL V3 - How can I disable it? Is it required?

    Posted Sep 25, 2015 10:55 AM

    Hi!! Have you found a way to disable SSLv3 support and use TLS on ESXi 5.5?

    I tried setting the CipherList on ESXi, and that makes the vSphere Client fail to connect to the ESXi host.

    I googled a lot, but found nothing useful.

    So, please let me know if you know the steps to disable SSLv3 on the ESXi server and vSphere Client.



  • 9.  RE: Need to Disable SSL V3 - How can I disable it? Is it required?

    Posted Sep 27, 2015 07:45 AM

    Hi,

    POODLE vulnerability (reported in CVE-2014-3566) was already addressed by patches below in vSphere 5.1/5.5 releases:

    ESXi:

    VMware KB: VMware ESXi 5.5, Patch ESXi550-201501101-SG: Updates esx-base

    VMware KB: VMware ESXi 5.1, Patch ESXi510-201503101-SG: Updates esx-base

    VMware KB: VMware ESXi 5.0, Patch ESXi500-201502101-SG: Updates esx-base

    vCenter server:

    vCenter Server 5.5 Update 2d Release Notes

    Starting from vSphere 6.0 Update 1 SSLv3 is disabled by default

    for more details see:

    vCenter 6.0U1
    http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-vcenter-server-60u1-release-notes.html

    Important Note:
    for vCenter SSO 6.0 this applies only to fresh-install deployments; if you have upgraded to this release from older builds you must manually disable SSLv3 for SSO:

    VMware KB: Disabling SSLv3 on vCenter Single Sign-On port 7444

    http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2131310&sliceId=1&docTypeID=DT_KB_1_1&dialogID=710756846&stateId=1%200%20710766174

    ESXi 6.0U1
    http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-esxi-60u1-release-notes.html

    For those who encounter some issues after SSLv3 is disabled see:

    VMware KB: vCenter Server fails to start after upgrading the F5 BIG-IP hardware load balancer to 11.5.0 when using H…

    VMware KB: Linked Clone pool creation and recomposition fails with VMware Horizon View 6.1.x and older releases

    VMware KB: Enabling support for SSLv3 in ESXi

    Also beware that SRM 5.x releases rely on SSLv3:

    VMware KB: VMware vCenter Site Recovery Manager Server service fails to start after changing security settings

    For vSphere 5.x releases (ESXi and vCenter server) I would recommend installing the existing security patches to cover the POODLE vulnerability, or upgrading to the vSphere 6.0U1 release, instead of manually hardening the affected systems and their services separately as mentioned in these sources:

    vCenter SSLv3 disabled (KB 2093354)

    Security/POODLE - Tomcat Wiki

    vCenter Server 5.5 Update 2d Release Notes

    VMware KB: Enabling support for SSLv3 in ESXi