You can specify the ESXi ciphers used to serve the vSphere Client. You can do this both ways: either extend them (make it less secure, but more compatible, for instance to server vSphere Client on Windows Server 2003 / Windows XP), or restrict them to make it more secure.
VMware recommends the cipherList ALL to make it more compatible: VMware KB: vSphere Client and vSphere PowerCLI may fail to connect to vCenter Server 5.0, 5.1 and 5.5 due to a Handshake failure.
However, ALL is far too wide to be secure. Since cipherList uses the standard cipher list format documented at ciphers – SSL cipher display and cipher list tool.
You can use the cipher lists from Strong SSL Security on nginx – Raymii.org:
- Strong:
EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
- Compatible:
EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
When you run the vSphere Client on Windows Server 2003 / Windows XP, as of VMware ESXi 5.1 update 2 you will get this error message with the default cipher list:
An unknown connection error occurred. (The client could not send a complete request to the server. (The underlying connection was closed: An unexpected error occurred on a send.))
These are the steps to change the cipher list replacing *** with one of the cipher lists mentioned above:
- Connect to the host via
SSH. For more information, see Using ESXi Shell in ESXi 5.0 and 5.1 (2004746).- Navigate to the directory:
/etc/vmware/rhttpproxy/- Backup the
config.xmlfile. Do not skip this step.- Open
config.xmlfile usingvieditor. For more information, see Editing files on an ESX host using vi or nano (1020302).- Add the
<cipherList>***</cipherList>parameter between the<ssl>...</ssl>section of the configuration file. Use the model below as an example:<config> ... <vmacore> ... <ssl> <doVersionCheck> false </doVersionCheck> <useCompression>true</useCompression> <libraryPath>/lib/</libraryPath> <handshakeTimeoutMs>120000</handshakeTimeoutMs> <cipherList>***</cipherList> </ssl> ... </vmacore> ... </config>- Save and close the
config.xmlfile- Reset the
rhttpproxyservice for the change to take effect by running the command:
/etc/init.d/rhttpproxy restart
–jeroen
