The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for August 14th, 2015

ESXi: specifying the ciphers used to serve the vSphere Client

Posted by jpluimers on 2015/08/14

You can specify the ciphers ESXi uses to serve the vSphere Client. This works both ways: you can either extend them (less secure, but more compatible, for instance to serve the vSphere Client on Windows Server 2003 / Windows XP), or restrict them to make the host more secure.

VMware recommends setting cipherList to ALL for better compatibility: VMware KB: vSphere Client and vSphere PowerCLI may fail to connect to vCenter Server 5.0, 5.1 and 5.5 due to a Handshake failure.

However, ALL is far too wide to be secure. Since cipherList uses the standard cipher list format documented at ciphers – SSL cipher display and cipher list tool, you can use the cipher lists from Strong SSL Security on nginx – Raymii.org:

  • Strong:
    • EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  • Compatible:
    • EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

When you run the vSphere Client on Windows Server 2003 / Windows XP, as of VMware ESXi 5.1 update 2 you will get this error message with the default cipher list:

An unknown connection error occurred. (The client could not send a complete request to the server. (The underlying connection was closed: An unexpected error occurred on a send.))

These are the steps to change the cipher list, replacing *** with one of the cipher lists mentioned above:

  1. Connect to the host via SSH. For more information, see Using ESXi Shell in ESXi 5.0 and 5.1 (2004746).
  2. Navigate to the directory:
    /etc/vmware/rhttpproxy/
  3. Back up the config.xml file. Do not skip this step.
  4. Open the config.xml file using the vi editor. For more information, see Editing files on an ESX host using vi or nano (1020302).
  5. Add the <cipherList>***</cipherList> parameter inside the <ssl>...</ssl> section of the configuration file. Use the model below as an example:
    <config>
    ...
    <vmacore>
    ...
    <ssl>
    <doVersionCheck> false </doVersionCheck>
    <useCompression>true</useCompression>
    <libraryPath>/lib/</libraryPath>
    <handshakeTimeoutMs>120000</handshakeTimeoutMs>
    <cipherList>***</cipherList>
    </ssl>
    ...
    </vmacore>
    ...
    </config>
  6. Save and close the config.xml file
  7. Reset the rhttpproxy service for the change to take effect by running the command:
    /etc/init.d/rhttpproxy restart
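
Steps 2 to 6 above can also be scripted so the edit is repeatable. The following is an added example, not part of the original post or of VMware's instructions: `set_cipher_list` and `get_cipher_list` are hypothetical helper names, and it assumes `sed` and `awk` are available in the shell and that `<ssl>` and `</ssl>` each sit on their own line, as in the model.

```sh
#!/bin/sh
# Added example; set_cipher_list and get_cipher_list are hypothetical helper names.
# Assumes <ssl> and </ssl> each sit on their own line, as in the model above.

# Print the cipher list currently configured in the given config.xml (if any).
get_cipher_list() {
    sed -n 's|.*<cipherList>\(.*\)</cipherList>.*|\1|p' "$1"
}

# set_cipher_list FILE LIST: back up FILE once, then insert or replace <cipherList>.
set_cipher_list() {
    cfg=$1
    ciphers=$2
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # The post calls ALL far too wide to be secure, so reject it as a list entry.
    case ":$ciphers:" in
        *:ALL:*) echo "refusing cipher list containing ALL" >&2; return 2 ;;
    esac
    grep -q '<ssl>' "$cfg" || { echo "no <ssl> section in $cfg" >&2; return 3; }
    # Step 3: keep the first pristine copy; never overwrite it on later runs.
    [ -f "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak" || return 1
    tmp="$cfg.tmp.$$"
    awk -v list="$ciphers" '
        /<ssl>/ { in_ssl = 1 }
        in_ssl && /<cipherList>/ { next }   # drop an existing entry (idempotent)
        in_ssl && /<\/ssl>/ {
            indent = $0; sub(/<\/ssl>.*/, "", indent)
            print indent "<cipherList>" list "</cipherList>"
            in_ssl = 0
        }
        { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Usage on the host (paths and restart command as given in the steps above):
#   set_cipher_list /etc/vmware/rhttpproxy/config.xml 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
#   get_cipher_list /etc/vmware/rhttpproxy/config.xml
#   /etc/init.d/rhttpproxy restart
```

Running `get_cipher_list` after the edit and before the restart confirms that exactly the intended list is in place.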

–jeroen

Posted in ESXi5, ESXi5.1, ESXi5.5, ESXi6, Power User, Virtualization, VMware, VMware ESXi

ESXi Embedded Host Client – VMware Labs

Posted by jpluimers on 2015/08/14

Interesting: ESXi Embedded Host Client – VMware Labs.

Posted in ESXi5, ESXi5.1, ESXi5.5, ESXi6, Power User, Virtualization, VMware, VMware ESXi

Start URL for searching my own posts and comments – via: Ronnie Bincer.

Posted by jpluimers on 2015/08/14

Thanks to Ronnie Bincer, here is my start URL for finding posts and comments I made:

Note that

  • since my account is named and does not have an ID any more, I had to twiddle that URL a bit
  • https://plus.google.com/100853746448364695376 is a throwaway account for a place that plays HTTPS man-in-the-middle on everyone using their network.

–jeroen

via: How to Easily Find Your Google+ Comments….

Posted in G+: GooglePlus, Google, Power User, SocialMedia
