The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My work

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,312 other followers

ESXi: specifying the ciphers used to serve the vSphere Client

Posted by jpluimers on 2015/08/14

You can specify the ESXi ciphers used to serve the vSphere Client. You can do this both ways: either extend them (make it less secure, but more compatible, for instance to server vSphere Client on Windows Server 2003 / Windows XP), or restrict them to make it more secure.

VMware recommends the cipherList ALL to make it more compatible: VMware KB: vSphere Client and vSphere PowerCLI may fail to connect to vCenter Server 5.0, 5.1 and 5.5 due to a Handshake failure.

However, ALL  is far too wide to be secure. Since cipherList uses the standard cipher list format documented at ciphers – SSL cipher display and cipher list tool.

You can use the cipher lists from Strong SSL Security on nginx – Raymii.org:

  • Strong:
    • EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  • Compatible:
    • EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

When you run the vSphere Client on Windows Server 2003 / Windows XP, as of VMware ESXi 5.1 update 2 you will get this error message with the default cipher list:

An unknown connection error occurred. (The client could not send a complete request to the server. (The underlying connection was closed: An unexpected error occurred on a send.))

These are the steps to change the cipher list replacing *** with one of the cipher lists mentioned above:

  1. Connect to the host via SSH. For more information, see Using ESXi Shell in ESXi 5.0 and 5.1 (2004746).
  2. Navigate to the directory:
    /etc/vmware/rhttpproxy/
  3. Backup the config.xml file. Do not skip this step.
  4. Open config.xml file using vi editor. For more information, see Editing files on an ESX host using vi or nano (1020302).
  5. Add the <cipherList>***</cipherList> parameter between the <ssl>...</ssl> section of the configuration file. Use the model below as an example:
    <config>
    ...
    <vmacore>
    ...
    <ssl>
    <doVersionCheck> false </doVersionCheck>
    <useCompression>true</useCompression>
    <libraryPath>/lib/</libraryPath>
    <handshakeTimeoutMs>120000</handshakeTimeoutMs>
    <cipherList>***</cipherList>
    </ssl>
    ...
    </vmacore>
    ...
    </config>
  6. Save and close the config.xml file
  7. Reset the rhttpproxy service for the change to take effect by running the command:
    /etc/init.d/rhttpproxy restart

–jeroen

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: