The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


ESXi: specifying the ciphers used to serve the vSphere Client

Posted by jpluimers on 2015/08/14

You can specify the ciphers ESXi uses to serve the vSphere Client. This works both ways: either widen the list (less secure, but more compatible, for instance to serve the vSphere Client on Windows Server 2003 / Windows XP), or narrow it to make the host more secure.

To restore compatibility, VMware recommends the cipherList value ALL in VMware KB: vSphere Client and vSphere PowerCLI may fail to connect to vCenter Server 5.0, 5.1 and 5.5 due to a Handshake failure.

However, ALL is far too wide to be secure: in OpenSSL it selects every cipher suite except the eNULL ones, so it brings back anonymous, export-grade, DES, RC4 and MD5 suites as well. Since cipherList uses the standard OpenSSL cipher list format (documented at ciphers – SSL cipher display and cipher list tool), you can instead use the cipher lists from Strong SSL Security on nginx – Raymii.org:

  • Strong:
    • EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  • Compatible:
    • EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

The Strong list only allows forward-secret (EECDH/EDH) AES suites. The Compatible list keeps plain RSA key exchange and 3DES suites (AES256-SHA, DES-CBC3-SHA and friends) at the end for old clients, while the trailing !aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 still shuts out the anonymous, export-grade, single-DES, MD5 and RC4 suites that ALL would enable.

When you run the vSphere Client on Windows Server 2003 / Windows XP, as of VMware ESXi 5.1 update 2 you will get this error message with the default cipher list:

An unknown connection error occurred. (The client could not send a complete request to the server. (The underlying connection was closed: An unexpected error occurred on a send.))

These are the steps to change the cipher list (replace *** with one of the cipher lists above):

  1. Connect to the host via SSH. For more information, see Using ESXi Shell in ESXi 5.0 and 5.1 (2004746).
  2. Navigate to the directory:
    /etc/vmware/rhttpproxy/
  3. Backup the config.xml file. Do not skip this step.
  4. Open config.xml file using vi editor. For more information, see Editing files on an ESX host using vi or nano (1020302).
  5. Add the <cipherList>***</cipherList> parameter inside the <ssl>...</ssl> section under <vmacore>. Use the model below as an example:
    <config>
    ...
      <vmacore>
      ...
        <ssl>
          <doVersionCheck> false </doVersionCheck>
          <useCompression>true</useCompression>
          <libraryPath>/lib/</libraryPath>
          <handshakeTimeoutMs>120000</handshakeTimeoutMs>
          <cipherList>***</cipherList>
        </ssl>
      ...
      </vmacore>
    ...
    </config>
  6. Save and close the config.xml file
  7. Restart the rhttpproxy service for the change to take effect by running the command:
    /etc/init.d/rhttpproxy restart
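Steps 3 to 7 as a script, added here as an example (this is not code from the original post or from VMware). It assumes the config.xml layout shown above (the <ssl> section nested in <vmacore>), that the ESXi shell provides sh, awk and cp (busybox), and that the openssl binary on the host can be used for the checks; the script file name cipherlist.sh is hypothetical.

```sh
#!/bin/sh
# Added example, not code from the original post or from VMware: the
# procedure above as two shell functions for the ESXi shell (busybox sh/awk).
# Assumptions: config.xml has the <config><vmacore><ssl>...</ssl></vmacore></config>
# layout shown above, and the host's openssl binary is available for the checks.
#
# Usage on the host (after step 1, connect via SSH):
#   . ./cipherlist.sh      # hypothetical file name for this script
#   set_cipher_list /etc/vmware/rhttpproxy/config.xml 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
#   openssl ciphers -v "$(get_cipher_list /etc/vmware/rhttpproxy/config.xml)"
#   /etc/init.d/rhttpproxy restart

# Steps 3, 5 and 6: keep a pristine copy, then add (or replace) <cipherList>
# in the <ssl> section under <vmacore>. Returns non-zero and leaves the file
# untouched if that section cannot be found.
set_cipher_list() {
    config="$1"
    ciphers="$2"
    # The .orig copy is written once and never overwritten, so a rollback is:
    #   cat "$config.orig" > "$config" && /etc/init.d/rhttpproxy restart
    [ -e "$config.orig" ] || cp -p "$config" "$config.orig" || return 1
    awk -v ciphers="$ciphers" '
        /<vmacore>/   { in_vmacore = 1 }
        /<\/vmacore>/ { in_vmacore = 0 }
        in_vmacore && /<ssl>/ { in_ssl = 1 }
        # drop an existing entry so the function is safe to run twice
        in_vmacore && in_ssl && /<cipherList>/ { next }
        in_vmacore && in_ssl && /<\/ssl>/ {
            print "      <cipherList>" ciphers "</cipherList>"
            in_ssl = 0
            replaced = 1
        }
        { print }
        END { if (!replaced) exit 1 }
    ' "$config" > "$config.tmp" || { rm -f "$config.tmp"; return 1; }
    # write in place so the file keeps its inode and permissions instead of
    # being swapped for a new one
    cat "$config.tmp" > "$config" && rm -f "$config.tmp"
}

# Read back the list that rhttpproxy will use after its restart (empty if
# no <cipherList> is configured under <vmacore><ssl>).
get_cipher_list() {
    awk '
        /<vmacore>/   { in_vmacore = 1 }
        /<\/vmacore>/ { in_vmacore = 0 }
        in_vmacore && /<ssl>/ { in_ssl = 1 }
        in_vmacore && in_ssl && /<cipherList>/ {
            sub(/.*<cipherList>/, "")
            sub(/<\/cipherList>.*/, "")
            print
            exit
        }
    ' "$1"
}
```

Run openssl ciphers -v with the configured string on the host before restarting rhttpproxy: an error or an empty result means the string names no suite the host's OpenSSL build knows, and after the restart the service would then refuse every client, the vSphere Client included, leaving the .orig copy as the way back. After the restart, check from another machine that a suite outside the list is refused and one inside it is accepted: openssl s_client -connect host:443 -cipher RC4-SHA should fail the handshake with either list above, while -cipher DHE-RSA-AES256-SHA should complete with both.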

–jeroen
