Question: Enabling SSLv3 on ESXi 6.5


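Does anyone know how to enable SSLv3 for vmauthd on ESXi 6.5? The old "vmware-vdiskmanager" application insists on using it for some reason, and I can't use the one from VDDK 6.5 because it requires an SSL certificate thumbprint but doesn't provide any option to specify it from the command line.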

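On ESXi 6.0 it worked fine, but after upgrading to 6.5, ESXi refuses the connection (right after it receives the SSL CLIENT HELLO). In the logs I can see that only tls1.2 is allowed: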

2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: protocol list tls1.2
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES

In fact, when vdiskmanager is trying to establish SSL, it fails to recognize the protocol:

2017-02-27T20:02:37Z vmauthd[68831]: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL
2017-02-27T20:02:37Z vmauthd[68831]: Could not expand environment variable HOME.
2017-02-27T20:02:37Z vmauthd[68831]: Could not expand environment variable HOME.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "/usr/lib/vmware/config": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "~/.vmware/config": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "~/.vmware/preferences": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: OpenSSL using FIPS_drbg for RAND
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
2017-02-27T20:02:37Z vmauthd[68831]: Connect from remote socket (10.5.0.3:51395).
2017-02-27T20:02:37Z vmauthd[68831]: Connect from 10.5.0.3
2017-02-27T20:02:37Z vmauthd[68831]: SSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-02-27T20:02:37Z vmauthd[68831]: recv() FAIL: 1.
2017-02-27T20:02:37Z vmauthd[68831]: VMAuthdSocketRead: read failed.  Closing socket for reading.
2017-02-27T20:02:37Z vmauthd[68831]: Read failed.

I have tried several ways to change it, without any success:

  • Adding 'vmauthd.ssl.noSSLv3 = "false"' to /etc/vmware/config
  • Setting "vmacore/ssl" in /etc/vmware/rhttpproxy/config.xml to "SSLv3,tls1.0,tls1.1,tls1.2"
  • Removing "sslv3" from /UserVars/ESXiVPsDisabledProtocols

I'm going crazy. Is there any other way?

Thanks


5
2018-02-27 20:12
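
An added example, not part of the original question and not VMware code: a Python script that correlates the vmauthd log lines quoted above by process ID, so that each rejected handshake is reported together with the client address and the protocol list the daemon had enabled. It assumes one vmauthd process per connection (as the PIDs in the excerpt suggest) and IPv4 peers; the function and variable names are chosen for illustration.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the vmauthd log excerpt in the question.
SAMPLE_LOG = """\
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: OpenSSL using FIPS_drbg for RAND
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T20:02:37Z vmauthd[68831]: Connect from remote socket (10.5.0.3:51395).
2017-02-27T20:02:37Z vmauthd[68831]: Connect from 10.5.0.3
2017-02-27T20:02:37Z vmauthd[68831]: SSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-02-27T20:02:37Z vmauthd[68831]: recv() FAIL: 1.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vmauthd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PROTO_RE = re.compile(r"^lib/ssl: protocol list (?P<protos>[^()]+?)\s*(?:\(.*\))?$")
PEER_RE = re.compile(r"^Connect from remote socket \((?P<ip>[^:)]+):(?P<port>\d+)\)")
# OpenSSL error strings end in ...:<function>:<reason>
ERR_RE = re.compile(r"^SSL Error: .*:(?P<func>[^:]+):(?P<reason>[^:]+)$")

def find_rejected_handshakes(log_text):
    """Return one record per SSL error, joined with that PID's peer and protocol list."""
    sessions = defaultdict(dict)  # pid -> state collected so far (assumption: one PID per connection)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, msg = sessions[m["pid"]], m["msg"]
        if (p := PROTO_RE.match(msg)):
            state["allowed"] = p["protos"].strip()
        elif (c := PEER_RE.match(msg)):
            state["peer"] = c["ip"]
        elif (e := ERR_RE.match(msg)):
            findings.append({
                "time": m["ts"],
                "peer": state.get("peer", "unknown"),
                "allowed": state.get("allowed", "unknown"),
                "function": e["func"],
                "reason": e["reason"],
            })
    return findings

if __name__ == "__main__":
    for f in find_rejected_handshakes(SAMPLE_LOG):
        print(f"{f['time']} client {f['peer']} rejected ({f['reason']}); server allows: {f['allowed']}")
```

Run against the host's vmauthd log after an upgrade, this lists which client addresses still attempt a handshake the server no longer accepts, which identifies the tools that need replacing.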






Answers: