vSphere Client and vSphere PowerCLI may fail to connect to vCenter Server 5.0, 5.1 and 5.5 due to a Handshake failure
search cancel

vSphere Client and vSphere PowerCLI may fail to connect to vCenter Server 5.0, 5.1 and 5.5 due to a Handshake failure

book

Article ID: 344740

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

When installed on a Windows XP or Windows Server 2003 host machine, the vSphere Client and vSphere PowerCLI may fail to connect to vCenter Server 5.0, 5.1 and 5.5 due to a Handshake failure. vSphere 5.0, 5.1 and 5.5 uses the Open SSL library, which, for security, is configured by default to accept only connections that use strong cipher suites. On Windows XP or Windows Server 2003, the vSphere Client and vSphere PowerCLI do not use strong cipher suites to connect with vCenter Server. This results in the error No matching cipher suite on the server side, and a Handshake failure on the vSphere Client or vSphere PowerCLI side.

Environment

VMware vSphere ESXi 5.0
VMware vCenter Server 5.1.x
VMware vCenter Server 5.5.x
VMware vSphere ESXi 5.1
VMware vSphere ESXi 5.5
VMware vCenter Server 5.0.x
VMware vCenter Server Appliance 5.1.x

Resolution

To work around this issue:

Note: Windows XP and Server 2003 has reached end of support and new hotfixes will not be available. For more information, see Windows Support Has Ended.

For Windows Server 2003, 64-bit Windows XP, or 32-bit Windows XP, perform one of these options:
  • Before installing the vSphere Client or vSphere PowerCLI, upgrade the Windows operating system on the host machine to Windows Vista or later.
  • On the vCenter Server 5.1 and 5.5 host machine, modify the vpxd.cfg to reduce the implied security by allowing the server to communicate using weak cipher suites:
For Windows-based vCenter Server
  1. Connect to the vCenter Server using RDP.
  2. Navigate to the directory:

    C:\ProgramData\VMware\VMware VirtualCenter\
     
  3. Backup the vpxd.cfg file. Do not skip this step.
  4. Open the vpxd.cfg file in a text editor
  5. Add the <cipherList>ALL</cipherList> parameter between the <ssl>...</ssl> section of the configuration file, for example:

    <config>
    ...
    <vmacore>
    ...
    <ssl>
    ...
    <cipherList>ALL</cipherList>
    ...
    </ssl>
    ...
    </vmacore>
    ...
    </config>
     
  6. Save and close the vpxd.cfg file.
  7. Restart the vCenter Server service for the setting to take affect. For more information, see Stopping, starting, or restarting vCenter services (1003895).
For the vCenter Server Appliance
  1. Connect to the vCenter Server Appliance via SSH. For more information, see Enable or Disable SSH Administrator Login on the VMware vCenter Server Appliance in the vCenter Server and Host Management Guide.
  2. Navigate to the directory:

    /etc/vmware-vpx/
     
  3. Backup the vpxd.cfg file. Do not skip this step.
  4. Open vpxd.cfg file in a plan text editor
  5. Add the <cipherList>ALL</cipherList> parameter between the <ssl>...</ssl> section of the configuration file, For example:

    <config>
    ...
    <vmacore>
    ...
    <ssl>
    ...
    <cipherList>ALL</cipherList>
    ...
    </ssl>
    ...
    </vmacore>
    ...
    </config>
     
  6. Save and close the vpxd.cfg file.
  7. Restart the vCenter Server service for the change to take effect. For more information, see Stopping, starting, or restarting vCenter Server Appliance services (2054085).
     
On the ESXi 5.1 and 5.5 host, modify the rhttpproxy service to reduce the implied security by allowing the host to communicate using weak cipher suites:

For ESXi 5.1 and 5.5
  1. Connect to the host via SSH. For more information, see Using ESXi Shell in ESXi 5.0 and 5.1 (2004746).
  2. Navigate to the directory:

    /etc/vmware/rhttpproxy/
     
  3. Backup the config.xml file. Do not skip this step.
  4. Open config.xml file using vi editor. For more information, see Editing files on an ESX host using vi or nano (1020302).
  5. Add the <cipherList>ALL</cipherList> parameter between the <ssl>...</ssl> section of the configuration file. Use the model below as an example:

    <config>
    ...
    <vmacore>
    ...
    <ssl>
    <doVersionCheck> false </doVersionCheck>
    <useCompression>true</useCompression>
    <libraryPath>/lib/</libraryPath>
    <handshakeTimeoutMs>120000</handshakeTimeoutMs>
    <cipherList>ALL</cipherList>
    </ssl>
    ...
    </vmacore>
    ...
    </config>
     
  6. Save and close the config.xml file
  7. Reset the rhttpproxy service for the change to take effect by running the command:

    /etc/init.d/rhttpproxy restart

Additional Information

For translated versions of this article, see:
Powered by Wolken Software