
Managing the List of SSL Protocols Allowed by vCloud Director (2112282)


Symptoms

The SSL V3 protocol has a serious vulnerability, described in CVE-2014-3566 (POODLE). As of vCloud Director 5.5.3, cells no longer enable SSL V3 by default for internal and external HTTPS connections. The vCloud Director cell management tool has been updated with a new ssl-protocols subcommand, available as of vCloud Director 5.5.3, that enables the system administrator to configure the set of SSL protocols that the cell offers to use during the SSL handshake.

Resolution

This is a known issue affecting VMware vCloud Director 5.5.x.

Currently, there is no resolution.

To work around this issue, use the ssl-protocols command of the cell management tool to configure the set of SSL protocols that the cell offers to use during the SSL handshake process. When a client makes an SSL connection to a vCloud Director cell, the cell offers to use only those protocols that are configured on its list of allowed SSL protocols. As of vCloud Director 5.5.3, several protocols, including SSLv3 and SSLv2Hello, are not on the default list because they are known to have serious security vulnerabilities. To manage the list of allowed SSL protocols, use a command line with this form:

    cell-management-tool ssl-protocols options
 
Cell Management Tool Options and Arguments, ssl-protocols Subcommand

    Option              Argument                                     Description
    --help (-h)         None                                         Provides a summary of available commands in this category.
    --all-allowed (-a)  None                                         Lists all SSL protocols that vCloud Director is able to support.
    --disallow (-d)     Comma-separated list of SSL protocol names   Reconfigures the list of disallowed SSL protocols to exactly the ones specified in the list. The new list replaces the current one; it is not merged with it.
    --list (-l)         None                                         Lists the set of allowed SSL protocols that vCloud Director is currently configured to support.
    --reset (-r)        None                                         Resets the list of configured SSL protocols to the factory default.

 


Important: You must restart the cell after running ssl-protocols --disallow or ssl-protocols --reset for the change to take effect.

 

Example: List Allowed and Configured SSL Protocols

Use the --all-allowed (-a) option to list all the SSL protocols that the cell can be allowed to offer during an SSL handshake.

    [root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ssl-protocols -a
    Product default SSL protocols:
    TLSv1.2
    TLSv1.1
    TLSv1
    SSLv3
    SSLv2Hello

This list is typically a superset of the SSL protocols that the cell is configured to support. To list those SSL protocols, use the --list (-l) option.

    [root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ssl-protocols -l
    Allowed SSL protocols:
    TLSv1.2
    TLSv1.1
    TLSv1

Example: Reconfigure the List of Disallowed SSL Protocols

Use the --disallow (-d) option to reconfigure the list of disallowed SSL protocols. This option requires a comma-separated list drawn from the protocols produced by ssl-protocols -a. The list you supply replaces the currently configured disallowed list rather than adding to it, so every protocol you want to keep disabled must appear in it. This example removes TLSv1 from the list of allowed SSL protocols while keeping SSLv3 and SSLv2Hello disabled:

    [root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ssl-protocols -d TLSv1,SSLv3,SSLv2Hello

You must restart the cell after running this command. After the restart, run ssl-protocols -l to confirm that only TLSv1.2 and TLSv1.1 remain on the allowed list.
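The following script is an added example and is not VMware's code or part of this article. It works on captured output of the ssl-protocols -a and -l commands (the two sample outputs inside it are constructed from the example above) and shows the two things an administrator usually wants around this procedure: building the -d argument so that exactly the intended protocols stay allowed, which matters because --disallow replaces the whole disallowed list, and checking the post-restart -l output for protocols that should no longer be offered. It assumes the tool prints protocol names one per line (or space-separated) after a header ending in a colon, and it treats SSLv2Hello, SSLv3 and TLSv1 as the unwanted set, which is an assumption taken from the example's own -d argument.

```shell
#!/bin/sh
# Added example (not VMware's code). Helpers for working with the
# cell-management-tool ssl-protocols subcommand:
#   1. compute the argument for "ssl-protocols -d" so that exactly the
#      protocols you want remain allowed (--disallow REPLACES the whole
#      disallowed list, so every unwanted protocol must be named), and
#   2. check "ssl-protocols -l" output after the restart for protocols
#      that should no longer be offered.
#
# The two sample outputs below are constructed from the KB example. The
# parser assumes protocol names follow a "...protocols:" header, one per
# line or space-separated.

ALL_ALLOWED_OUTPUT='Product default SSL protocols:
TLSv1.2
TLSv1.1
TLSv1
SSLv3
SSLv2Hello'

# What "ssl-protocols -l" is expected to print after
# "ssl-protocols -d TLSv1,SSLv3,SSLv2Hello" and a cell restart (constructed).
HARDENED_LIST_OUTPUT='Allowed SSL protocols:
TLSv1.2
TLSv1.1'

# Protocols this check treats as unacceptable (assumption for the example:
# the two the KB names plus TLSv1, which the KB example also removes).
WEAK_PROTOCOLS='SSLv2Hello SSLv3 TLSv1'

# Print protocol names from tool output, one per line: drop header text up
# to the first colon on each line, then split the remainder on whitespace.
parse_protocols() {
    printf '%s\n' "$1" | sed 's/^[^:]*://' | tr -s ' \t\r\n' '\n' | grep -v '^$'
}

# disallow_arg ALL_OUTPUT KEEP
#   ALL_OUTPUT: text printed by "ssl-protocols -a"
#   KEEP:       comma-separated protocols that must stay allowed
# Prints the comma-separated value for "ssl-protocols -d", preserving the
# tool's own ordering; prints an empty line if everything is kept.
disallow_arg() {
    all="$1"
    keep=",$2,"
    out=""
    for p in $(parse_protocols "$all"); do
        case "$keep" in
            *",$p,"*) ;;                     # wanted: leave allowed
            *) out="${out:+$out,}$p" ;;      # unwanted: add to disallow list
        esac
    done
    printf '%s\n' "$out"
}

# has_weak_protocol LIST_OUTPUT
#   Returns 0 (true) if "ssl-protocols -l" output still contains any
#   protocol in WEAK_PROTOCOLS, 1 otherwise. Run it on the output taken
#   after the cell restart, not before.
has_weak_protocol() {
    for p in $(parse_protocols "$1"); do
        for w in $WEAK_PROTOCOLS; do
            if [ "$p" = "$w" ]; then
                return 0
            fi
        done
    done
    return 1
}

# Stand-alone run: reproduce the KB example and check the post-restart list.
arg=$(disallow_arg "$ALL_ALLOWED_OUTPUT" "TLSv1.2,TLSv1.1")
echo "cell-management-tool ssl-protocols -d $arg"
if has_weak_protocol "$HARDENED_LIST_OUTPUT"; then
    echo "WARNING: a weak protocol is still on the allowed list"
else
    echo "OK: no weak protocol on the allowed list"
fi
```

For the constructed input above, disallow_arg prints TLSv1,SSLv3,SSLv2Hello, the same argument the article's example uses. As an independent check from another host, an OpenSSL build that still includes the legacy protocol options can attempt a handshake with openssl s_client -connect <cell>:443 -ssl3 (and -tls1 once TLSv1 is removed); after the restart these handshakes should fail, while -tls1_2 should still succeed.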

 
