TLS Configuration Options For Site Recovery Manager 6.1.1 and later (2145910)

Details

TLS 1.0, 1.1, and 1.2 are all enabled by default in Site Recovery Manager 6.1.1 and later. Individual protocol versions can be disabled manually in Site Recovery Manager and in vCenter Server.

Note: vCenter Server and Site Recovery Manager must be configured to support the same TLS versions; if they have no version in common, the two cannot connect.

Solution

To disable a TLS protocol in Site Recovery Manager:
  1. On the Site Recovery Manager server navigate to C:\Program Files\VMware\VMware vCenter Site Recovery Manager\config.
  2. Create a backup of the vmware-dr.xml file.
  3. Open the vmware-dr.xml file in a plain text editor.
  4. In the <vmacore> section, under <ssl>, add the option <sslOptions>N</sslOptions>, where N is the decimal value of the SSL/TLS option bitmask.

    To determine the decimal value of the SSL/TLS configuration:
    1. Bitwise OR (logical disjunction) the hexadecimal values of SSL_OP_NO_COMPRESSION, SSL_OP_NO_TICKET, and the SSL_OP_NO_* flag of every protocol version to disable.
    2. Convert the resulting hexadecimal value to decimal. The value of each protocol flag and SSL/TLS option is listed in the table below.

      For example, to disable TLSv1.0, SSLv3, SSLv2, SSL/TLS compression, and SSL/TLS session tickets, you can use the following XML code block.

      <vmacore>
      ...
          <ssl>
              <sslOptions>117587968</sslOptions>
          </ssl>
      </vmacore>


  5. Restart the Site Recovery Manager service so that the new value takes effect.
  6. Repeat steps 1 to 5 on the paired Site Recovery Manager site, using the same value, so that both sites accept the same protocol versions.

SSL/TLS option (OpenSSL flag)   Hexadecimal Value   Decimal Value
SSL_OP_NO_SSLv2                 0x01000000          16777216
SSL_OP_NO_SSLv3                 0x02000000          33554432
SSL_OP_NO_TLSv1                 0x04000000          67108864
SSL_OP_NO_TLSv1_1               0x10000000          268435456
SSL_OP_NO_TLSv1_2               0x08000000          134217728
SSL_OP_NO_COMPRESSION           0x00020000          131072
SSL_OP_NO_TICKET                0x00004000          16384


Note: Always include the values of SSL_OP_NO_COMPRESSION and SSL_OP_NO_TICKET when calculating the SSL/TLS configuration value, so that SSL/TLS compression and session tickets stay disabled. Site Recovery Manager does not support SSL/TLS compression or SSL/TLS session tickets.

For example, to disable SSLv2, SSLv3, and TLSv1.0, you can use:
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TICKET = 0x01000000 | 0x02000000 | 0x04000000 | 0x00020000 | 0x00004000 = 0x07024000

Convert 0x07024000 to its decimal value (117587968) and use that as the <sslOptions> value.

To re-enable a protocol, recalculate the SSL/TLS configuration value from SSL_OP_NO_COMPRESSION, SSL_OP_NO_TICKET, and only the protocols that must remain disabled. For example, to re-enable TLSv1.0 while keeping SSLv2 and SSLv3 disabled:

SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TICKET = 0x01000000 | 0x02000000 | 0x00020000 | 0x00004000 = 0x03024000, which is 50479104 in decimal.
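The calculation above is easy to get wrong by hand (a dropped digit turns 117587968 into a value that silently leaves everything enabled), so the following added example computes the <sslOptions> bitmask from a list of protocol names, always ORs in the two mandatory bits, decodes an existing value back into the protocols it still permits, writes the option into a vmware-dr.xml document, and checks that two paired sites carry the same protocol set. This is illustrative code written for this article, not VMware's own tooling; the flag values are the OpenSSL SSL_OP_* constants from the table, and the sample XML is a constructed stand-in that only mimics the <vmacore><ssl> layout the procedure describes, not a real vmware-dr.xml.

```python
import xml.etree.ElementTree as ET

# OpenSSL SSL_OP_* bit values, as listed in the table above.
SSL_OPTS = {
    "SSL_OP_NO_SSLv2": 0x01000000,
    "SSL_OP_NO_SSLv3": 0x02000000,
    "SSL_OP_NO_TLSv1": 0x04000000,
    "SSL_OP_NO_TLSv1_1": 0x10000000,
    "SSL_OP_NO_TLSv1_2": 0x08000000,
    "SSL_OP_NO_COMPRESSION": 0x00020000,
    "SSL_OP_NO_TICKET": 0x00004000,
}

# Protocol version -> the flag that disables it.
PROTOCOL_FLAGS = {
    "SSLv2": "SSL_OP_NO_SSLv2",
    "SSLv3": "SSL_OP_NO_SSLv3",
    "TLSv1.0": "SSL_OP_NO_TLSv1",
    "TLSv1.1": "SSL_OP_NO_TLSv1_1",
    "TLSv1.2": "SSL_OP_NO_TLSv1_2",
}
ALL_PROTOCOLS = frozenset(PROTOCOL_FLAGS)

# SRM does not support compression or session tickets: these bits are always set.
MANDATORY = SSL_OPTS["SSL_OP_NO_COMPRESSION"] | SSL_OPTS["SSL_OP_NO_TICKET"]


def ssl_options(disable):
    """Bitwise-OR the flags of the protocols to disable onto the mandatory bits.

    Rejects unknown names and refuses to disable every version, which would
    leave the service unable to negotiate any connection at all."""
    disable = set(disable)
    unknown = disable - ALL_PROTOCOLS
    if unknown:
        raise ValueError("unknown protocol(s): %s" % sorted(unknown))
    if disable == ALL_PROTOCOLS:
        raise ValueError("refusing to disable every SSL/TLS version")
    value = MANDATORY
    for proto in disable:
        value |= SSL_OPTS[PROTOCOL_FLAGS[proto]]
    return value


def decode_options(value):
    """Split an sslOptions integer into (protocols still enabled, flag names set)."""
    flags = {name for name, bit in SSL_OPTS.items() if value & bit}
    enabled = {proto for proto, flag in PROTOCOL_FLAGS.items() if flag not in flags}
    return enabled, flags


def _vmacore(root):
    """Locate the <vmacore> element whether it is the root or nested in it."""
    node = root if root.tag == "vmacore" else root.find(".//vmacore")
    if node is None:
        raise ValueError("no <vmacore> section found")
    return node


def set_ssl_options(xml_text, value):
    """Return xml_text with <vmacore><ssl><sslOptions> set to value; missing nodes are created."""
    root = ET.fromstring(xml_text)
    vmacore = _vmacore(root)
    ssl = vmacore.find("ssl")
    if ssl is None:
        ssl = ET.SubElement(vmacore, "ssl")
    opt = ssl.find("sslOptions")
    if opt is None:
        opt = ET.SubElement(ssl, "sslOptions")
    opt.text = str(int(value))
    return ET.tostring(root, encoding="unicode")


def read_ssl_options(xml_text):
    """Current sslOptions value, or 0 (every protocol enabled) when the option is absent."""
    opt = _vmacore(ET.fromstring(xml_text)).find("ssl/sslOptions")
    return int(opt.text) if opt is not None and opt.text else 0


def sites_agree(xml_site_a, xml_site_b):
    """Paired SRM sites must leave the same protocol versions enabled."""
    enabled_a = decode_options(read_ssl_options(xml_site_a))[0]
    enabled_b = decode_options(read_ssl_options(xml_site_b))[0]
    return enabled_a == enabled_b


# Constructed stand-in for the <vmacore> part of vmware-dr.xml; not a real file.
SAMPLE_XML = "<config><vmacore><ssl/></vmacore></config>"

if __name__ == "__main__":
    value = ssl_options(["SSLv2", "SSLv3", "TLSv1.0"])
    print("sslOptions = %d (0x%08X)" % (value, value))
    print(set_ssl_options(SAMPLE_XML, value))
    print("still enabled:", sorted(decode_options(value)[0]))
```

ElementTree rewrites the document without its comments and indentation, so on a production server it is safer to use ssl_options() only to compute the number and paste it into the file by hand, or to run set_ssl_options() against the backup copy from step 2 and diff the result. After the service restart, confirm the setting from another host with openssl s_client against the Site Recovery Manager listener: a handshake forced to a disabled version (for example with -tls1) must fail, and one using a version that is still enabled must succeed.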

