How to manage SSL and TLS Protocols for ESXi SFCB Daemon (2151279)


Symptoms

SSL vulnerability scan tools report SSL protocols on TCP port 5989 that the operator does not consider safe. Alternatively, the operator finds that their management software cannot connect to sfcb. Errors from sfcbd in /var/log/syslog show messages from the syslog identity "sfcb-CIMXML-Processor" such as:


sfcb-CIMXML-Processor : Error accepting SSL connection
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
sfcb-CIMXML-Processor SSL Error 1: Code 336027900, String: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Purpose

ESXi provides Web-Based Enterprise Management (WBEM) services. The sfcbd process provides the DMTF standard CIM-XML management protocol API for third-party applications. sfcbd opens a configurable TCP port to the network; the default port number is 5989.

Port 5989 is protected with Secure Sockets Layer (SSL) security. SSL comprises a number of different protocols and ciphers that provide encrypted communication. The protocols SFCB supports in 6.0.x and 6.5.x are sslv3, tls1, tls1.1 and tls1.2. From time to time an SSL protocol is found to be weak and is judged to no longer provide acceptable security.
Alternatively, third-party applications that have not been updated fail to connect because of the configured SSL protocols.


Cause

When two applications connect over SSL, they must negotiate which SSL protocol and ciphers they will use.

SFCBD has built-in defaults. For 6.0 and 6.5 it supports TLS1, TLS1.1 and TLS1.2. Each of these protocols can be configured on or off. Doing so may limit which client applications can connect successfully: a client must support at least one of the protocols that SFCBD on ESXi offers.

Resolution

The ESXi configuration file /etc/sfcb/sfcb.cfg can contain the following configuration tokens, each of which can be set to true or false. If no entries are present, these are the defaults built into 6.0U3 and 6.5.x:

enableSSLv3: false
enableTLSv1: true
enableTLSv1_1: true
enableTLSv1_2: true


Once these entries are inserted into /etc/sfcb/sfcb.cfg and wbem services are restarted, the new configuration will take effect. For more information, see How to disable the CIM agent on the ESX/ESXi host (1025757).

Example configuration: Small Footprint CIM Broker Daemon (SFCBD), port 5989, on 6.0U3

To configure TLS protocols:
  1. Log in to ESXi using an SSH session and root credentials.
  2. Run this command to stop the sfcbd service and edit the config file using the vi editor:

    /etc/init.d/sfcbd-watchdog stop && vi /etc/sfcb/sfcb.cfg
       
  3. Enable or disable protocols by setting each protocol token to true or false:

    For example:

    enableTLSv1: true/false
    enableTLSv1_1: true/false
    enableTLSv1_2: true/false


  4. Save and exit the file.
  5. Restart the SFCBD service for the configuration to take effect by running this command:

    /etc/init.d/sfcbd-watchdog start

Example configuration: Small Footprint CIM Broker Daemon (SFCBD), port 5989, on 6.5

To configure TLS protocols:

  1. Log in to ESXi using an SSH session and root credentials.
  2. Run this command to disable the WBEM service and edit the sfcb.cfg file:

    esxcli system wbem set --enabled 0 && vi /etc/sfcb/sfcb.cfg

  3. Enable or disable protocols by setting each protocol token to true or false:
          
    For example:

    enableTLSv1: true/false
    enableTLSv1_1: true/false
    enableTLSv1_2: true/false


  4. Save and exit the file.
  5. Restart the SFCBD service for the configuration to take effect by running this command:

    esxcli system wbem set --enabled 1
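The two procedures above both come down to setting the enable* tokens in sfcb.cfg and restarting sfcbd. The following script is an added example, not code from the VMware KB: it sets those tokens idempotently (replacing an existing line rather than appending a duplicate) and runs against a constructed copy of the file so it can be tried off-host; the file path, sample contents and helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the VMware KB. Sets sfcb.cfg protocol tokens
# idempotently and works on a constructed copy, so it runs anywhere.

# set_sfcb_token FILE TOKEN VALUE: replace an existing "TOKEN: x" line,
# otherwise append "TOKEN: VALUE". Only true/false are accepted.
set_sfcb_token() {
  file=$1; token=$2; value=$3
  case "$value" in
    true|false) ;;
    *) echo "$token: value must be true or false" >&2; return 2 ;;
  esac
  if grep -q "^${token}:" "$file"; then
    # Rewrite via a temp file (busybox sed on ESXi also supports -i)
    sed "s/^${token}:.*/${token}: ${value}/" "$file" > "$file.tmp" &&
      mv "$file.tmp" "$file"
  else
    printf '%s: %s\n' "$token" "$value" >> "$file"
  fi
}

# get_sfcb_token FILE TOKEN: print the configured value, or "default" when
# the token is absent (sfcbd then uses its built-in default).
get_sfcb_token() {
  v=$(sed -n "s/^$2:[[:space:]]*//p" "$1" | tail -n 1)
  if [ -n "$v" ]; then echo "$v"; else echo "default"; fi
}

# Constructed sample standing in for /etc/sfcb/sfcb.cfg; on a real host use
# the path from the KB after stopping sfcbd as the procedure describes.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
httpsPort: 5989
enableTLSv1: true
EOF

# Allow TLS 1.2 only. The built-in defaults enable TLS 1.0 and 1.1, so each
# must be turned off explicitly; clients that lack TLS 1.2 will then fail to
# connect, as the Cause section notes.
set_sfcb_token "$SAMPLE_CFG" enableSSLv3   false
set_sfcb_token "$SAMPLE_CFG" enableTLSv1   false
set_sfcb_token "$SAMPLE_CFG" enableTLSv1_1 false
set_sfcb_token "$SAMPLE_CFG" enableTLSv1_2 true
cat "$SAMPLE_CFG"
```

After sfcbd is restarted, a handshake check from another machine such as `openssl s_client -connect <esxi-host>:5989 -tls1 </dev/null` should fail while the same command with `-tls1_2` succeeds, which confirms the change took effect.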

Impact/Risks

VMware does not recommend allowing SSL protocols that are considered insecure. SSLv3 was previously disabled by default in the 6.0.x release.

Operators are encouraged to update their client applications to use the SSL protocols recommended by their IT/security.

Additional Information

The TLS Reconfiguration Utility does not manage SFCB settings in 6.0 or 6.5 release.
