Does anyone know how to enable SSLv3 for vmauthd on ESXi 6.5? The old "vmware-vdiskmanager" application insists on using it for some reason, and I cannot use the one from VDDK 6.5 because it requires the SSL certificate thumbprint but offers no option to specify it from the command line.
On ESXi 6.0 it worked fine, but after upgrading to 6.5, ESXi refuses the connection (right after receiving the SSL CLIENT HELLO). In the log I can see that only tls1.2 is allowed:
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: protocol list tls1.2
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T19:51:51Z vmauthd[68626]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
Indeed, when vdiskmanager tries to establish SSL, the protocol is not recognized:
2017-02-27T20:02:37Z vmauthd[68831]: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL
2017-02-27T20:02:37Z vmauthd[68831]: Could not expand environment variable HOME.
2017-02-27T20:02:37Z vmauthd[68831]: Could not expand environment variable HOME.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "/usr/lib/vmware/config": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "~/.vmware/config": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: DictionaryLoad: Cannot open file "~/.vmware/preferences": No such file or directory.
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: OpenSSL using FIPS_drbg for RAND
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: cipher list !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
2017-02-27T20:02:37Z vmauthd[68831]: Connect from remote socket (10.5.0.3:51395).
2017-02-27T20:02:37Z vmauthd[68831]: Connect from 10.5.0.3
2017-02-27T20:02:37Z vmauthd[68831]: SSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-02-27T20:02:37Z vmauthd[68831]: recv() FAIL: 1.
2017-02-27T20:02:37Z vmauthd[68831]: VMAuthdSocketRead: read failed. Closing socket for reading.
2017-02-27T20:02:37Z vmauthd[68831]: Read failed.
I have tried several ways to change this, none of which worked:
- Adding vmauthd.ssl.noSSLv3 = "false" to /etc/vmware/config
- Setting "vmacore/ssl" in /etc/vmware/rhttpproxy/config.xml to "SSLv3,tls1.0,tls1.1,tls1.2"
- Removing "sslv3" from /UserVars/ESXiVPsDisabledProtocols
I'm going crazy; is there any other way?
Thanks
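As an added example (not part of the original post), the following Python script groups vmauthd log lines of the kind quoted above by child PID and reports each connection whose ClientHello was rejected as "unknown protocol", together with the client address and the protocol list the server had loaded; the sample log is constructed from the question's lines, and the second session (10.5.0.7, PID 68840) is an invented control case that connects without error.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the vmauthd lines quoted in the question.
# PID 68840 / 10.5.0.7 is an invented successful session used as a control.
SAMPLE_LOG = """\
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2
2017-02-27T20:02:37Z vmauthd[68831]: lib/ssl: protocol list tls1.2 (openssl flags 0x17000000)
2017-02-27T20:02:37Z vmauthd[68831]: Connect from remote socket (10.5.0.3:51395).
2017-02-27T20:02:37Z vmauthd[68831]: Connect from 10.5.0.3
2017-02-27T20:02:37Z vmauthd[68831]: SSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-02-27T20:02:37Z vmauthd[68831]: recv() FAIL: 1.
2017-02-27T20:03:10Z vmauthd[68840]: lib/ssl: protocol list tls1.2
2017-02-27T20:03:10Z vmauthd[68840]: Connect from remote socket (10.5.0.7:40211).
2017-02-27T20:03:10Z vmauthd[68840]: Connect from 10.5.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vmauthd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PROTO_RE = re.compile(r"lib/ssl: protocol list (?P<protos>\S+)")
CONNECT_RE = re.compile(r"Connect from remote socket \((?P<ip>[\d.]+):(?P<port>\d+)\)")
HELLO_ERR_RE = re.compile(r"SSL Error: .*SSL23_GET_CLIENT_HELLO:unknown protocol")


def find_legacy_handshake_failures(log_text):
    """Return one record per vmauthd child whose ClientHello was rejected as
    'unknown protocol', i.e. a client that offered a protocol older than the
    server's configured list (SSLv3 here). Each vmauthd child handles one
    connection, so grouping by PID ties the error to its source address."""
    sessions = defaultdict(lambda: {"protocols": None, "client": None, "ts": None, "error": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a vmauthd line; ignore
        s = sessions[m.group("pid")]
        msg = m.group("msg")
        p = PROTO_RE.search(msg)
        c = CONNECT_RE.search(msg)
        if p:
            s["protocols"] = p.group("protos").split(",")  # e.g. ['tls1.2']
        elif c:
            s["client"] = "%s:%s" % (c.group("ip"), c.group("port"))
        elif HELLO_ERR_RE.search(msg):
            s["error"], s["ts"] = True, m.group("ts")
    return [{"pid": pid, "timestamp": s["ts"], "client": s["client"],
             "server_protocols": s["protocols"]}
            for pid, s in sessions.items() if s["error"]]


if __name__ == "__main__":
    for rec in find_legacy_handshake_failures(SAMPLE_LOG):
        print("legacy client rejected:", rec)
```

Run against /var/log/vmauthd.log on the host, the report tells you which clients still speak a pre-TLS-1.2 protocol, so they can be upgraded instead of re-enabling SSLv3 on the server.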
Answer 1
Are you talking about this:
TLS backward compatibility with vSphere 5.5U3. If a vSphere 6.5 customer sets TLS v1.2 authentication as mandatory, backups on ESXi 5.5U3 and earlier hosts fail with an "SSL exception" error. The fix is to upgrade those ESXi hosts to 5.5U3e or later. The workaround is to modify one of two configuration files on the VDDK proxy. The /etc/vmware/config or CommonAppDataFolder\config.ini file sets the whole proxy, while $USER/.vmware/config or %USERNAME%\AppData\config.ini sets only one user. Add the following line to the appropriate file: tls.protocols=tls1.0,tls1.1,tls1.2