Product Announcements

SSLv3 Protocol Disabled by Default in vSphere 5.5 Update 3b

Background

Why has the SSLv3 protocol been disabled by default in vSphere 5.5 Update 3b?

Across the industry, enterprise software products and solutions are dropping use of and support for the SSLv3 protocol. The Internet Engineering Task Force (IETF) officially deprecated the SSLv3 protocol in RFC 7568 due to its obsolescence and inherent unfixability. Instead, IETF recommends the latest version of TLS.

VMware is therefore dropping support for SSLv3 on both the server side and the client side in vSphere. The release of vSphere 5.5 Update 3b from VMware disables SSLv3 by default to meet current standards and compliance.

Disabling SSLv3 by default also brings some restrictions with respect to installation, upgrading, and compatibility. This blog summarizes these limitations which are also documented in detail in the respective release notes and KB articles.

Below are some of the key aspects that you should be aware of when you upgrade to vSphere 5.5 Update 3b.

  1. Upgrade sequence: As recommended in KB#2057795 you must upgrade vCenter Server to 5.5 Update 3b first and then update the hosts to ESXi 5.5 Update 3b.

Earlier releases of vCenter Server won’t be able to manage ESXi 5.5 Update 3b. As a workaround, you can re-enable SSLv3 protocol on ESXi by following the configuration described in KB#2139396. However, VMware strongly recommends against re-enabling the SSLv3 protocol.

  1. Upgrade both vCenter Server and ESXi to 5.5 Update 3b: In order to disable SSLv3 completely in your vSphere environment, we recommend that you update both vCenter Server and ESXi to vSphere 5.5 Update 3b.
  2. View Composer earlier than version 6.2 will have connection failures with ESXi 5.5 Update 3b. Refer to KB#2121021
  3. SSLv3 can be re-enabled by the configuration described in KB#2139396. Re-enablement of SSLv3 protocol has to be consistent across all ESXi and vCenter Server services and require mandatory service restart. However, VMware strongly recommends against re- enabling the SSLv3 protocol.

Note:  Hostprofile will be able to capture SSLv3 protocol enablement configuration changes for all the services except Hostd service in ESXi