...
SSL vulnerability scan tools report that TCP port 5989 offers SSL/TLS protocols the operator does not deem safe. The operator finds that their management software cannot connect to sfcb. Errors from sfcbd in /var/log/syslog appear under the syslog identity "sfcb-CIMXML-Processor", such as:

sfcb-CIMXML-Processor : Error accepting SSL connection
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
sfcb-CIMXML-Processor SSL Error 1: Code 336027900, String: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
ESXi provides Web-Based Enterprise Management (WBEM) services. The sfcbd process exposes the DMTF standard CIM-XML management protocol API to third-party applications. sfcbd listens on a configurable TCP port; the default port number is 5989. Port 5989 is protected with Secure Sockets Layer (SSL) security. SSL comprises a number of protocol versions and ciphers used to secure and encrypt communication. The protocols SFCB supports in 6.0.x and 6.5.x are sslv3, tls1, tls1.1 and tls1.2. From time to time an SSL protocol version is found to be weak and is judged to no longer provide acceptably secure communication. Conversely, third-party applications that have not been updated may fail to connect because of the SSL protocols configured on the host.
When two applications connect over SSL, they must negotiate which SSL protocol version and ciphers they will use. SFCBD has built-in defaults: for 6.0 and 6.5 it supports TLS1, TLS1.1 and TLS1.2. These protocols can be configured on or off, and doing so may limit which client applications can connect successfully, because a client must support at least one of the protocols that SFCBD on ESXi offers.
VMware does not recommend allowing SSL protocols that are considered insecure. SSLv3 was already disabled by default in the 6.0.x release. Operators are encouraged to update their client applications to use the SSL protocols recommended by their IT/security teams.
The ESXi configuration file /etc/sfcb/sfcb.cfg can contain the following configuration tokens, each of which can be set to true or false. If no entries are present, these are the defaults built into 6.0U3 and 6.5.x:

enableSSLv3: false
enableTLSv1: true
enableTLSv1_1: true
enableTLSv1_2: true

Once these entries are inserted into /etc/sfcb/sfcb.cfg and the wbem services are restarted, the new configuration takes effect. For more information, see How to disable the CIM agent on the ESX/ESXi host (1025757).

Example configuration: Small Footprint CIM Broker Daemon (SFCBD) - Port 5989 on 6.0U3

To configure TLS protocols:
1. Log in to ESXi with an SSH session using root credentials.
2. Run this command to stop the sfcbd service and edit the config file with the vi editor:
   /etc/init.d/sfcbd-watchdog stop && vi /etc/sfcb/sfcb.cfg
3. Enable or disable protocols by setting each token to true or false. For example:
   enableTLSv1: true/false
   enableTLSv1_1: true/false
   enableTLSv1_2: true/false
4. Save and exit the file.
5. Restart the SFCBD service for the configuration to take effect by running this command:
   /etc/init.d/sfcbd-watchdog start

Example configuration: Small Footprint CIM Broker Daemon (SFCBD) - Port 5989 on 6.5

To configure TLS protocols:
1. Log in to ESXi with an SSH session using root credentials.
2. Run this command to disable wbem and edit the sfcb.cfg file:
   esxcli system wbem set --enable 0 && vi /etc/sfcb/sfcb.cfg
3. Enable or disable protocols by setting each token to true or false. For example:
   enableTLSv1: true/false
   enableTLSv1_1: true/false
   enableTLSv1_2: true/false
4. Save and exit the file.
5. Restart the SFCBD service for the configuration to take effect by running this command:
   esxcli system wbem set --enable 1
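The following is an added example, not VMware's code or part of this article: it parses the enable* tokens from a copy of sfcb.cfg, applies the 6.0U3/6.5 built-in defaults listed above, and reports which protocols sfcbd will offer and whether a given client can still negotiate a connection. It assumes the "key: value" token syntax shown in the article and that lines starting with "#" are comments; the SAMPLE_CFG is constructed.

```python
"""Effective TLS protocol settings for sfcbd on ESXi 6.0U3 / 6.5 (added example)."""
import re

# Defaults applied when a token is absent from sfcb.cfg (6.0U3 and 6.5.x, per the article).
DEFAULTS = {
    "enableSSLv3": False,
    "enableTLSv1": True,
    "enableTLSv1_1": True,
    "enableTLSv1_2": True,
}
TOKEN_TO_PROTOCOL = {
    "enableSSLv3": "sslv3",
    "enableTLSv1": "tls1",
    "enableTLSv1_1": "tls1.1",
    "enableTLSv1_2": "tls1.2",
}
_TOKEN_LINE = re.compile(r"^\s*(enable\w+)\s*:\s*(true|false)\s*$", re.IGNORECASE)


def parse_sfcb_cfg(text):
    """Return {token: bool} for the enable* tokens present; a later entry overrides an earlier one."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # assumption: '#' introduces a comment
        m = _TOKEN_LINE.match(line)
        if m and m.group(1) in DEFAULTS:
            found[m.group(1)] = m.group(2).lower() == "true"
    return found


def effective_protocols(text):
    """Set of protocol names sfcbd will offer on port 5989: file entries override the defaults."""
    settings = {**DEFAULTS, **parse_sfcb_cfg(text)}
    return {TOKEN_TO_PROTOCOL[tok] for tok, enabled in settings.items() if enabled}


def negotiable(text, client_protocols):
    """Protocols shared by server and client. An empty set means the handshake fails,
    which is what the 'wrong version number' / 'unknown protocol' syslog errors reflect."""
    return effective_protocols(text) & set(client_protocols)


def insecure_enabled(text):
    """Protocols the article says should stay off (SSLv3) that this config would enable."""
    return sorted(effective_protocols(text) & {"sslv3"})


# Constructed sample: the operator has restricted the host to TLS 1.2 only.
SAMPLE_CFG = "enableSSLv3: false\nenableTLSv1: false\nenableTLSv1_1: false\nenableTLSv1_2: true\n"
```

Running negotiable(SAMPLE_CFG, ["tls1", "tls1.1"]) returns an empty set, reproducing the situation where an un-updated client can no longer connect after the host is hardened.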
The TLS Reconfiguration Utility does not manage SFCB settings in the 6.0 or 6.5 release.

Related information:
- [Internal] TLS protocol configuration options for vSphere 6.0
- Managing TLS protocol configuration for vSphere 6.5
- Managing TLS protocol configuration for vSphere 6.0 Update 3
- vSphere Client fails to connect to the vCenter Server or ESXi with TLSv1.0 disabled