ESXi 5.5U3b and SSLv3 – Always Upgrade vCenter First


Recently VMware put out an update to ESXi (5.5U3b) which many people found to be a little disruptive. By sticking tightly to their numbering convention, they have muddied the waters on what exactly is allowed in a “minor” update. Due to security vulnerabilities in the SSLv3 protocol, VMware made the call (correctly, if you ask me) to disable it; however, they did so in a minor revision, not even a proper ‘Update’. This has left a lot of people scrambling for what to do when they run security patches in VUM or directly on their ESXi servers, only to have the hosts not come back when rebooted!! If you were unfortunate enough to have this happen to you, then you were probably very confused and a bit upset. If you would like more information on this particular issue, check out this VMware KB: kb.vmware.com/kb/2140304.


Firstly, let me state that it is VERY important to always update vCenter prior to updating ESXi hosts. VMware makes this fairly clear in the KB it publishes on upgrade sequencing for each major release. Here is the link for the 5.5 software upgrade sequence: kb.vmware.com/kb/2057795. As you can see from this KB, no matter what the upgrade, VMware suggests upgrading vCenter as a step prior to ESXi.

If you find yourself in the above unfortunate situation, don’t freak out! There are several easy ways around this issue that will let you regain control of your hosts without reverting your ESXi upgrades.

Upgrade vCenter to 5.5U3b
I know this sounds a little scary, but the easiest path forward is just to upgrade vCenter to match versions with your ESXi hosts, which removes the need for SSLv3 and bypasses the issue. You may need to re-register your ESXi hosts, as vCenter may not do it automatically after the upgrade.

Turn SSLv3 on for your ESXi hosts (per KB 2139396)
1) Open the vpxd.cfg file:

a) Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
b) vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

2) Create a backup copy of the file.

3) Edit the file to add or remove “<sslOptions>16924672</sslOptions>” (inside the <ssl> element under <vmacore>) to enable or disable SSLv3 respectively:

<vmacore>
  <cacheProperties>true</cacheProperties>
  <ssl>
    <useCompression>true</useCompression>
    <sslOptions>16924672</sslOptions>
  </ssl>
  <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
  </threadPool>
</vmacore>

4) Save the file.

5) Restart the vpxd Service.

6) To disable SSLv3, make sure the “sslOptions” is not set in the vpxd.cfg file.
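
As an added example, not from the original post or from VMware, the Python below classifies the sslOptions setting in a vpxd.cfg so the workaround can be confirmed and later found and reverted. The function name, status strings and sample files are constructed for illustration, and reading the value as an OpenSSL 1.0.x option bitmask (SSL_OP_NO_SSLv3 = 0x02000000) is an assumption the page does not state.

```python
import xml.etree.ElementTree as ET

# Assumption (not stated on the page): sslOptions is an OpenSSL 1.0.x option
# bitmask, in which SSL_OP_NO_SSLv3 is 0x02000000.
SSL_OP_NO_SSLV3 = 0x02000000

def audit_vpxd(xml_text):
    """Classify the <vmacore><ssl><sslOptions> setting in vpxd.cfg text."""
    root = ET.fromstring(xml_text)
    # Accept either a full file or just the <vmacore> fragment from step 3.
    vmacore = root if root.tag == "vmacore" else root.find(".//vmacore")
    ssl = vmacore.find("ssl") if vmacore is not None else None
    if ssl is None:
        return "not-set"
    for child in ssl:
        # XML names are case-sensitive: <ssloptions> is a different element.
        if child.tag.lower() == "ssloptions" and child.tag != "sslOptions":
            return "miscased-tag"
    node = ssl.find("sslOptions")
    if node is None or not (node.text or "").strip():
        return "not-set"            # step 6: no override, SSLv3 stays disabled
    try:
        value = int(node.text.strip())
    except ValueError:
        return "invalid-value"
    if value & SSL_OP_NO_SSLV3:
        return "set-sslv3-off"      # override present, SSLv3 bit still blocked
    return "set-sslv3-on"           # e.g. the workaround value from step 3

# Constructed sample inputs (not taken from a real vCenter).
WORKAROUND = """<config><vmacore><ssl>
  <useCompression>true</useCompression>
  <sslOptions>16924672</sslOptions>
</ssl></vmacore></config>"""
REVERTED = """<config><vmacore><ssl>
  <useCompression>true</useCompression>
</ssl></vmacore></config>"""
MISCASED = WORKAROUND.replace("sslOptions", "ssloptions")

if __name__ == "__main__":
    for name, cfg in [("workaround", WORKAROUND), ("reverted", REVERTED),
                      ("miscased", MISCASED)]:
        print(name, "->", audit_vpxd(cfg))
```

Run it against the backup copy from step 2 and the edited file; any result other than "not-set" means an sslOptions override is still in place and should be removed once vCenter has been upgraded.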

One of these options should get you up and running again without losing your mind. And always remember that the KBs for upgrade sequence and the interoperability matrix are your friends!!
