Hello,
we received an inquiry from a customer of ours who also uses the KS Hostmonitor.
Here is the request:
------------------------------------------------------------------------
We are in the process of migrating KS Hostmonitor from Server 1 to Server 2. We found that for ESX01 and ESX02 the tests 'VM host free datastore' and 'VM host status' do not work ('no answer') - screenshots attached.
Differences:
Server 1 - Windows 2008 R2 - Local VM - KS Hostmonitor v. 9.90
Server 2 - Windows Server 2022 - Azure VM - KS Hostmonitor v. 13.46
The Windows Firewall is configured the same (off for domain) with app exception for HostMonitor
The ESX hosts are Proliant DL380 G7 with ESXi 5.5.0
We had an analysis carried out by a partner:
1. ESX hosts at SKP are version 5.5 (this is old but is the maximum version supported by the hosts)
2. HostMonitor tests for datastore and host status utilize ESX Managed Object Browser (MOB) which runs over HTTPS
3. KS HostMonitor on Server 1 uses TLSv1.0 for the connection, which is supported on the ESX hosts
4. KS HostMonitor on Server 2 uses TLSv1.2 for the connection - this is definitely not enabled on the ESX hosts and they reply with TCP RST on the TLS client hello message hence the test result is no answer.
We tried changing the TLS settings in the internet options. We also tried out the Windows Firewall. But it seems that ESXi 5.5 can't handle TLS 1.2. Is there an option in KS Hostmonitor 13.46 to use TLS 1.0? And is the TLS implementation OS based or one from KS-Soft itself?
------------------------------------------------------------------------
If I have any questions, I have to pass them on to the customer first.
Thanks in advance
VM Host Free Datastore 'No Answer' due to TLS 1.2
HostMonitor v13 enables all supported SSL, TLS options (starting from SSL 3.0) for VMWare related tests
TLS 1.0 is disabled on Windows 2022 but it's not totally removed.
On the other hand, some weak cipher suites were removed in modern Windows.
I think Windows 2022 for TLS 1.0 supports the following ciphers:
ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA
ECDHE_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_3DES_EDE_CBC_SHA
What ciphers are supported by VMWare ESXi 5.5?
AES128-SHA
DES-CBC3-SHA
cannot find more details..
VMWare ESX 6.0 is much better. The Suite B cipher suite includes: ECDHE-RSA-AES128-GCM-SHA256; ECDHE-ECDSA-AES128-GCM-SHA256; ECDHE-RSA-AES128-SHA256; ECDHE-ECDSA-AES128-SHA256; ECDHE-RSA-AES128-SHA; ECDHE-ECDSA-AES128-SHA; DHE-DSS-AES128-GCM-SHA256; DHE-RSA-AES128-GCM-SHA256; ECDH-RSA-AES128-GCM-SHA256; ECDH-ECDSA-AES128-GCM-SHA256; ECDH-RSA-AES128-SHA256; ECDH-ECDSA-AES128-SHA256; ECDH-RSA-AES128-SHA; ECDH-ECDSA-AES128-SHA; AES128-GCM-SHA256; AES128-SHA256; ECDHE-RSA-AES256-GCM-SHA384; ECDHE-ECDSA-AES256-GCM-SHA384; ECDHE-RSA-AES256-SHA384; ECDHE-ECDSA-AES256-SHA384; ECDHE-RSA-AES256-SHA; ECDHE-ECDSA-AES256-SHA; ECDH-RSA-AES256-GCM-SHA384; ECDH-ECDSA-AES256-GCM-SHA384; ECDH-RSA-AES256-SHA384; ECDH-ECDSA-AES256-SHA384; ECDH-RSA-AES256-SHA; ECDH-ECDSA-AES256-SHA; AES256-GCM-SHA384; AES256-SHA256
Could you enable TLS 1.0 using Windows Internet options?
Probably this will not help but it's easy to try. Otherwise I think you will need one of the following options:
- older Windows
- newer VMWare
- or use RMA agent installed on old Windows to perform this test
Regards
Alex
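An added example, not part of the original posts and not KS-Soft code: it takes the two cipher lists quoted in the reply above, normalizes the Windows names to OpenSSL naming, and reports whether a handshake is blocked by the protocol version or by the cipher suites. The lists are copied from the thread unverified; the TLS 1.0-only version set for ESXi 5.5 and all function names are assumptions made for illustration.

```python
import re

# Copied from the thread (unverified): suites the reply lists for Windows
# Server 2022 under TLS 1.0, and the two suites it found for ESXi 5.5.
WINDOWS_2022_TLS10 = [
    "ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA", "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA",
]
ESXI_55_SUITES = ["AES128-SHA", "DES-CBC3-SHA"]
ESXI_55_VERSIONS = {"TLSv1.0"}  # assumption: only the version the thread confirms


def iana_to_openssl(name):
    """Map an IANA-style AES/3DES suite name to its OpenSSL name."""
    if name.startswith("TLS_"):
        name = name[4:]
    kx, cipher = name.split("_WITH_")
    kx = "" if kx == "RSA" else kx.replace("_", "-") + "-"
    if cipher.startswith("3DES_EDE_CBC_"):
        return kx + "DES-CBC3-" + cipher.rsplit("_", 1)[1]
    m = re.fullmatch(r"AES_(128|256)_(CBC|GCM)_(SHA\d*)", cipher)
    if not m:
        raise ValueError("unsupported suite name: " + name)
    bits, mode, mac = m.groups()
    return kx + "AES" + bits + ("-GCM-" if mode == "GCM" else "-") + mac


def diagnose(client_versions, client_suites, server_versions, server_suites):
    """Return (verdict, shared versions, shared suites in client order)."""
    versions = sorted(set(client_versions) & set(server_versions))
    suites = [s for s in client_suites if s in server_suites]
    if not versions:
        return "no common protocol version", versions, suites
    if not suites:
        return "no common cipher suite", versions, suites
    return "handshake possible", versions, suites


def compare(client_versions):
    """Diagnose a Windows 2022 client with the given versions against ESXi 5.5."""
    client = [iana_to_openssl(s) for s in WINDOWS_2022_TLS10]
    return diagnose(client_versions, client, ESXI_55_VERSIONS, ESXI_55_SUITES)


if __name__ == "__main__":
    print(compare({"TLSv1.2"}))             # Server 2 as the partner observed it
    print(compare({"TLSv1.0", "TLSv1.2"}))  # if TLS 1.0 were actually offered
```

With the lists as quoted, the two sides share AES128-SHA and DES-CBC3-SHA, so the blocking factor in this model is the protocol version rather than the cipher suites.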
Oh, you already tried to enable TLS 1.0 manually and still TLS 1.2 is used?
"We tried changing the TLS settings in the internet options. We also tried out the Windows Firewall. But it seems that ESXi 5.5 can't handle TLS 1.2"
So this option just does not work on Windows 2022 and HostMonitor cannot enable it for the test either
Then I would suggest to use RMA on old Windows system until you update VMWare someday..
Regards
Alex