KS-Soft. Network Management Solutions

VM Host Free Datastore 'No Answer' due TLS 1.2

 
itelio



Joined: 06 Nov 2014
Posts: 120

Posted: Thu Mar 23, 2023 2:52 am    Post subject: VM Host Free Datastore 'No Answer' due TLS 1.2

Hello,

we received an inquiry from a customer of ours who also uses the KS Hostmonitor.
Here the request:

------------------------------------------------------------------------

We are in the process of migrating KS Hostmonitor from Server 1 to Server 2. We found that for ESX01 and ESX02 the tests 'VM host free datastore' and 'VM host status' do not work ('no answer') - screenshots attached.

Differences:

Server 1 - Windows 2008 R2 - Local VM - KS HostMonitor v. 9.90
Server 2 - Windows Server 2022 - Azure VM - KS HostMonitor v. 13.46

The Windows Firewall is configured the same (off for domain) with app exception for HostMonitor.

The ESX hosts are Proliant DL380 G7 with ESXi 5.5.0.

We had an analysis carried out by a partner:

1. ESX hosts at SKP are version 5.5 (this is old but is the maximum version supported by the hosts)
2. HostMonitor tests for datastore and host status utilize ESX Managed Object Browser (MOB) which runs over HTTPS
3. KS HostMonitor on Server 1 uses TLSv1.0 for the connection, which is supported on the ESX hosts
4. KS HostMonitor on Server 2 uses TLSv1.2 for the connection - this is definitely not enabled on the ESX hosts and they reply with TCP RST on the TLS client hello message hence the test result is no answer.

We tried changing the TLS settings in the internet options. We also tried out the Windows Firewall. But it seems that ESXi 5.5 can't handle TLS 1.2. Is there an option in KS Hostmonitor 13.46 to use TLS 1.0? And is the TLS implementation OS based or one from KS-Soft itself?

------------------------------------------------------------------------

If I have any questions, I have to pass them on to the customer first.

Thanks in advance
KS-Soft



Joined: 03 Apr 2002
Posts: 12791
Location: USA

Posted: Thu Mar 23, 2023 7:40 am

HostMonitor v13 enables all supported SSL, TLS options (starting from SSL 3.0) for VMWare related tests.
TLS 1.0 is disabled on Windows 2022 but it's not totally removed.

On the other hand, some weak cipher suites were removed in modern Windows.
I think Windows 2022 for TLS 1.0 supports the following ciphers:
ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA
ECDHE_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_3DES_EDE_CBC_SHA

What ciphers are supported by VMWare ESXi 5.5?
AES128-SHA
DES-CBC3-SHA
cannot find more details..

VMWare ESX 6.0 is much better. The Suite B cipher suite includes: ECDHE-RSA-AES128-GCM-SHA256; ECDHE-ECDSA-AES128-GCM-SHA256; ECDHE-RSA-AES128-SHA256; ECDHE-ECDSA-AES128-SHA256; ECDHE-RSA-AES128-SHA; ECDHE-ECDSA-AES128-SHA; DHE-DSS-AES128-GCM-SHA256; DHE-RSA-AES128-GCM-SHA256; ECDH-RSA-AES128-GCM-SHA256; ECDH-ECDSA-AES128-GCM-SHA256; ECDH-RSA-AES128-SHA256; ECDH-ECDSA-AES128-SHA256; ECDH-RSA-AES128-SHA; ECDH-ECDSA-AES128-SHA; AES128-GCM-SHA256; AES128-SHA256; ECDHE-RSA-AES256-GCM-SHA384; ECDHE-ECDSA-AES256-GCM-SHA384; ECDHE-RSA-AES256-SHA384; ECDHE-ECDSA-AES256-SHA384; ECDHE-RSA-AES256-SHA; ECDHE-ECDSA-AES256-SHA; ECDH-RSA-AES256-GCM-SHA384; ECDH-ECDSA-AES256-GCM-SHA384; ECDH-RSA-AES256-SHA384; ECDH-ECDSA-AES256-SHA384; ECDH-RSA-AES256-SHA; ECDH-ECDSA-AES256-SHA; AES256-GCM-SHA384; AES256-SHA256

Could you enable TLS 1.0 using Windows Internet options?
Probably this will not help but it's easy to try. Otherwise I think you will need one of the following options:
- older Windows
- newer VMWare
- or use RMA agent installed on old Windows to perform this test

Regards
Alex
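
Added example, not part of the original posts or of KS-Soft's code: a Python sketch that converts the OpenSSL-style suite names quoted for ESXi into the IANA-style names quoted for Windows and intersects the two lists from the reply above. The function names are assumptions of this example, and both lists are taken exactly as posted, without verification.

```python
import re

# Both lists are copied from the reply above, where they are hedged ("I think").
WINDOWS_2022_TLS10 = [
    "ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA", "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA",
]
ESXI_55 = ["AES128-SHA", "DES-CBC3-SHA"]

# OpenSSL naming: optional "<kx>-<auth>-" prefix (absent means static RSA),
# then the cipher, an optional "-GCM" (absent means CBC), then the MAC/PRF hash.
_OPENSSL = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE|ECDH)-(?P<auth>RSA|ECDSA|DSS)-)?"
    r"(?P<enc>AES128|AES256|DES-CBC3)(?P<gcm>-GCM)?-(?P<mac>SHA(?:256|384)?)$"
)

def openssl_to_iana(name):
    """Convert e.g. 'ECDHE-RSA-AES128-GCM-SHA256' to 'ECDHE_RSA_WITH_AES_128_GCM_SHA256'."""
    m = _OPENSSL.match(name)
    if not m or (m["enc"] == "DES-CBC3" and m["gcm"]):
        raise ValueError(f"unrecognised OpenSSL suite name: {name!r}")
    kx = f"{m['kx']}_{m['auth']}" if m["kx"] else "RSA"
    if m["enc"] == "DES-CBC3":
        enc = "3DES_EDE_CBC"
    else:
        enc = f"AES_{m['enc'][3:]}_{'GCM' if m['gcm'] else 'CBC'}"
    return f"{kx}_WITH_{enc}_{m['mac']}"

def shared_suites(client_iana, server_openssl):
    """Suites the client offers (in client order) that the server also lists."""
    server = {openssl_to_iana(n) for n in server_openssl}
    return [s for s in client_iana if s in server]

def weaknesses(suite):
    """Properties of a suite that explain why modern systems tend to drop it."""
    kx, enc = suite.split("_WITH_")
    notes = []
    if not kx.startswith(("ECDHE", "DHE")):
        notes.append("no forward secrecy")
    if "3DES" in enc:
        notes.append("64-bit block cipher")
    if "_CBC_" in enc:
        notes.append("CBC mode")
    return notes

if __name__ == "__main__":
    for suite in shared_suites(WINDOWS_2022_TLS10, ESXI_55):
        print(suite, "->", ", ".join(weaknesses(suite)))
```

An overlap between the names as posted says nothing about which suites are actually enabled on either host; that still has to be checked on the Windows server and on the ESXi host themselves.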
KS-Soft



Joined: 03 Apr 2002
Posts: 12791
Location: USA

Posted: Thu Mar 23, 2023 7:45 am

Quote:
We tried changing the TLS settings in the internet options. We also tried out the Windows Firewall. But it seems that ESXi 5.5 can't handle TLS 1.2

Oh, you already tried to enable TLS 1.0 manually and still TLS 1.2 is used?
So this option just does not work on Windows 2022 and HostMonitor cannot enable it for the test either.
Then I would suggest using RMA on an old Windows system until you update VMWare someday.

Regards
Alex
KS-Soft



Joined: 03 Apr 2002
Posts: 12791
Location: USA

Posted: Thu Mar 23, 2023 10:58 am

PS
We tested HostMonitor + Windows Server 2022 + TLS 1.0 - it works.
So, it's probably a cipher-related problem and you have the 3 options described above.
itelio



Joined: 06 Nov 2014
Posts: 120

Posted: Fri Mar 24, 2023 6:12 am    Post subject: re

Hi Alex,

thank you for the detailed answer.
As I see it, we have these 3 options.
I'll discuss that and get back to you.

Thank you and have a nice day!
KS-Soft



Joined: 03 Apr 2002
Posts: 12791
Location: USA

Posted: Fri Mar 24, 2023 7:35 am

You are welcome
Have a nice weekend

Regards
Alex