To configure the set of SSL protocols that the cell offers to use during the SSL handshake process, use the ssl-protocols command of the cell management tool.

When a client makes an SSL connection to a VMware Cloud Director cell, the cell offers to use only those protocols that are configured on its list of allowed SSL protocols. TLSv1 is not on the default list because it is known to have serious security vulnerabilities. For more information on enabling TLS 1.0 or TLS 1.1 for VMware Cloud Director 10.4 or later, see KB 88929.

Procedure

  1. Log in directly or by using an SSH client to the OS of the VMware Cloud Director cell as root.
  2. Run the command to manage the list of allowed SSL protocols.
    cell-management-tool ssl-protocols options
    Table 1. Cell Management Tool Options and Arguments, ssl-protocols Subcommand
    Option Argument Description
    --help (-h) None Provides a summary of available commands in this category.
    --all-allowed (-a) None List all SSL protocols that VMware Cloud Director supports.
    --disallow (-d) Comma-separated list of SSL protocol names. Reconfigure the list of disallowed SSL protocols to the ones specified in the list. Every time you run this option, you must include the full list of SSL protocols you want to deactivate because running the option overwrites the previous setting.
    Important: Running the option without any values activates all SSL protocols.
    To view all possible SSL protocols, run the -a option.
    Important: You must restart the cell after running ssl-protocols --disallow.
    --list (-l) None List the set of allowed SSL protocols that are currently in use.
    --reset (-r) None Reset the list of configured SSL protocols to the factory default.
    Important: You must restart the cell after running ssl-protocols --reset.

Example: List Allowed and Configured SSL Protocols and Reconfigure the List of Disallowed SSL Protocols

Use the --all-allowed (-a) option to list all the SSL protocols that the cell can be allowed to offer during an SSL handshake.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ssl-protocols -a
Product default SSL protocols:

    * TLSv1.2
    * TLSv1.1
    * TLSv1

This list is typically a superset of the SSL protocols that the cell is configured to support. To list those SSL protocols, use the --list (-l) option.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ssl-protocols -l
Allowed SSL protocols:

    * TLSv1.2
    * TLSv1.1

To reconfigure the list of disallowed SSL protocols, use the --disallow (-d) option. This option requires a comma-separated list of the subset of allowed protocols produced by ssl-protocols –a.

This example updates the list of disallowed SSL protocols to include TLSv1. vCenter Server releases earlier than 5.5 Update 3e require TLSv1.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ssl-protocols -d TLSv1
You must restart the cell after running this command.