Killing SSLv3 Tip

This week brought another unusual problem. We have a multi-domain environment that includes two different Active Directory forests joined by a trust. Like most of the world, we have disabled SSLv3 on desktops as well as servers to prevent SSLv3 connections, but this was only done completely in our main Active Directory domain. Everything had been working fine until this week. Over the weekend a change was introduced to the environment: a new SHA-2 certificate for the domain controllers in the other Active Directory domain. Once this change was implemented, user accounts from the other domain could no longer authenticate to our Horizon View vCenter.

Settings were checked, and the LDAPS identity source was identical on both of our vCenters in our main domain, but one did not work. Certificate stores were checked, and both had the relevant certificates. After digging further, we found one difference between the two vCenter servers concerning SSL.

Look under vCenter Server Settings.

There is a setting located under Advanced Settings called SSL.Version.

Choose TLSv1 to completely stop vCenter from trying to communicate over SSLv3.
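
To see which protocol versions a domain controller's LDAPS listener will negotiate, and which signature algorithm its certificate uses, a probe like the following can be run from the vCenter server. This is an added example, not part of the original post; the server name `dc01.example.com` and the function name `Test-LdapsProtocol` are placeholders.

```powershell
# Added diagnostic sketch. $Server is a placeholder; use your own DC's FQDN.
param(
    [string]$Server = 'dc01.example.com',   # hypothetical domain controller
    [int]$Port = 636                        # LDAPS
)

function Test-LdapsProtocol {
    param(
        [string]$Server,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )

    $result = [pscustomobject]@{
        Protocol = $Protocol; Negotiated = $false
        Cipher = $null; CertSignature = $null; Error = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        # Accept any certificate: this probe only inspects the handshake and
        # makes no trust decision. Do not reuse this callback for real traffic.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Offer exactly one protocol version so the result is unambiguous.
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Negotiated    = $true
        $result.Cipher        = $ssl.CipherAlgorithm
        $result.CertSignature = $cert.SignatureAlgorithm.FriendlyName
        $ssl.Dispose()
    }
    catch {
        # A failure can come from either end: the server refusing the version,
        # or the local OS having that version disabled.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally { $tcp.Close() }
    $result
}

'Ssl3', 'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-LdapsProtocol -Server $Server -Port $Port -Protocol $_
} | Format-Table -AutoSize
```

With SSLv3 disabled on both ends, the `Ssl3` row should show `Negotiated` as `False`, and the `CertSignature` column confirms whether the new SHA-2 certificate is the one being served.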
