Use the ssl-protocols command of the cell management tool to configure the set of SSL protocols that the cell offers to use during the SSL handshake process.

When a client makes an SSL connection to a vCloud Director cell, the cell offers only the protocols on its configured list of allowed SSL protocols. Several protocols, including TLSv1, SSLv3, and SSLv2Hello, are not on the default allowed list because they are known to have serious security vulnerabilities. (SSLv2Hello is the SSLv2-compatible ClientHello format rather than a protocol version, but allowing it lets clients open the handshake in that legacy form.)

To manage the list of allowed SSL protocols, use a command line with the following form:

cell-management-tool ssl-protocols options

Cell Management Tool Options and Arguments, ssl-protocols Subcommand

Option: --help (-h)
Argument: None
Description: Provides a summary of available commands in this category.

Option: --all-allowed (-a)
Argument: None
Description: List all SSL protocols that vCloud Director is able to support.

Option: --disallow (-d)
Argument: Comma-separated list of SSL protocol names.
Description: Replace the list of disallowed SSL protocols with the ones specified in the list.

Option: --list (-l)
Argument: None
Description: List the set of allowed SSL protocols that vCloud Director is currently configured to support.

Option: --reset (-r)
Argument: None
Description: Reset the list of configured SSL protocols to the factory default.

Important

You must restart the cell after running ssl-protocols --disallow or ssl-protocols --reset; the change does not take effect until the cell is restarted.

Use the --all-allowed (-a) option to list all the SSL protocols that the cell can be allowed to offer during an SSL handshake.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ssl-protocols -a
Product default SSL protocols:

    * TLSv1.2
    * TLSv1.1
    * TLSv1
    * SSLv3
    * SSLv2Hello

This list is typically a superset of the SSL protocols that the cell is configured to support. To list those SSL protocols, use the --list (-l) option.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ssl-protocols -l
Allowed SSL protocols:

    * TLSv1.2
    * TLSv1.1

Use the --disallow (-d) option to reconfigure the list of disallowed SSL protocols. This option requires a comma-separated list of protocol names, each of which must appear in the output of ssl-protocols --all-allowed (-a). The list you supply replaces the current disallowed list entirely, so include every protocol you want to keep disabled, not only the ones you are adding.

This example updates the list of allowed SSL protocols to include TLSv1, by disallowing only SSLv3 and SSLv2Hello. VMware® vCenter™ releases earlier than 5.5 Update 3e require TLSv1. Because TLSv1 is deprecated, re-enable it only for as long as such a vCenter is registered with the cell, and disallow it again afterward.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ssl-protocols -d SSLv3,SSLv2Hello

You must restart the cell after running this command.
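The following POSIX shell script is an added example; it is not part of the vCloud Director documentation or of the cell management tool. It turns the procedure above into something checkable: it parses the ssl-protocols -a output into a list, computes the complete --disallow argument from the set of protocols you want to keep (so the replace-the-whole-list semantics cannot silently re-enable something), applies it, restarts the cell, and then probes the cell's HTTPS listener from the network side with openssl s_client to confirm which versions are really negotiated. It assumes the output format shown on this page, that openssl is on the PATH, that the cell listens on port 443, and that "service vmware-vcd restart" restarts the cell (an assumption; substitute your site's restart command). The names VCD_APPLY, SAMPLE_ALL, parse_protocols, disallow_list, probe_protocol and apply_policy are chosen for this script and do not exist in the product.

```shell
#!/bin/sh
# Added example; not part of the vCloud Director documentation or product.
# Assumes the ssl-protocols output format shown on this page, openssl on the
# PATH, and (assumption) that "service vmware-vcd restart" restarts the cell.

CMT=/opt/vmware/vcloud-director/bin/cell-management-tool

# Constructed sample: the ssl-protocols -a output shown on this page, so the
# list handling can be exercised without a cell.
SAMPLE_ALL='Product default SSL protocols:

    * TLSv1.2
    * TLSv1.1
    * TLSv1
    * SSLv3
    * SSLv2Hello'

# Turn the "    * NAME" bullet lines of ssl-protocols output (read from stdin)
# into a comma-separated list, in the order the tool printed them.
parse_protocols() {
    sed -n 's/^[[:space:]]*\*[[:space:]]*//p' | tr '\n' ',' | sed 's/,$//'
}

# Compute the argument for --disallow: every protocol in $1 (the full list
# from ssl-protocols --all-allowed) that is not in $2 (the set to keep).
# --disallow replaces the whole disallowed list, so the result must be complete.
disallow_list() {
    all=$1; keep=$2; out=""
    for p in $(printf '%s' "$all" | tr ',' ' '); do
        case ",$keep," in
            *",$p,"*) ;;                      # keep offering this one
            *) out="${out:+$out,}$p" ;;       # everything else is disallowed
        esac
    done
    printf '%s' "$out"
}

# Check from the network side which versions the cell actually negotiates.
# Returns 0 if the handshake succeeds, 1 if the server refuses it, and 2 if
# this openssl build cannot even offer the version (e.g. SSLv3 compiled out).
probe_protocol() {
    host=$1; proto=$2
    case "$proto" in
        TLSv1.2) flag=-tls1_2 ;;
        TLSv1.1) flag=-tls1_1 ;;
        TLSv1)   flag=-tls1 ;;
        SSLv3)   flag=-ssl3 ;;
        *) return 2 ;;   # SSLv2Hello is a hello format, not a version s_client selects
    esac
    openssl s_client -help 2>&1 | grep -q -- "^ *$flag" || return 2
    openssl s_client -connect "$host:443" "$flag" </dev/null >/dev/null 2>&1
}

# End to end: keep only $2, apply it, restart, then verify from outside.
apply_policy() {
    host=$1; keep=$2
    all=$("$CMT" ssl-protocols -a | parse_protocols)
    "$CMT" ssl-protocols -d "$(disallow_list "$all" "$keep")"
    service vmware-vcd restart            # assumed restart command
    for p in $(printf '%s' "$all" | tr ',' ' '); do
        if probe_protocol "$host" "$p"; then r=negotiated; else r="refused (rc=$?)"; fi
        printf '%-10s %s\n' "$p" "$r"
    done
}

# Only touch a real cell when explicitly asked, e.g.
#   VCD_APPLY=1 ./check-ssl-protocols.sh cell1.example.com TLSv1.2,TLSv1.1
# Otherwise show the --disallow argument that would be computed for the sample.
if [ "${VCD_APPLY:-0}" = 1 ]; then
    apply_policy "$1" "${2:-TLSv1.2,TLSv1.1}"
else
    sample=$(printf '%s\n' "$SAMPLE_ALL" | parse_protocols)
    printf 'would run: cell-management-tool ssl-protocols -d %s\n' \
        "$(disallow_list "$sample" "${2:-TLSv1.2,TLSv1.1}")"
fi
```

Run it without VCD_APPLY first to see the exact --disallow argument it will pass; only the network probe after the restart tells you what the listener really offers, which is the check that matters after any change to this list.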