
I booted up my R510 and can't log in to ESXi. I get the notification that the connection is insecure and I'm pretty sure it's due to SSL. It has always been an insecure connection but I always had the option to go to the page anyways. Now I can't. Any ideas of how I can log in without going through the certification process?

Try a different browser?

Just now, Psittac said:

Did Edge, Chrome and Firefox.

And you can't skip/add exception on any of them?

 

Is the time and date the same on the host and your PC?


Did you enable HSTS or something?

It will always show insecure with a self-signed certificate, although things like HSTS prevent you from ignoring that. The error should include more information.


This site can’t provide a secure connection

xxx.xxx.xxx.xxx uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
HIDE DETAILS
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.


It does this on my desktop and my laptop. I have the IP whitelisted in MBAM but also have Bitdefender, which I can't figure out a whitelist on. But in the notifications I'm not getting any warning or notice about something being blocked. I just spent an hour trying to research this and it's way above my pay grade. I got into the certificates but don't know what I'm doing so I left that alone.

Edit: normally I would log into the server locally but I no longer have a VGA/D-sub monitor to do so. I guess I can come up with one if I need to. Maybe the server time and date is wrong?


Kaspersky blocks my connection; I need to add an exception, then refresh the login page again.

Go to chrome://flags/#ssl-version-min

Set up SSLv3, then restart your browser.


It was Bitdefender. I did everything I could to add exclusions or whitelist but it didn't work. Had to uninstall it, then it worked. They must have made some update to Bitdefender recently.

Also I saw that Avast antivirus was on my system and I know I didn't put it there, since I've been using Bitdefender since before I did a fresh install; there would have been no reason to install it.


9 hours ago, Psittac said:

This site can’t provide a secure connection

xxx.xxx.xxx.xxx uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
HIDE DETAILS
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

The web server has 0 matching SSL settings or 0 matching ciphers with your local system.

Not sure what web server ESXi uses, but I'd assume you can change that via the CLI on the system locally (or via SSH).

Otherwise change your local security ciphers / SSL settings.

I'd recommend reading: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

the disabling SSL (all versions) and TLSv1.0 and change the ciphers used. Note that Windows and Linux (i.e. Apache, etc.) will often call the same cipher something different, even though they are the same.


On 11/26/2018 at 7:50 AM, Mikensan said:

What version of ESXi are you running? Beyond the hostname not matching the SNI the crypto used should be acceptable to almost everything.

I just use a local IP address. I'm not into the world of networking; I have some of the equipment but haven't done anything related to it.


On 11/28/2018 at 12:21 AM, Psittac said:

I just use a local IP address. I'm not into the world of networking; I have some of the equipment but haven't done anything related to it.

What version of ESXi are you running? Might be as simple as an update.


There is a large range of different cipher suites that can be used for SSL. I am not sure which one ESXi uses exactly. However, if a security solution doesn't have the ability to handle a specific cipher being requested by a service, they will attempt to downgrade the connection to a lower (less secure) cipher that they can work with. For example, an ECDHE cipher might be downgraded to RSA 128. This then allows the security solution to decrypt the traffic and inspect the traffic to make sure there is no malicious content.

This is what I assume is happening in your scenario. Unfortunately some services will not accept a downgrade in the cipher suite used in order to maintain security. Lower grade ciphers are also easier for criminals to break, so if a MITM attack is in play, a weak cipher can make it easier for them to view/change the traffic. 

 

With most consumer-based security solutions, it's often the case that exclusions don't actually completely exclude traffic. Or, in order for it to be successful, exclusions need to be set up in multiple sections of the settings. E.g. exclusions may be set for file antivirus activities, but still be enabled for IPS or firewall components, which means it will still intercept traffic for some of the functionality. You can usually get it to an operational point but it can require a lot of tweaking. Keep an eye out for browser plugins too.

 

Hope this helps. 

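An added example, not part of the original thread: a Python check that separates the two causes raised above, a protocol/cipher mismatch with the host versus a security product re-issuing the certificate in transit. The names `probe` and `diagnose`, the result labels and the pinned fingerprint (the SHA-256 of the certificate as read on the host itself) are assumptions made for this example, and it assumes the intercepting product also filters this script's traffic.

```python
import hashlib
import socket
import ssl

VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def probe(host, port=443, timeout=5.0):
    """One handshake per protocol version -> {version: (cipher, cert SHA-256) or None}."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # self-signed host cert: it is fingerprinted
        ctx.verify_mode = ssl.CERT_NONE  # below instead of being chain-validated
        try:
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw) as tls:
                der = tls.getpeercert(binary_form=True)
                results[name] = (tls.cipher()[0], hashlib.sha256(der).hexdigest())
        except (ssl.SSLError, OSError, ValueError):
            results[name] = None         # version refused by the server or the local TLS library
    return results

def _norm(fp):
    return fp.replace(":", "").lower()

def diagnose(results, pinned_fp):
    """pinned_fp: SHA-256 of the host's own certificate, read on the host itself."""
    ok = {v: r for v, r in results.items() if r}
    if not ok:
        return "no-common-protocol"  # browser shows ERR_SSL_VERSION_OR_CIPHER_MISMATCH
    if any(_norm(fp) != _norm(pinned_fp) for _, fp in ok.values()):
        return "intercepted"         # certificate was re-issued between client and host
    if not ok.keys() & {"TLSv1.2", "TLSv1.3"}:
        return "legacy-only"         # host offers only TLS 1.1 or older
    return "direct"

# Constructed sample (not captured from a real host): every version refused.
SAMPLE = {name: None for name in VERSIONS}

if __name__ == "__main__":
    print(diagnose(SAMPLE, "00" * 32))
```

Run `probe("<host-ip>")` once with the security product's HTTPS scanning enabled and once with it disabled; a fingerprint or cipher that changes between the two runs points at the product rather than at the host.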
