Thursday, January 21, 2016

Things to note when upgrading to 5.5u3b and 6.0u1 (SSLv3 now disabled)

I'll focus on 5.5u3b since it's the most popular ESXi version out today.

This is verbatim from the 5.5 Update 3b release notes:

What's New

  • Updated Support for SSLv3 protocol is disabled by default
    Note: In your vSphere environment, you need to update vCenter Server to vCenter Server 5.5 Update 3b before updating ESXi to ESXi 5.5 Update 3b. vCenter Server will not be able to manage ESXi 5.5 Update 3b if you update ESXi before updating vCenter Server to version 5.5 Update 3b. For more information about the sequence in which vSphere environments need to be updated, refer to KB 2057795.

  • VMware highly recommends you to update ESXi hosts to ESXi 5.5 Update 3b while managing them from vCenter Server 5.5 Update 3b.

    VMware does not recommend re-enabling SSLv3 due to the POODLE vulnerability. If at all you need to enable SSLv3, you need to enable the SSLv3 protocol for all components. For more information, refer to KB 2139396.
This of course has consequences you need to be aware of:

1) You HAVE to patch vCenter first! Yes, this is a best practice, but I know a lot of people just patch their hosts. Revisit this and plan to patch your vCenter first, then your hosts. A host on 5.5 Update 3b refuses SSLv3, and a vCenter still on an older 5.5 build cannot manage it until vCenter is brought up to Update 3b as well.
2) This affects other software too! Anything that talks to your hosts over SSLv3 will break once the hosts are patched. For example, Veeam has a KB out (KB2063) explaining that you have to upgrade to Veeam 8 Update 3 for TLS to be supported.
3) Even if you are not doing this today, always read the release notes. When 5.5u3b first came out, there were no big warning signs like the above. VMware has since done a good job of adding alerts when you download this version and updating the KBs, but nobody prepares for this except you, the system administrator.
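Once vCenter and the hosts are patched (and before you point Veeam or anything else back at them), it is worth confirming from the outside that a host really refuses SSLv3 and still takes TLS. The probe below is added here as an example; it is not part of the original post and not a VMware tool. It hand-builds a minimal ClientHello for a chosen protocol version, sends it to port 443 and classifies the first record that comes back: a ServerHello means the version was accepted, a TLS alert (or a plain connection reset) means it was refused. The hostname in the usage block is a placeholder, and the expected shape of a refusal (alert versus reset) depends on the build you are talking to, so treat "closed" and "rejected-*" both as "disabled".

```python
import socket
import struct
import sys

# Protocol versions as they appear on the wire (major, minor).
SSLV3 = (3, 0)
TLS10 = (3, 1)
TLS11 = (3, 2)
TLS12 = (3, 3)

# A few RSA cipher suites that SSLv3-era and TLS 1.x stacks both understand,
# so a refusal can only be caused by the protocol version we offered.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)

# Alert descriptions a host typically sends when the offered version is disabled.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_client_hello(version=SSLV3):
    """Return one record-layer message carrying a minimal ClientHello.

    No extensions are included, so the same layout is valid for SSLv3
    (which predates extensions) and for TLS 1.0 through 1.2.
    """
    major, minor = version
    client_random = b"\x00" * 32            # fixed value: this is a probe, not a real session
    suites = b"".join(struct.pack("!H", cs) for cs in CIPHER_SUITES)
    body = (
        bytes([major, minor])               # client_version
        + client_random
        + b"\x00"                           # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                       # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake) + version + 2-byte length.
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data, offered):
    """Interpret the first record a server sent back to our ClientHello.

    Returns one of:
      "accepted"          ServerHello agreeing to the offered version
      "negotiated-X.Y"    ServerHello carrying a different version
      "rejected-<alert>"  TLS alert (handshake_failure, protocol_version, ...)
      "closed"            connection closed or reset without any record
      "unexpected"        anything else (non-TLS service, garbage)
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unexpected"
    content_type = data[0]
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        negotiated = (data[9], data[10])     # ServerHello.server_version
        if negotiated == offered:
            return "accepted"
        return "negotiated-%d.%d" % negotiated
    if content_type == 0x15 and len(data) >= 7:
        desc = data[6]                       # data[5] is the alert level, data[6] the description
        return "rejected-" + ALERT_NAMES.get(desc, "alert_%d" % desc)
    return "unexpected"


def probe(host, port=443, version=SSLV3, timeout=5.0):
    """Open a TCP connection, send the ClientHello and classify the reply.

    A reset or a silent close is reported as "closed": hosts with the version
    disabled may drop the connection instead of sending an alert.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version))
            data = sock.recv(4096)
    except (ConnectionResetError, socket.timeout):
        data = b""
    return classify_response(data, version)


if __name__ == "__main__":
    # Usage: python sslv3_probe.py <host> [port]   (hostname below is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "esxi-host.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name, ver in (("SSLv3", SSLV3), ("TLS 1.0", TLS10), ("TLS 1.1", TLS11), ("TLS 1.2", TLS12)):
        print("%-8s %s" % (name, probe(target, port, ver)))
```

Run it against each host and against vCenter itself after patching; a correctly patched 5.5 Update 3b host should report "closed" or "rejected-*" for SSLv3 and "accepted" for at least one TLS version. The other SSL-enabled services on a host can be checked the same way by passing their port number. Reading the bytes yourself, rather than using the local OpenSSL, matters here because modern OpenSSL builds have SSLv3 compiled out and would fail on the client side before the host is ever asked.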

That's one of the biggest gotchas I've seen in a good while - keep up to date :D
