When installed on a Windows XP or Windows Server 2003 host machine, the vSphere Client and vSphere PowerCLI may fail to connect to vCenter Server 5.5 due to a Handshake failure. vSphere 5.5 uses the Open SSL library, which, for security, is configured by default to accept only connections that use strong cipher suites. On Windows XP or Windows Server 2003, the vSphere Client and vSphere PowerCLI do not use strong cipher suites to connect with vCenter Server. This results in the error No matching cipher suite on the server side, and a Handshake failure on the vSphere Client or vSphere PowerCLI side.
To work around this issue, perform one of these options:
- For Windows Server 2003 or 64-bit Windows XP, apply the appropriate Microsoft hotfix:
- Platform: x64: http://hotfixv4.microsoft.com/Windows%20Server%202003/sp3/Fix192447/3790/free/351403_ENU_x64_zip.exe
- Platform: ia64: http://hotfixv4.microsoft.com/Windows%20Server%202003/sp3/Fix192447/3790/free/351397_ENU_ia64_zip.exe
- Platform: i386: http://hotfixv4.microsoft.com/Windows%20Server%202003/sp3/Fix192447/3790/free/351385_ENU_i386_zip.exe
For additional language options, request the appropriate file for Hotfix 19247 from Microsoft Support Hotfix Request.
Note: The preceding links were correct as of November 4, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.
- For Windows Server 2003, 64-bit Windows XP, or 32-bit Windows XP, perform one of these options:
- Before installing the vSphere Client or vSphere PowerCLI, upgrade the Windows operating system on the host machine to Windows Vista or later.
- On the vCenter Server 5.5 host machine, modify the vpxd.cfg to reduce the implied security by allowing the server to communicate using weak cipher suites:
For Windows-based vCenter Server
- Before installing the vSphere Client or vSphere PowerCLI, upgrade the Windows operating system on the host machine to Windows Vista or later.
-
-
- Connect to the vCenter Server using RDP.
- Navigate to the directory:
C:\ProgramData\VMware\VMware VirtualCenter\ - Backup the vpxd.cfg file. Do not skip this step.
- Open the vpxd.cfg file in a text editor
- Add the <cipherList>ALL</cipherList> parameter between the <ssl>...</ssl> section of the configuration file, for example:
<config>
...
<vmacore>
...
<ssl>
...
<cipherList>ALL</cipherList>
...
</ssl>
...
</vmacore>
...
</config> - Save and close the vpxd.cfg file.
- Restart the vCenter Server service for the setting to take affect. For more information, see Stopping, starting, or restarting vCenter services (1003895).
-
For the vCenter Server Appliance
-
-
- Connect to the vCenter Server Appliance via SSH. For more information, see Enable or Disable SSH Administrator Login on the VMware vCenter Server Appliance in the vCenter Server and Host Management Guide.
- Navigate to the directory:
/etc/vmware-vpx/ - Backup the vpxd.cfg file. Do not skip this step.
- Open vpxd.cfg file in a plan text editor
- Add the <cipherList>ALL</cipherList> parameter between the <ssl>...</ssl> section of the configuration file, For example:
<config>
...
<vmacore>
...
<ssl>
...
<cipherList>ALL</cipherList>
...
</ssl>
...
</vmacore>
...
</config> - Save and close the vpxd.cfg file.
- Restart the vCenter Server service for the change to take effect. For more information, see Stopping, starting, or restarting vCenter Server Appliance services (2054085).
- On the ESXi 5.5 host, modify the rhttpproxy service to reduce the implied security by allowing the host to communicate using weak cipher suites:
For ESXi 5.5
-
-
-
- Connect to the host via SSH. For more information, see Using ESXi Shell in ESXi 5.0 and 5.1 (2004746).
- Navigate to the directory:
/etc/vmware/rhttpproxy/ - Backup the config.xml file. Do not skip this step.
- Open config.xml file using vi editor. For more information, see Editing files on an ESX host using vi or nano (1020302).
- Add the <cipherList>ALL</cipherList> parameter between the <ssl>...</ssl> section of the configuration file. Use the model below as an example:
<config>
...
<vmacore>
...
<ssl>
<doVersionCheck> false </doVersionCheck>
<useCompression>true</useCompression>
<libraryPath>/lib/</libraryPath>
<handshakeTimeoutMs>120000</handshakeTimeoutMs>
<cipherList>ALL</cipherList>
</ssl>
...
</vmacore>
...
</config> - Save and close the config.xml file
- Reset the rhttpproxy service for the change to take effect by running the command:
/etc/init.d/rhttpproxy restart
-