SSL Sessions Not Authenticated By VMware VC Clients
23 Nov. 2006
Summary
VMware VirtualCenter client does not verify the server's X.509 certificate when creating an SSL session, which allows remote malicious servers to spoof valid servers via a man-in-the-middle attack.
Credit:
The information has been provided by vmware.
To ensure a secure channel of communication, you must be sure that any communication is with "trusted" sites whose identity you can be sure of. Both the client and server need certificates from a mutually-trusted Certificate Authority (CA).
However, certificate verification is not enabled by default for the clients. After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter 1.4.1 Patch 1, you must specifically enable server-certificate verification on theWindows client hosts.
VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an issue with server-certificate verification by VirtualCenter clients during the initial SSL handshake. Specifically, the x.509 certificate presented by a server to a client at the beginning of an SSL session is not verified. VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve this issue for Windows client hosts.
Client hosts include:
* VirtualCenter Server host, which operates as a client to each of the servers that it manages;
VirtualCenter Server 2.x:
* Virtual Infrastructure Client (VI Client, or VIC), client software that lets you connect to and manage ESX Server hosts directly, or through a VirtualCenter Server host;
VirtualCenter Server 1.x:
* VirtualCenter Client (VC Client), client software that lets you connect to and manage ESX Server 2.x hosts through a VirtualCenter Server host (1.x version).
