Just to share my findings about the subject... In our company, after the POODLE vulnerability was discovered, SSL was banned completely, which caused a lot of headaches. I was hoping that with the vCenter 6 appliance SSL would no longer be enabled and the Nessus scanner would only show that everything is OK, but that didn't happen. It found that port 7444 still supports SSL, which could be easily confirmed by running
openssl s_client -connect vc1:7444 -ssl3
To make a long story short:
In the file /usr/lib/vmware-sso/vmware-sts/conf/server.xml, add the attribute sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the 2nd Connector (the one with SSLEnabled="true"). Without this attribute, Tomcat lets the JVM's default protocol list decide what is offered, which is why SSLv3 was still accepted. TLSv1 and TLSv1.1 are kept here for compatibility with older clients; if your scanner flags those as well, list only TLSv1.2. The file content should then look like:
<?xml version="1.0"?>
<Server port="${base.shutdown.port}"
        shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="com.springsource.tcserver.licensing.LicensingLifecycleListener"/>
  <Listener className="com.springsource.tcserver.serviceability.deploy.TcContainerDeployer"/>
  <Listener accessFile="${catalina.base}/conf/jmxremote.access"
            authenticate="true"
            bind="127.0.0.1"
            className="com.springsource.tcserver.serviceability.rmi.JmxSocketListener"
            passwordFile="${catalina.base}/conf/jmxremote.password"
            port="${base.jmx.port}"
            useSSL="false"/>
  <GlobalNamingResources>
    <Resource auth="Container"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              name="UserDatabase"
              pathname="conf/tomcat-users.xml"
              type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Executor maxThreads="300"
              minSpareThreads="50"
              name="tomcatThreadPool"
              namePrefix="tomcat-http--"/>
    <Engine defaultHost="localhost"
            name="Catalina">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host appBase="webapps"
            autoDeploy="true"
            deployOnStartup="true"
            deployXML="true"
            name="localhost"
            unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"
               prefix="localhost_access_log."
               suffix=".txt"/>
      </Host>
    </Engine>
    <!-- Plain HTTP connector: untouched -->
    <Connector acceptCount="100"
               connectionTimeout="20000"
               executor="tomcatThreadPool"
               keepAliveTimeout="60000"
               maxKeepAliveRequests="-1"
               port="${bio-custom.http.port}"
               protocol="org.apache.coyote.http11.Http11Protocol"
               redirectPort="${bio-custom.https.port}"/>
    <!-- HTTPS connector (port 7444): sslEnabledProtocols pins the offered
         versions so SSLv3 is no longer negotiated -->
    <Connector SSLEnabled="true"
               acceptCount="200"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
               connectionTimeout="20000"
               executor="tomcatThreadPool"
               keepAliveTimeout="60000"
               keyAlias="ssoserver"
               keystoreFile="${catalina.base}/conf/ssoserver.p12"
               keystorePass="changeme"
               keystoreType="PKCS12"
               maxKeepAliveRequests="-1"
               port="${bio-ssl-localhost.https.port}"
               protocol="org.apache.coyote.http11.Http11Protocol"
               redirectPort="${bio-ssl-localhost.https.port}"
               scheme="https"
               secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Service>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
</Server>
After restarting the appliance (or just the vmware-stsd service), the SSLv3 handshake should fail and the openssl command should print something like this:
openssl s_client -connect vc1:7444 -ssl3
CONNECTED(00000003)
140422981498696:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1441025677
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
When I log into the web client and navigate to System Configuration -> Nodes -> (vCenter name) -> Related Objects (tab), I can see all services in 'Good' health, which makes me believe the modification didn't hurt anything.
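The two checks above (is the HTTPS connector pinned to TLS, and does the openssl probe really show SSLv3 refused) can be scripted so they are repeatable on every server.xml you touch. The script below is an added example for this post, not something shipped with vCenter or Tomcat: it parses a server.xml with the standard library, reports every SSLEnabled Connector that has no sslEnabledProtocols attribute or that lists SSLv2/SSLv3, rewrites such connectors with the same protocol list used above, and classifies an `openssl s_client -ssl3` transcript as refused or accepted. The embedded server.xml is a trimmed, constructed copy of the vmware-sts file shown above (before the fix); the function names are my own.

```python
"""Audit/harden SSL connectors in a Tomcat server.xml and read an openssl s_client transcript.

Added example for this post; the function names and the trimmed sample file
are constructions of the editor, not VMware's or Tomcat's tooling.
"""
import xml.etree.ElementTree as ET

# The protocol list the post settles on. TLSv1 and TLSv1.1 are kept only for
# compatibility; drop them if the scanner flags those too.
HARDENED_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello"}

# Constructed sample: a trimmed version of the vmware-sts server.xml from the
# post, before the fix (no sslEnabledProtocols on the HTTPS connector).
SAMPLE_SERVER_XML = """<?xml version="1.0"?>
<Server port="${base.shutdown.port}" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="${bio-custom.http.port}"
               protocol="org.apache.coyote.http11.Http11Protocol"
               redirectPort="${bio-custom.https.port}"/>
    <Connector SSLEnabled="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
               keyAlias="ssoserver"
               keystoreFile="${catalina.base}/conf/ssoserver.p12"
               keystoreType="PKCS12"
               port="${bio-ssl-localhost.https.port}"
               protocol="org.apache.coyote.http11.Http11Protocol"
               scheme="https"
               secure="true"/>
  </Service>
</Server>
"""


def _ssl_connectors(root):
    """Yield every <Connector> element with SSLEnabled="true"."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn


def audit_connectors(xml_text):
    """Return one dict per SSL connector: port, configured protocols, weak flag, reason.

    A missing sslEnabledProtocols attribute is reported as weak: the JVM default
    then decides what is offered, which is how SSLv3 stayed on in the post.
    """
    findings = []
    for conn in _ssl_connectors(ET.fromstring(xml_text)):
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            weak, reason = True, "sslEnabledProtocols not set; JVM default applies"
        else:
            legacy = sorted({p.strip() for p in enabled.split(",")} & LEGACY_PROTOCOLS)
            weak = bool(legacy)
            reason = ("legacy protocols enabled: " + ",".join(legacy)) if legacy else "ok"
        findings.append({"port": conn.get("port"), "protocols": enabled,
                         "weak": weak, "reason": reason})
    return findings


def harden(xml_text, protocols=HARDENED_PROTOCOLS):
    """Pin sslEnabledProtocols on every SSL connector; return (new_xml, connectors_changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for conn in _ssl_connectors(root):
        if conn.get("sslEnabledProtocols") != protocols:
            conn.set("sslEnabledProtocols", protocols)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def sslv3_rejected(s_client_output):
    """True when an `openssl s_client -ssl3` transcript shows the server refused SSLv3.

    The post's after-fix output contains "wrong version number" and
    "Cipher is (NONE)"; a server that still speaks SSLv3 prints a real cipher.
    """
    refused = ("wrong version number", "handshake failure", "Cipher is (NONE)")
    return any(marker in s_client_output for marker in refused)


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print("before:", finding)
    fixed_xml, count = harden(SAMPLE_SERVER_XML)
    print("connectors changed:", count)
    for finding in audit_connectors(fixed_xml):
        print("after: ", finding)
```

To use it on the real appliance, read /usr/lib/vmware-sso/vmware-sts/conf/server.xml into `harden()`, write the result back (keep a copy of the original first; ElementTree drops the XML declaration and comments, so diff the output before replacing the file), restart vmware-stsd, and pipe the `openssl s_client -connect vc1:7444 -ssl3` transcript into `sslv3_rejected()`.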
Now the longer version: how I got there.

Since I couldn't find any 'how to' doc to remediate the port, I started thinking and realized that after all it's just a Linux box :) so I ran netstat -lanp to find the process listening on 7444. The process is vmware-stsd. In /etc, ls -laR | grep vmware-stsd showed there is a vmware-stsd in init.d, so I looked inside. There are references to Tomcat appserver related stuff, which I am not familiar with. However, I searched for .xml, .cfg, .conf and .prop, and it gave /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties. I looked inside it and there it was: port 7444.

Good. I googled a bit and found there should also be a server.xml file using definitions from catalina.properties and defining some kind of HTTP listeners and their parameters, like what ports the appserver listens on and how (again, this is not my area :). Then I just googled what to edit in that file on Tomcat 7 to make it not allow SSL.