Host disconnect after ESXi 5.5 U3b (SSLv3 POODLE)

Today I was preparing a new blade chassis in an existing vCenter environment. After applying the predefined Critical Host Patches baseline (default task for new hosts), the hosts would not reconnect to vCenter.

Turns out VMware decided to disable SSLv3 for ESXi 5.5 Update 3b and higher, because of the POODLE vulnerability. The dependency is clearly stated in the release notes and in the VMware Product Interoperability Matrix below.

VMware Product Interoperability Matrix
Since the vCenter server was running a previous U3 version, the hosts would not reconnect. There’s no excuse for not reading the release notes before patching, but still I was somewhat surprised, since I can’t remember VMware ever creating an ESXi-vCenter version dependency in a minor (sub)release.

Google published the POODLE attack in October 2014, communication between VMware end-point components was never really at risk, since POODLE targets browsers.

Since I was unable to patch the vCenter server on short notice and I didn’t want to re-enable SSLv3 as per KB2139396, I decided to roll back the patch. Doing so is easy.

1. Reboot the ESXi host

2. On boot press Shift+R to enter recovery mode
ESXi recovery mode
3.
 Press Shift+Y to confirm rollback
Esxi recovery mode
4.
Enjoy your reconnected host

Leave a Reply

Your email address will not be published. Required fields are marked *