SSL Certificates and Security

The VDDK 5.1 release and later were security hardened, with the library able to check the SSL certificate of the vSphere server it connects to. On Windows, VDDK 5.1 and 5.5 required the VerifySSLCertificates and InstallPath registry keys under HKEY_LOCAL_MACHINE\SOFTWARE to be set before SSL certificates were checked. On Linux, VDDK 5.1 and 5.5 required adding a line to the VixDiskLib_InitEx configuration file to set linuxSSL.verifyCertificates = 1.
As of VDDK 6.0, both SSL certificate verification and SSL thumbprint checking are mandatory and cannot be disabled. The Windows registry keys and the Linux SSL setting are no longer read, so neither has any effect.
Specifically, VDDK 6.0 and later use X.509 certificates with TLS cryptography, replacing SSLv3.
The following library functions enforce SSL certificate checking: InitEx, PrepareForAccess, EndAccess, GetNfcTicket, and the GetRpcConnection interface that is used by all advanced transports. SSL verification may also use thumbprints to determine whether the certificate a server presents is the expected one. The vSphere thumbprint is a cryptographic hash of a certificate, obtained from a trusted source such as vCenter Server and passed in the SSLVerifyParam structure of the NFC ticket; the hash of the certificate actually received is compared against that trusted value, so a different certificate with the same subject name does not pass.
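The thumbprint comparison described above, as an added example that is not part of VDDK or the VMware documentation. It assumes (the page does not state this) that a vSphere thumbprint is the hex SHA-1 digest of the certificate's DER encoding, written as colon-separated uppercase byte pairs, and it uses a constructed byte string in place of a real certificate. The functions der_to_pem, pem_to_der, thumbprint, normalize_thumbprint and thumbprint_matches are illustrative names, not VDDK API.

```python
"""Added example, not VDDK's own code: compute a vSphere-style SSL thumbprint
from a certificate and compare it with the value obtained out of band (for
example from vCenter Server via the NFC ticket's SSLVerifyParam).
Assumption: the thumbprint is the SHA-1 digest of the DER certificate, shown
as colon-separated uppercase hex byte pairs."""
import base64
import hashlib
import hmac

THUMBPRINT_HASH = "sha1"  # assumption: vSphere thumbprints hash the DER bytes with SHA-1


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block with a 64-column base64 body."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from the first CERTIFICATE block of a PEM string.
    Strict base64 decoding rejects a truncated or edited block instead of
    silently hashing garbage."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem.index(begin) + len(begin)
    stop = pem.index(end, start)
    body = "".join(pem[start:stop].split())
    return base64.b64decode(body, validate=True)


def thumbprint(der: bytes) -> str:
    """Digest of the DER certificate formatted as AA:BB:...:ZZ, the form in
    which vSphere displays a host or vCenter certificate thumbprint."""
    digest = hashlib.new(THUMBPRINT_HASH, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Canonical form for comparison: uppercase, no separators or whitespace,
    so "aa:bb" and "AABB" compare equal."""
    return "".join(ch for ch in value.strip().upper() if ch not in ":- ")


def thumbprint_matches(der: bytes, expected: str) -> bool:
    """True only if the certificate's thumbprint equals the trusted value.
    The length check stops an empty or truncated expected value from matching,
    and the comparison itself is constant-time."""
    actual = normalize_thumbprint(thumbprint(der))
    wanted = normalize_thumbprint(expected)
    if not wanted or len(wanted) != len(actual):
        return False
    return hmac.compare_digest(actual.encode("ascii"), wanted.encode("ascii"))


# Constructed stand-in for DER certificate bytes; it is not a real X.509 structure.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes " * 4
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    tp = thumbprint(pem_to_der(SAMPLE_PEM))
    tampered = ("00" if tp[:2] != "00" else "FF") + tp[2:]
    print("thumbprint:      ", tp)
    print("matches expected:", thumbprint_matches(SAMPLE_DER, tp))
    print("matches tampered:", thumbprint_matches(SAMPLE_DER, tampered))
```

In practice the expected value comes from a trusted channel (the NFC ticket or an administrator who read it from vCenter Server), never from the server whose certificate is being checked; the constant-time comparison and the length check matter because a thumbprint compared with a plain prefix test or an empty expected string would accept any certificate.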