SSL Certificates and Security
VDDK 5.1 and later releases were security hardened so that connections to vSphere check SSL certificates. On Windows, VDDK 5.1 and 5.5 required the VerifySSLCertificates and InstallPath registry keys under HKEY_LOCAL_MACHINE\SOFTWARE to enable SSL certificate checking. On Linux, VDDK 5.1 and 5.5 required adding the line linuxSSL.verifyCertificates = 1 to the VixDiskLib_InitEx configuration file.

As of VDDK 6.0, both SSL certificate verification and SSL thumbprint checking are mandatory and cannot be disabled. The Windows registry keys and the Linux configuration setting are no longer read, so neither has any effect. VDDK 6.0 and later use X.509 certificates with TLS, replacing SSLv3.
The following library functions enforce SSL certificate checking: InitEx, PrepareForAccess, EndAccess, GetNfcTicket, and the GetRpcConnection interface used by all advanced transports. SSL verification may use thumbprints to check whether two certificates are the same. The vSphere thumbprint is a cryptographic hash of a certificate, obtained from a trusted source such as vCenter Server and passed in the SSLVerifyParam structure of the NFC ticket. The source matters: a thumbprint read from the target host itself over an unverified connection pins only whatever certificate was presented on that connection, including one presented by an attacker in the path, so it should come from vCenter Server or another channel that is already trusted.
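The thumbprint comparison described above, as an added example in Python that is not VMware's or the VDDK's own code. It assumes the vSphere thumbprint format is the SHA-1 digest of the certificate's DER encoding written as colon-separated upper-case hex pairs, and it uses a constructed byte string as a stand-in for a DER certificate, since real DER would come from the TLS peer or a certificate file. It also shows how a program can fetch the certificate a host presents so that it can be compared against a thumbprint obtained from a trusted source; the fetched value itself must not be treated as the trusted thumbprint.

```python
"""Compute and compare vSphere-style SSL thumbprints (added example)."""
import hashlib
import hmac
import re
import socket
import ssl

# Assumption: vSphere thumbprints are SHA-1 over the DER certificate,
# 20 bytes rendered as "AB:CD:...". Real code should confirm the hash
# algorithm against the vSphere version it targets.
_HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")


def thumbprint_from_der(der_bytes: bytes) -> str:
    """Return the SHA-1 thumbprint of DER certificate bytes in
    colon-separated upper-case form."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Accept a thumbprint with or without colons, in any case, with
    surrounding whitespace, and return the canonical form.
    Raises ValueError for anything that is not 40 hex digits."""
    hex_only = value.strip().replace(":", "").replace(" ", "")
    if not _HEX40.match(hex_only):
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    hex_only = hex_only.upper()
    return ":".join(hex_only[i:i + 2] for i in range(0, 40, 2))


def thumbprints_match(expected: str, presented: str) -> bool:
    """Compare two thumbprints in constant time after normalization, so
    formatting differences never cause a false mismatch and a partial
    match leaks no timing information."""
    return hmac.compare_digest(normalize_thumbprint(expected),
                               normalize_thumbprint(presented))


def fetch_server_thumbprint(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate a server presents and return its thumbprint.

    Chain verification is disabled here on purpose: the goal is only to
    obtain the presented certificate so it can be checked against a
    thumbprint that came from a trusted source (for example vCenter Server).
    The returned value must NOT be recorded as the trusted thumbprint; doing
    so pins whatever an attacker in the path presented on this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return thumbprint_from_der(der)


def check_host(host: str, trusted_thumbprint: str, port: int = 443) -> bool:
    """True only if the certificate the host presents hashes to the
    thumbprint obtained out of band from a trusted source."""
    return thumbprints_match(trusted_thumbprint,
                             fetch_server_thumbprint(host, port))


# Constructed sample input: stand-in bytes for a DER certificate. Any byte
# string works for the hash; a real DER blob is what getpeercert returns.
SAMPLE_DER = b"abc"
SAMPLE_THUMBPRINT = thumbprint_from_der(SAMPLE_DER)

if __name__ == "__main__":
    print("thumbprint:", SAMPLE_THUMBPRINT)
    # Same certificate, different formatting of the recorded thumbprint.
    print("match:", thumbprints_match(SAMPLE_THUMBPRINT,
                                      SAMPLE_THUMBPRINT.lower().replace(":", "")))
    # A different certificate (one byte changed) must not match.
    print("tampered:", thumbprints_match(SAMPLE_THUMBPRINT,
                                         thumbprint_from_der(b"abd")))
```

A live check would call check_host("esxi.example.invalid", thumbprint_from_vcenter) with a thumbprint copied from vCenter Server; the hypothetical host name and variable are placeholders. Keeping fetch_server_thumbprint separate from the trusted value is the point: the fetch proves nothing on its own, the comparison against an independently obtained thumbprint does.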