Fail to run discovery on VMware vCenter

nagaeendra · ‎Sep 16, 2019

We are getting this error when querying vCenter server

Failed to retrieve contents from web service https://vcenterserver:443/sdk

An error occured in HTTP processing
In fsend call to WinHttpSendRequest: A security error occurred (12175)
One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server: The application experienced an internal error loading the SSL libraries.

Checked https://IPAddress:PortNumber/sdk/vimService.wsdl and https://IPAddress:PortNumber/MOB

Ports are open verified with MgsIPScan.

Appreciate if any other inputs / suggestion

statler · ‎Sep 16, 2019

Hi Nagaeendra,

Looks as if your vCenter is running on a newer OS that is not supporting TLS 1.0 anymore and your Beacon is running on Windows 7 still?

Windows 7 requires TLS 1.0 or SSL3 to be supported. See the following URLs for documentation and a fix from Microsoft:

https://social.technet.microsoft.com/Forums/en-US/e07aa2b7-abd4-4212-94b9-56cf73a91323/certificate-error-while-opening-excel-file?forum=officeitpro
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

stefange · ‎Sep 16, 2019

Hi,

This is probably to due the security settings on your server.

Can you verify the following setting in the registry?

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]"DefaultSecureProtocols"

If value is dword:00000800, than TLS 1.2 is only enabled. When you change the value to dword:00000200 (TLS 1.1 enabled) than the scan will work probably again after a beacon engine restart.

Can you give this a try?

nagaeendra · ‎Sep 16, 2019

Thanks @ stefangeerars

It's a win 2012 server and don't have this keyword DefaultSecureProtocols under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

It only has Passport Test and Tracing Keys

stefange · ‎Sep 17, 2019

Hi,

Can you verify if you are using the SchUseStrongCrypto?

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\vx.x.xxxx]
"SchUseStrongCrypto"=dword:00000001

and did you set the Windows Schannel to disable for example TLS 1.0 and TLS 1.1?

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\

Stefan

nagaeendra · ‎Sep 17, 2019

Hi @stefange

Yes, verified SchUseStrongCrypto it is set to dword:00000001

No TLS 1.0 and TLS 1.1 are set to enable.

should SSL 2.0 and 3.0 be enabled or disabled.

Thanx

stefange · ‎Sep 17, 2019

Try adding the registry key

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]"DefaultSecureProtocols"

with value: dword:00000200

Stefan

nagaeendra · ‎Sep 18, 2019

Hi @stefange

Checked by adding dword:00000200
Doesn't throw me SSL error now by doesn't do discovery also
But on ESXquery I see
" Decryption operation failed
In fsend call to WinHttpSendRequest : A connection with the server could not be established (12029)
An error occured in HTTP processing
Failed to retrieve contents from web service https://vCenter server:443/sdk
BindingServer(ServerIP, proto=https, port=0) failed. "

mgunnels · ‎Sep 17, 2019

Question, Is the certificate on the vCenter server still valid?

nagaeendra · ‎Sep 17, 2019

Hi @ mgunnels

Yes, certificate on vCenter is valid. though root certificate authority are different between these 2 server (vCenter & FNMS server)