VMware migration tool: we need your feedback!
-
Hi,
I'm not sure to understand why are you using XO CLI in the first place? Have you tried from the UI directly?
-
When I try the import from the UI directly I receive the following in the logs:
write EPROTO C0A77278D27F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:I am using Xen Orchestra from sources (commit 6fe79)
xo-server 5.116.3
xo-web 5.119.1 -
Sounds like very old SSL libs that are not supported anymore?
-
This was my initial thought, I tried to drop the MinProtocol to TLSv1.0 in openssl.cnf and recomplile from source. But the error persisted,
Worst case I can look at manually exporting and importing the VMs.
-
Let's wait to see if @florent got an idea
-
@andyh said in VMware migration tool: we need your feedback!:
This was my initial thought, I tried to drop the MinProtocol to TLSv1.0 in openssl.cnf and recomplile from source. But the error persisted,
Worst case I can look at manually exporting and importing the VMs.
I have some work to do on the SSL ( the current implementation of the lib have some serious limit) , I will try to handle this at the same time.
-
@florent thanks for the response
-
@andyh hi
could you tests this branch : https://github.com/vatesfr/xen-orchestra/pull/6859
I rewrote the https handling, and I 'm curious of the behaviour with older host
regards
closed feat(node-vsphere-soap): security improvements #6859
-
@florent Thanks for reaching out
Updated XO from Sources to the commit from the branch.
When I attempt the import from VMware, the process doesn't show an error in the UI and the connect process button looks to spin. However, checking the logs I see the following error (with skip SSL enabled or disabled)
write EPROTO C0F754130E7F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987: -
@andyh I tried to disable TLS V2, can you
pull --rebaseand retry ?if it doesn't work, could you check the tls level of your esxi host ?
https://stackoverflow.com/questions/40557031/command-prompt-to-check-tls-version-required-by-a-host
especiallycurl -Iiv --tlsv1.1 https://example.comI have
* ALPN, offering h2 * ALPN, offering http/1.1 * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.0 (OUT), TLS header, Certificate Status (22): * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (OUT), TLS header, Unknown (21): * TLSv1.2 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.on my esxi 6 host
-
Thanks for the quick response, the same error looks to persist.
Running the curl command gives
* Trying 192.168.xx.yy:443... * Connected to 192.168.xx.yy (192.168.xx.yy) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (OUT), TLS alert, protocol version (582): * error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol * Closing connection 0 curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocolPerforming the same check with -tlsv1.0 gives
* Trying 192.168.xx.yy:443... * Connected to 192.168.xx.yy (192.168.xx.yy) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.0 (IN), TLS handshake, Certificate (11): * TLSv1.0 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.Not sure if this helps.
-
Hi!
I am having a similar problem to @andyh
Our VMWare is v5.5, xoa CLI throws:"result": { "message": "Client network socket disconnected before secure TLS connection was established", "name": "Error", "stack": "Error: Client network socket disconnected before secure TLS connection was established\n at Function.AxiosError.from (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/axios/lib/core/AxiosError.js:89:14)\n at RedirectableRequest.handleRequestError (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/axios/lib/adapters/http.js:591:25)\n at RedirectableRequest.emit (node:events:527:28)\n at RedirectableRequest.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n at ClientRequest.eventHandlers.<computed> (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/follow-redirects/index.js:14:24)\n at ClientRequest.emit (node:events:527:28)\n at ClientRequest.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n at TLSSocket.socketErrorListener (node:_http_client:454:9)\n at TLSSocket.emit (node:events:527:28)\n at TLSSocket.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n at emitErrorNT (node:internal/streams/destroy:157:8)\n at emitErrorCloseNT (node:internal/streams/destroy:122:3)\n at processTicksAndRejections (node:internal/process/task_queues:83:21)",While webUI stucks on "Connect" with no apparent logs present..
When checking tls level of my esxi host:
localhost:~ # openssl s_client -connect www.google.com:443 -tls1 CONNECTED(00000003)Will there be a support for older versions of ESXi? Or maybe I am doing something wrong. Thanks in advance!
-
@akaylee we brole rejectUnauthorized ( handling of self signed certificate) During the upgrade of node-vpshere-soap, the fixes are coming and it should also work on 5.5
the first one have been merged and should allow you to list the VM on the host. Does it work ?
-
@florent it doesn't seem to work, still stuck on 'Connect', 20 minutes elapsed
-
@akaylee what is your current commit ?
this is the right one : 0f0c0ec -
@florent sorry, overlooked!
Yes, I was able to connect to my esxi host after updating to 0f0c0ec, testing migration right now
Thank you! -
@florent Just updated from sources, but my latest commit looks to be 0f0c0ec0d. Have I missed something ?
-
@andyh that's ok, I only pasted the start of the hash
As long as you're up to date on master, it should work (also it does not disable certifictae check for the whole process now )
-
@florent I still look to be receiving the same error, after updating to 0f0c0ec
write EPROTO C0D7ADA7B77F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:Any further thoughts?
-
Gave this is a try earlier with some changes to my openssl.cnf
Sadly still coming across the same error, is there a minimum ESXi version that the import tool will connect to ?
