VMware vSphere ESXi 8.0
VMware vSphere ESXi 8.0U1
VMware vSphere ESXi 8.0U2
Follow the steps below to resolve this issue:
1. Change to the rhttpproxy configuration directory:
cd /etc/vmware/rhttpproxy
2. Take a backup of the existing configuration file:
cp config.xml config.xml.bkp
3. Open the configuration file in a text editor:
vi config.xml
4. Go to the tag path <config><vmacore><ssl> and add the line below:
<cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>
5. For changes to take effect, restart the rhttpproxy service using the following command:
/etc/init.d/rhttpproxy restart

1. From an SSH session on the ESXi host, run the following command to export the current rhttpproxy configuration options to a temporary JSON file:
/bin/configstorecli config current get -c esx -g services -k rhttpproxy -outfile tmp.json
2. Run the following command to edit the file:
/bin/vi tmp.json
3. Add the following configuration options to the temporary JSON file to disable the CBC ciphers (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA are the suites reported as weak). Add this only to the newly created file:
{
  "vmacore": {
    "ssl": {
      "cipher_list": "ECDHE+AESGCM"
    }
  }
}
4. Press ESC and type :wq to save the file.
5. Run the following command to apply the file to the database:
/bin/configstorecli config current set -c esx -g services -k rhttpproxy -infile tmp.json
6. Run the following command to restart the rhttpproxy service:
/etc/init.d/rhttpproxy restart

1. Connect to the ESXi host using SSH (for example with PuTTY).
2. Take a backup of the /etc/opt/vmware/fdm/fdm.cfg file:
cd /etc/opt/vmware/fdm/
cp fdm.cfg fdm.cfg.bkp
3. Open the /etc/opt/vmware/fdm/fdm.cfg file in a text editor:
cd /etc/opt/vmware/fdm/
vi fdm.cfg
4. Add the line below, then press ESC and type :wq to save the file:
<cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>
5. For changes to take effect, restart the vmware-fdm service using this command:
/etc/init.d/vmware-fdm restart

1. Stop the iofiltervpd service:
/etc/init.d/iofiltervpd stop
2. Set the allowed cipher list for iofiltervpd through the ESXiVPsAllowedCiphers advanced option:
esxcli system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
3. Start the iofiltervpd service again:
/etc/init.d/iofiltervpd start
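The following script is an added example, not part of this article or of VMware's tooling; it uses only Python's standard-library ssl module to expand the two cipher-list strings used above (the long cipherList value from the config.xml, fdm.cfg and ESXiVPsAllowedCiphers steps, and the ECDHE+AESGCM value from the configstorecli step) into the concrete suites they enable and to flag the non-AEAD (CBC) ones. It shows that the long cipherList still enables CBC suites such as ECDHE-RSA-AES128-SHA, while ECDHE+AESGCM enables GCM suites only; the exact suite set depends on the OpenSSL build the script runs against rather than on the ESXi host.

```python
import ssl

# Cipher-list string from the <cipherList> / ESXiVPsAllowedCiphers steps above,
# copied verbatim and split across lines (Python joins adjacent literals).
ESXI_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)

# cipher_list value from the configstorecli JSON step above.
GCM_ONLY_CIPHER_LIST = "ECDHE+AESGCM"


def resolve_suites(cipher_list):
    """Expand an OpenSSL cipher-list string into the concrete TLS 1.2-and-below
    suites the local OpenSSL build enables for it. TLS 1.3 suites are not
    controlled by this string, so they are left out of the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def non_aead_suites(cipher_list):
    """Names of enabled suites that are not AEAD. In these lists that is exactly
    the AES-CBC family with an HMAC (SHA-1 or SHA-256), i.e. the TLS_*_CBC_*
    suites scanners report as weak."""
    return [c["name"] for c in resolve_suites(cipher_list) if not c["aead"]]


def suite_report(cipher_list):
    """One line per enabled suite: OpenSSL name, key exchange, bulk cipher, AEAD flag."""
    return [
        "%-32s kea=%-9s sym=%-13s aead=%s"
        % (c["name"], c["kea"], c["symmetric"], c["aead"])
        for c in resolve_suites(cipher_list)
    ]


if __name__ == "__main__":
    for label, cl in (("cipherList", ESXI_CIPHER_LIST), ("cipher_list", GCM_ONLY_CIPHER_LIST)):
        print("== %s ==" % label)
        print("\n".join(suite_report(cl)))
        print("non-AEAD (CBC) suites still enabled:", non_aead_suites(cl) or "none")
```

To confirm the change on the host itself rather than on the string, test each flagged suite against the restarted service with openssl s_client -cipher <suite> -connect <esxi-host>:443 and expect the handshake to fail.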