Disabling "Weak Message Authentication Code Cipher Suites" or "Weak Encryption Cipher Suites" reported by a security scan as an area of concern for ESXi port 443. This includes ciphers such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
VMware presently does not consider HMAC-SHA1 and CBC TLS ciphers as insecure, in alignment with current industry standards. Additionally, interoperability with older (legacy) software products in the enterprise Datacenter may break if these weak TLS ciphers were to be disabled. As such, VMware does not recommend disabling these weak TLS ciphers. However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their own security policies.
VMware vSphere ESXi 8 Update1
VMware vSphere ESXi 8 Update 2
Follow the below steps to resolve this issue:
Port 443: Below steps applicable only for Esxi 8.0
Add the below line:
<cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>
/etc/init.d/rhttpproxy restart
Port 443: Follow below steps for Esxi 8 Update1 and Update2
- Run the command to create a temporary JSON file containing rhttpproxy config options:
/bin/configstorecli config current get -c esx -g services -k rhttpproxy -outfile tmp.json
- Run the command to edit the file:
/bin/vi tmp.json
- Add the following configuration options to the temporary JSON file to disable CBC ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA are listed as weak ciphers
Only add this to newly created file
{
"vmacore": {
"ssl":{
"cipher_list": "ECDHE+AESGCM"
}
}
}
Press ESC and type :wq to save file
- Run the command to apply the file to the Database:
/bin/configstorecli config current set -c esx -g services -k rhttpproxy -infile tmp.json
- Run the command to restart rhttpproxy service:
/etc/init.d/rhttpproxy restart
Port 8182:
Add the below line:
<cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>
/etc/init.d/vmware-fdm restart
Port 9080:
esxcli system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Please note: This kb does not apply to 8.0 U3 and later, from 8.0 U3 vSphere use TLS profile to manage TLS configuration. Reference doc - https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-82028A21-8AB5-4E2E-90B8-A01D1FAD77B1.html