Disable weak ciphers on Esxi 8.0, 8.0 U1 and 8.0 U2

Article ID: 312031

Products

VMware vSphere ESXi

Issue/Introduction

  • A security scan reports "Weak Message Authentication Code Cipher Suites" or "Weak Encryption Cipher Suites" as an area of concern for ESXi port 443, and you want to disable them.
  • This includes ciphers such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
  • VMware presently does not consider HMAC-SHA1 and CBC TLS ciphers as insecure, in alignment with current industry standards. Additionally, interoperability with older (legacy) software products in the enterprise Datacenter may break if these weak TLS ciphers were to be disabled.
  • As such, VMware does not recommend disabling these weak TLS ciphers. However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their own security policies.

Environment

VMware vSphere ESXi 8.0

VMware vSphere ESXi 8.0U1

VMware vSphere ESXi 8.0U2

Resolution

Follow the below steps to resolve this issue:

  • Port 443: the following steps apply only to ESXi 8.0

   1. Connect to the ESXi host using SSH (for example, with PuTTY).
   2. Take a backup of the /etc/vmware/rhttpproxy/config.xml file:

      cd /etc/vmware/rhttpproxy
      cp config.xml config.xml.bkp

   3. Open the /etc/vmware/rhttpproxy/config.xml file in a text editor:

      vi config.xml

   4. Go to the tag path <config><vmacore><ssl> and add the following line:

      <cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>

   5. For the change to take effect, restart the rhttpproxy service:

      /etc/init.d/rhttpproxy restart


  • Port 443: follow these steps for ESXi 8.0U1 and 8.0U2

   1. From an SSH session on the ESXi host, run the following command to export the current rhttpproxy configuration options to a temporary JSON file:

      /bin/configstorecli config current get -c esx -g services -k rhttpproxy -outfile tmp.json

   2. Open the file for editing:

      /bin/vi tmp.json

   3. Add the following configuration options to the temporary JSON file to disable the CBC ciphers (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA are the suites reported as weak). Add this only to the newly created file:

      {
         "vmacore": {
            "ssl": {
               "cipher_list": "ECDHE+AESGCM"
            }
         }
      }

   4. Press ESC and type :wq to save the file.
   5. Run the following command to apply the file to the configuration database:

      /bin/configstorecli config current set -c esx -g services -k rhttpproxy -infile tmp.json

   6. Restart the rhttpproxy service:

      /etc/init.d/rhttpproxy restart


  • For port 8182:

   1. Connect to the ESXi host using SSH (for example, with PuTTY).
   2. Take a backup of the /etc/opt/vmware/fdm/fdm.cfg file:

      cd /etc/opt/vmware/fdm/
      cp fdm.cfg fdm.cfg.bkp

   3. Open the /etc/opt/vmware/fdm/fdm.cfg file in a text editor:

      vi fdm.cfg

   4. Add the following line, then press ESC and type :wq to save the file:

      <cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>

   5. For the change to take effect, restart the vmware-fdm service:

      /etc/init.d/vmware-fdm restart


  • For port 9080:

   1. Connect to the ESXi host using SSH.
   2. Stop iofiltervpd:

      /etc/init.d/iofiltervpd stop

   3. Modify the advanced option /UserVars/ESXiVPsAllowedCiphers:

      esxcli system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

   4. Start iofiltervpd:

      /etc/init.d/iofiltervpd start
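The explicit cipher list used in the 8.0, 8182 and 9080 steps above and the ECDHE+AESGCM keyword used in the 8.0U1/8.0U2 step select very different suite sets, and it is worth checking a list before writing it into rhttpproxy, fdm or iofiltervpd. The following script is an added example, not part of this KB or of any VMware tool; the function names are its own, and it relies only on POSIX sh, tr and grep, so it runs offline on a workstation. It splits an OpenSSL-format cipher string and reports every explicit suite whose name ends in "-SHA", which in OpenSSL naming is a CBC suite with an HMAC-SHA1 MAC (ECDHE-RSA-AES128-SHA is the OpenSSL name for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, and ECDHE-RSA-AES256-SHA for TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA). Run against the 8.0 list it shows that both of those suites, and five more of the same kind, are still present, so a scan that flags them will still flag the port after that change; the ECDHE+AESGCM keyword selects only AEAD suites and reports none.

```shell
#!/bin/sh
# Added example (not part of the KB): audit an OpenSSL-format cipher list for
# CBC suites with an HMAC-SHA1 MAC before applying it to rhttpproxy, fdm or
# iofiltervpd. Runs offline with POSIX sh, tr and grep; no ESXi host needed.
# Function and variable names are this example's own.

# The explicit cipher list used in the ESXi 8.0 (port 443), 8182 and 9080 steps.
KB_80_LIST='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'

# The keyword-based list used in the 8.0U1/8.0U2 JSON step.
KB_U1_U2_LIST='ECDHE+AESGCM'

# Print, one per line, every explicit suite name in the list that ends in "-SHA".
# In OpenSSL naming that suffix means HMAC-SHA1 with a CBC cipher, for example
# ECDHE-RSA-AES128-SHA is IANA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.
# Keyword groups ("+") and exclusions ("!") are skipped: they are not suite names.
list_cbc_sha1_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' | grep -v '+' | grep -E -- '-SHA$' || true
}

# Number of such suites in the list (0 when the list is clean).
count_cbc_sha1_suites() {
    n=$(list_cbc_sha1_suites "$1" | grep -c .) || true
    printf '%s\n' "${n:-0}"
}

# Exit status 0 when the list contains no SHA-1 CBC suites, 1 otherwise, so a
# change script can gate on it:  is_cbc_sha1_free "$LIST" || exit 1
is_cbc_sha1_free() {
    [ "$(count_cbc_sha1_suites "$1")" -eq 0 ]
}

# Report both lists from the KB.
printf 'KB_80_LIST: %s SHA-1 CBC suite(s)\n' "$(count_cbc_sha1_suites "$KB_80_LIST")"
list_cbc_sha1_suites "$KB_80_LIST" | sed 's/^/  /'
printf 'KB_U1_U2_LIST: %s SHA-1 CBC suite(s)\n' "$(count_cbc_sha1_suites "$KB_U1_U2_LIST")"
list_cbc_sha1_suites "$KB_U1_U2_LIST" | sed 's/^/  /'
```

After restarting the service, confirm the result from another host rather than trusting the file edit: `openssl s_client -connect <esxi-host>:443 -tls1_2 -cipher ECDHE-RSA-AES128-SHA </dev/null` should fail to complete the handshake once the suite is no longer offered (the `-cipher` option governs TLS 1.2 and earlier, hence `-tls1_2`). Repeat with a suite you intend to keep, such as ECDHE-RSA-AES256-GCM-SHA384, to confirm the service still accepts connections.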

Additional Information

  • NOTE: This KB does not apply to 8.0 U3 and later; from 8.0 U3 onward, vSphere uses TLS profiles to manage TLS configuration.
  • Reference document: vSphere TLS Configuration