Disable weak ciphers on Esxi 8.x
search cancel

Disable weak ciphers on Esxi 8.x

book

Article ID: 312031

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Disabling "Weak Message Authentication Code Cipher Suites" or "Weak Encryption Cipher Suites" reported by a security scan as an area of concern for ESXi port 443. This includes ciphers such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

VMware presently does not consider HMAC-SHA1 and CBC TLS ciphers as insecure, in alignment with current industry standards. Additionally, interoperability with older (legacy) software products in the enterprise Datacenter may break if these weak TLS ciphers were to be disabled. As such, VMware does not recommend disabling these weak TLS ciphers. However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their own security policies.

Environment

VMware vSphere ESXi 8 Update1

VMware vSphere ESXi 8 Update 2

Resolution

Follow the below steps to resolve this issue:

Port 443: Below steps applicable only for Esxi 8.0 

  1. Connect to the ESXi host using SSH (Putty).
  1. Take a backup of /etc/vmware/rhttpproxy/config.xml file.
  1. Open the /etc/vmware/rhttpproxy/config.xml file in a text editor and go to the tag path<config><vmacore><ssl>.

Add the below line:

<cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>  

  1. For changes to take effect, restart the rhttpproxy service using this command:

/etc/init.d/rhttpproxy restart  

Port 443: Follow below steps for Esxi 8 Update1 and Update2

- Run the command to create a temporary JSON file containing rhttpproxy config options:

      /bin/configstorecli config current get -c esx -g services -k rhttpproxy -outfile tmp.json

- Run the command to edit the file:

     /bin/vi tmp.json

- Add the following configuration options to the temporary JSON file to disable CBC ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA are listed as weak ciphers

{
   "vmacore": {
      "ssl":{
         "cipher_list": "ECDHE+AESGCM"
      }
   }
}

- Run the command to apply the file to the Database:

    /bin/configstorecli config current set -c esx -g services -k rhttpproxy -infile tmp.json

- Run the command to restart rhttpproxy service:

    /etc/init.d/rhttpproxy restart

 

Port 8182:  

  1. Connect to the ESXi host using SSH (Putty).
  1. Take a backup of /etc/opt/vmware/fdm/fdm.cfg file.
  1. Open the /etc/opt/vmware/fdm/fdm.cfg file in a text editor. 

Add the below line: 

<cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>

  1. For changes to take effect, restart the vmware-fdm service using this command:

/etc/init.d/vmware-fdm restart

 

Port 9080:

  1. Connect to ESXi host with SSH
  1. Stop iofiltervpd with command: /etc/init.d/iofiltervpd stop
  2. Modify advanced option /UserVars/ESXiVPsAllowedCiphers with command: 

esxcli system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDS

A-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK 

  1. Start iofiltervpd with command: /etc/init.d/iofiltervpd start