Disabling weak TLS ciphers for port 443 in ESXi.

Article ID: 312031

Products

VMware vSphere ESXi

Issue/Introduction

A security scan reports "Weak Message Authentication Code Cipher Suites" or "Weak Encryption Cipher Suites" as an area of concern for ESXi port 443, and you want to disable them. This includes cipher suites such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

VMware presently does not consider HMAC-SHA1 and CBC TLS ciphers insecure, in alignment with current industry standards. Additionally, interoperability with older (legacy) software products in the enterprise datacenter may break if these ciphers are disabled. As such, VMware does not recommend disabling them. However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their own security policies.


Environment

VMware vSphere ESXi 8.0.1
VMware vSphere ESXi 8.0.x

Resolution

Follow the steps below to resolve this issue:

Disable weak cipher algorithms for port 443 (HTTPS) on ESXi.
  • Connect to the ESXi host through SSH.
  • Run the following command to create a temporary JSON file containing the current rhttpproxy config options:
     /bin/configstorecli config current get -c esx -g services -k rhttpproxy -outfile tmp.json
  • Run the following command to edit the file:
     /bin/vi tmp.json
  • Add the following configuration options to the temporary JSON file to disable the weak SHA1 and/or CBC ciphers (the cipher_list value is an OpenSSL cipher string that selects only ECDHE key exchange with AES-GCM):
     {
        "vmacore": {
           "ssl": {
              "cipher_list": "ECDHE+AESGCM"
           }
        }
     }
  • Run the following command to apply the file to the configuration store database:
     /bin/configstorecli config current set -c esx -g services -k rhttpproxy -infile tmp.json
  • Run the following command to restart the rhttpproxy service so that it picks up the new configuration:
     /etc/init.d/rhttpproxy restart
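Before applying the cipher_list above, and again after the rhttpproxy restart, an administrator will want to confirm what "ECDHE+AESGCM" actually selects and that the flagged suites are no longer negotiable. The following Python script is an added example, not part of this KB article or of ESXi; it runs on an admin workstation with an OpenSSL-backed Python, and the IANA-to-OpenSSL name mapping and the host/port used for the live check are assumptions.

```python
import socket
import ssl
from typing import List

# Cipher string from the rhttpproxy config above (vmacore.ssl.cipher_list).
KB_CIPHER_LIST = "ECDHE+AESGCM"

# IANA suite names flagged by the scan, mapped to the OpenSSL names that the
# ssl module reports. The mapping follows standard OpenSSL naming (assumption).
FLAGGED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
}


def expand_cipher_list(cipher_list: str) -> List[str]:
    """Return the TLS 1.2 suites an OpenSSL cipher string selects.
    TLS 1.3 suites are filtered out: an OpenSSL cipher_list string does not
    govern them, so get_ciphers() lists them regardless of the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def still_allowed(cipher_list: str) -> List[str]:
    """Flagged suites (IANA names) that the cipher string would still enable."""
    enabled = set(expand_cipher_list(cipher_list))
    return [iana for iana, ossl in FLAGGED_SUITES.items() if ossl in enabled]


def host_accepts(host: str, port: int, openssl_name: str) -> bool:
    """Live check against your own ESXi host after the restart: offer exactly
    one TLS 1.2 suite and report whether the server negotiates it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing cipher negotiation, not trust
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_name)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock) as tls:
                return tls.cipher()[0] == openssl_name
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print("Suites selected by", KB_CIPHER_LIST, "->", expand_cipher_list(KB_CIPHER_LIST))
    print("Flagged suites still enabled:", still_allowed(KB_CIPHER_LIST))
    esxi_host = "esxi.example.local"  # placeholder: your own host
    for iana, ossl in FLAGGED_SUITES.items():
        print(iana, "accepted by host:", host_accepts(esxi_host, 443, ossl))
```

After the restart every flagged suite should report "accepted by host: False"; if one still negotiates, the configstorecli set step did not take effect or the service was not restarted.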