Enabling non-FIPS TLS 1.3 on port 443 in ESX.

Article ID: 312033


Products

VMware vSphere ESXi

Issue/Introduction

TLS 1.3 is disabled by default on port 443 in ESX because the reverse proxy (rhttpproxy) is not yet FIPS validated for TLS 1.3. This article describes how to force-enable TLS 1.3 without FIPS on vSphere 8.0 Update 2 and later. Note that doing so puts the port 443 listener into a non-FIPS configuration.

Environment

VMware vSphere ESXi 8.0.x
VMware vSphere ESXi 8.0 Update 2 
VMware vSphere ESXi 8.0 Update 3

Resolution

For vSphere 8.0 Update 3 and above:

  • Starting with 8.0 Update 3, an additional step is required: change the system-wide inbound TLS profile on ESXi to “MANUAL” before local edits to the rhttpproxy configuration are respected.
  • Refer to this guide to change the TLS profile to “MANUAL” using either the vSphere Client or the CLI.
    Note: ESXi needs to be rebooted to apply the “MANUAL” profile (this is done automatically when the vSphere Client is used).
    Note that the MANUAL profile is not a supported configuration.
    Then continue with the steps below.

8.0U2 and Older Releases:
Based on the environment, either of the below two options can be used to change the proxy configuration to enable non-FIPS TLS 1.3 on port 443:


  • Change Cluster wide setting using vSphere Configuration Profiles

  • Change setting on Standalone hosts

Change Cluster wide setting using vSphere Configuration Profiles

Step I: Create a draft.
With the Draft Configuration feature in 8.0U2, cluster configuration can be edited using drafts. Please refer to Using vSphere Configuration Profiles to Manage Host Configuration at a Cluster Level documentation for details.

Step II:

In the Draft tab:
1. Select esx -> services -> rhttpproxy -> CONFIGURE SETTINGS
2. Select a) Show advanced settings -> b) rhttpproxy -> c) vmacore -> d) ssl
3. a) Set protocols to tls1.2, tls1.3.
    b) Save the draft.
UI screenshot for steps 2 and 3: (image not reproduced here)


Step III: Apply the draft configuration.

To undo and remove TLS 1.3 support:
Follow the same steps as above, but delete the protocols setting instead of setting it.
For vSphere 8.0 Update 3 and above, the TLS server profile can optionally be reverted from MANUAL to its previous value.

Change setting on Standalone hosts:

SSH into the ESX host and run the commands below to enable TLS 1.3 on port 443.

Step 1: Get current configuration to a json file.

[root@esx] configstorecli config current get -c esx -g services -k rhttpproxy -o rhttpproxy-cfg.json
Data written to rhttpproxy-cfg.json

Step 2: Edit the JSON file and add the protocols field as shown below.

If the vmacore and ssl objects are already present in the exported file, do not add them again; add only the protocols field inside the existing ssl object.

[root@esx] vi rhttpproxy-cfg.json
{
   "vmacore": {
      "ssl": {
         "protocols": "tls1.2, tls1.3"
      }
   }
}

Step 3: Set the new configuration.

[root@esx] configstorecli config current set -c esx -g services -k rhttpproxy -j rhttpproxy-cfg.json
Set: Completed successfully

Step 4: Restart rhttpproxy to apply the configuration.

[root@esx] /etc/init.d/rhttpproxy restart
VMware HTTP reverse proxy stopped.
VMware HTTP reverse proxy started.


To undo and remove TLS 1.3 support:

Follow the same steps as above, except that in Step 2 you delete the protocols field from the JSON. If the parent objects ssl and vmacore have no other properties left, they can be removed as well.
For vSphere 8.0 Update 3 and above, the TLS server profile can optionally be reverted from MANUAL to its previous value.
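The manual JSON edit in Step 2, and its reversal in the undo procedure above, are the error-prone part of the standalone-host workflow: the protocols field must be added inside an existing ssl object if one is present, and on removal the now-empty ssl and vmacore parents should be pruned. The following helper is an added example and not a VMware tool or part of this article; it performs that edit on the exported rhttpproxy-cfg.json so the file can then be loaded with the configstorecli set command from Step 3. The JSON layout is the one shown in Step 2; the key "other_setting" in the embedded sample is a constructed placeholder used only to show that unrelated settings are preserved.

```python
"""Add or remove the non-FIPS TLS 1.3 setting in an exported rhttpproxy
ConfigStore document.  Added example helper, not a VMware tool.

Usage:
    python3 rhttpproxy_tls13.py enable  rhttpproxy-cfg.json
    python3 rhttpproxy_tls13.py disable rhttpproxy-cfg.json
"""
import json
import sys
from copy import deepcopy

# Value the article sets under vmacore.ssl.protocols.
TLS12_AND_13 = "tls1.2, tls1.3"

# Constructed sample standing in for the output of
# "configstorecli config current get ... -o rhttpproxy-cfg.json".
# "other_setting" is a placeholder key, not a real ESXi setting.
SAMPLE_EXPORT = {"vmacore": {"ssl": {"other_setting": "kept"}}}


def enable_tls13(cfg):
    """Return a copy of cfg with vmacore.ssl.protocols set to TLS 1.2 + 1.3.

    Existing keys under "vmacore" and "ssl" are preserved, which is what the
    article means by not adding those objects again when already present.
    Calling this twice is harmless (idempotent).
    """
    new = deepcopy(cfg)
    ssl = new.setdefault("vmacore", {}).setdefault("ssl", {})
    ssl["protocols"] = TLS12_AND_13
    return new


def disable_tls13(cfg):
    """Return a copy of cfg with the protocols field removed.

    If "ssl" and then "vmacore" are left without any other properties they
    are pruned as well, mirroring the article's undo step.
    """
    new = deepcopy(cfg)
    vmacore = new.get("vmacore")
    if isinstance(vmacore, dict):
        ssl = vmacore.get("ssl")
        if isinstance(ssl, dict):
            ssl.pop("protocols", None)
            if not ssl:
                vmacore.pop("ssl")
        if not vmacore:
            new.pop("vmacore")
    return new


def tls13_enabled(cfg):
    """True when the protocols list names tls1.3 (tolerant of spacing/case)."""
    protocols = cfg.get("vmacore", {}).get("ssl", {}).get("protocols", "")
    names = {p.strip().lower() for p in protocols.split(",") if p.strip()}
    return "tls1.3" in names


def main(argv):
    if len(argv) != 3 or argv[1] not in ("enable", "disable"):
        sys.exit(__doc__)
    action, path = argv[1], argv[2]
    with open(path) as f:
        cfg = json.load(f)
    cfg = enable_tls13(cfg) if action == "enable" else disable_tls13(cfg)
    with open(path, "w") as f:
        json.dump(cfg, f, indent=3)
        f.write("\n")
    print("tls1.3 enabled:", tls13_enabled(cfg))


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the file exported in Step 1, then continue with Step 3 and Step 4 unchanged. After rhttpproxy restarts, a quick check from another machine is `openssl s_client -connect <esx-host>:443 -tls1_3`, which should now negotiate TLSv1.3 instead of failing the handshake.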

Workaround

There is no workaround.