Enabling non-FIPS TLS 1.3 on port 443 in ESX.
Article ID: 312033

Products

VMware vSphere ESXi

Issue/Introduction

TLS 1.3 is disabled by default on port 443 in ESX because the reverse proxy (rhttpproxy) is not yet FIPS validated for TLS 1.3 usage. This article describes how to forcibly enable TLS 1.3 without FIPS on vSphere 8.0u2 and above.


Environment

VMware vSphere ESXi 8.0.x
VMware vSphere ESXi 8.0.2

Resolution

Depending on the environment, either of the two options below can be used:

  • Change Cluster wide setting using vSphere Configuration Profiles

  • Change setting on Standalone hosts

Change Cluster wide setting using vSphere Configuration Profiles

Step I: Create a draft.
With the Draft Configuration feature in 8.0U2, the cluster configuration can be edited using drafts. Refer to the Using vSphere Configuration Profiles to Manage Host Configuration at a Cluster Level documentation for details.

Step II:

In the Draft tab:
1. Select esx -> services -> rhttpproxy -> CONFIGURE SETTINGS
2. Select a) Show advanced settings -> b) rhttpproxy -> c) vmacore -> d) ssl
3. a) Set protocols to tls1.2, tls1.3.
   b) Save the draft.
The UI screenshot for steps 2 and 3:

[Screenshot: enable-tls1.3-using-configuration-profiles.png]

Step III: Apply the draft configuration.

To undo and remove TLS 1.3 support:
This is similar to the previous section, except that the protocols configuration is deleted from the draft instead of being set.

Change setting on Standalone hosts:

SSH into the ESX host and run the commands below to enable TLS 1.3 on port 443.

Step 1: Export the current configuration to a JSON file.

[root@esx] configstorecli config current get -c esx -g services -k rhttpproxy -o rhttpproxy-cfg.json
Data written to rhttpproxy-cfg.json

Step 2: Edit the JSON file and add the protocols field as shown below.

If the ssl/vmacore objects are already present, they need not be added again.

[root@esx] vi rhttpproxy-cfg.json
{
   "vmacore": {
      "ssl": {
         "protocols": "tls1.2, tls1.3"
      }
   }
}

Step 3: Set the new configuration.

[root@esx] configstorecli config current set -c esx -g services -k rhttpproxy -j rhttpproxy-cfg.json
Set: Completed successfully

Step 4: Restart rhttpproxy to apply the configuration.

[root@esx] /etc/init.d/rhttpproxy restart
VMware HTTP reverse proxy stopped.
VMware HTTP reverse proxy started.


To undo and remove TLS 1.3 support:

This is similar to the previous section, except that in Step 2 the protocols field is deleted from the JSON. If the parent objects ssl and vmacore have no other properties, they can be removed as well.
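As an added example (not from this article or from VMware), the Step 2 edit and its undo as a small Python script that can be run against the exported file. The script name edit_rhttpproxy_cfg.py and the two sample configurations are constructed for illustration.

```python
import copy
import json
import sys

TLS13_PROTOCOLS = "tls1.2, tls1.3"  # the value the article sets


def enable_tls13(cfg: dict) -> dict:
    """Return a copy of cfg with vmacore.ssl.protocols set.
    Existing vmacore/ssl objects are reused rather than added again."""
    out = copy.deepcopy(cfg)
    ssl = out.setdefault("vmacore", {}).setdefault("ssl", {})
    ssl["protocols"] = TLS13_PROTOCOLS
    return out


def disable_tls13(cfg: dict) -> dict:
    """Return a copy of cfg without the protocols field (the undo step).
    ssl and vmacore are dropped too when nothing else remains in them."""
    out = copy.deepcopy(cfg)
    ssl = out.get("vmacore", {}).get("ssl")
    if isinstance(ssl, dict):
        ssl.pop("protocols", None)
        if not ssl:
            out["vmacore"].pop("ssl")
        if not out["vmacore"]:
            out.pop("vmacore")
    return out


def tls13_enabled(cfg: dict) -> bool:
    """True when tls1.3 is listed in vmacore.ssl.protocols."""
    protos = cfg.get("vmacore", {}).get("ssl", {}).get("protocols", "")
    return "tls1.3" in [p.strip() for p in protos.split(",")]


# Constructed samples (not a real export): an empty export, and one whose
# vmacore.ssl object already carries a placeholder property.
EMPTY_EXPORT = {}
EXISTING_EXPORT = {"vmacore": {"ssl": {"placeholder_setting": "x"}}}

if __name__ == "__main__":
    # usage: python edit_rhttpproxy_cfg.py enable|disable rhttpproxy-cfg.json
    action, path = sys.argv[1], sys.argv[2]
    with open(path) as f:
        cfg = json.load(f)
    cfg = enable_tls13(cfg) if action == "enable" else disable_tls13(cfg)
    with open(path, "w") as f:
        json.dump(cfg, f, indent=3)
```

After the configstorecli set in Step 3 and the rhttpproxy restart in Step 4, confirm the result from a client with openssl s_client -connect <esx-host>:443 -tls1_3; a successful handshake reports "Protocol  : TLSv1.3" in its SSL-Session output.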


Workaround:

Currently there is no workaround.