Disabling weak ciphers in vSphere Replication or Site Recovery Manager appliance


Article ID: 312796


Updated On:

Products

VMware Live Recovery

Issue/Introduction

This article describes the steps to disable any weak ciphers in vSphere Replication and Site Recovery Manager 8.4 or higher.

Symptoms:

A security scanning tool reports that vSphere Replication or Site Recovery Manager 8.4 or higher uses weak ciphers.



Environment

VMware Site Recovery Manager 8.4 and higher.
VMware vSphere Replication 8.4 and higher.
VMware Live Site Recovery 9.x
VMware vSphere Replication 9.x

Resolution

Currently, there is no resolution.

Workaround:

To work around this issue, follow the steps below:

  1. Log in to the vSphere Replication or Site Recovery Manager appliance.
  2. Edit /opt/vmware/envoy/conf/envoy-proxy.yaml. Find the following entry and remove the unwanted ciphers:
    cipher_suites: "ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES"
    Note: There are two such entries, one for port 5480 and one for port 443. Edit both.
  3. Restart the Envoy proxy service with the command "systemctl restart envoy-proxy.service".

Note: Envoy proxy cipher suites are separated by colons.
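As an added example (not part of the KB article), the following Python script carries out step 2 on a constructed stand-in for envoy-proxy.yaml: it drops the named entries from every colon-separated cipher_suites string and reports how many entries changed, so you can confirm that both the port 5480 and port 443 entries were edited. The listener names and surrounding YAML keys are assumptions; only the cipher string itself comes from the article.

```python
import re

# Constructed stand-in for the relevant fragments of envoy-proxy.yaml; the
# real file has many more keys. Both listeners carry the same cipher string.
SAMPLE_YAML = """\
static_resources:
  listeners:
  - name: admin_5480
    transport_socket:
      tls_params:
        cipher_suites: "ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES"
  - name: https_443
    transport_socket:
      tls_params:
        cipher_suites: "ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES"
"""

# Matches one cipher_suites line; group 2 is the quoted colon-separated value.
CIPHER_LINE = re.compile(r'^([ \t]*cipher_suites:[ \t]*")([^"]*)(".*)$', re.MULTILINE)


def remove_ciphers(yaml_text, unwanted):
    """Return (new_text, entries_changed). Each token listed in `unwanted` is
    dropped from every cipher_suites string; remaining tokens keep their order.
    An entry is never left empty, so a typo in `unwanted` cannot wipe the list."""
    unwanted = set(unwanted)
    changed = 0

    def rewrite(match):
        nonlocal changed
        tokens = [t for t in match.group(2).split(":") if t]
        kept = [t for t in tokens if t not in unwanted]
        if not kept:
            raise ValueError("refusing to leave cipher_suites empty")
        if kept != tokens:
            changed += 1
        return match.group(1) + ":".join(kept) + match.group(3)

    return CIPHER_LINE.sub(rewrite, yaml_text), changed


def cipher_entries(yaml_text):
    """List every cipher_suites value, to verify both listeners were edited."""
    return [m.group(2) for m in CIPHER_LINE.finditer(yaml_text)]


if __name__ == "__main__":
    # Example: drop the static-RSA key-exchange entries (no forward secrecy), keep ECDHE.
    new_text, count = remove_ciphers(SAMPLE_YAML, ["RSA+AESGCM", "RSA+AES"])
    print(f"{count} cipher_suites entries rewritten")
    for value in cipher_entries(new_text):
        print(value)
```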

Additional Information

Steps to validate the supported cipher suites.

Use the command below to list the ciphers the SRM/VR appliance offers on a given port:

nmap --script ssl-enum-ciphers -p [port] [destination_name]

  • port - The port the service is listening on or that is to be scanned, for example 443 or 5480.
  • destination_name - The FQDN or IP address of the target system, for example the SRM/VR appliance.

Example: To scan an SRM appliance at IP ###.*##.##.01 listening on port 443, run: nmap --script ssl-enum-ciphers -p 443 ###.*##.##.01