Disabling weak ciphers in vSphere Replication or Site Recovery Manager appliance
Article ID: 312796

Updated On:

Products

VMware Live Recovery

Issue/Introduction

This article describes the steps to disable weak ciphers in vSphere Replication, VMware Site Recovery Manager and VMware Live Site Recovery.

Environment

  • VMware Site Recovery Manager 8.x
  • VMware vSphere Replication 8.x
  • VMware Live Site Recovery 9.x
  • VMware vSphere Replication 9.x

Resolution

Follow the steps below to disable the weak ciphers:

  1. Log in to the vSphere Replication or Site Recovery Manager appliance as root (SSH or console).
  2. Back up, then edit the Envoy listener configuration. The path depends on the version:
     - 9.0.2 and earlier: /opt/vmware/envoy/conf/envoy-proxy.yaml
     - vLR 9.0.3 and later: /opt/vmware/etc/envoy/envoy-proxy.listeners.yaml
     Find the following entry and remove the unwanted ciphers:
     cipher_suites: "ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES"
     Note: The entry appears twice, once for the port 5480 listener (appliance management interface) and once for port 443. Edit both, otherwise the unwanted ciphers stay enabled on one of the ports.
  3. Restart the Envoy proxy service: systemctl restart envoy-proxy.service
     The restart briefly drops connections on both ports.

Note: Envoy cipher suites are written as a colon-separated OpenSSL cipher string in preference order. The RSA+AESGCM and RSA+AES groups use static RSA key exchange (no forward secrecy), and the two +AES groups admit the CBC-mode suites that scanners usually flag, so a common end result is to keep only ECDHE+AESGCM. Leave at least one suite that your clients (browsers, vCenter Server, the paired site) support, and note that cipher_suites only governs TLS 1.2 and earlier; it has no effect on TLS 1.3 negotiation in Envoy.
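
A shell version of the procedure above, added here as an example (it is not code from the VMware KB or from the appliance): it strips the unwanted groups from the cipher string, rewrites both listener entries in a copy of the YAML after taking a backup, and expands the result with openssl ciphers before you restart. The YAML it edits is constructed for the demo; only the cipher_suites lines mirror the appliance file. CONF, WORK and the three function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the VMware KB or from the appliance.
# It applies the three steps above to a CONSTRUCTED copy of the listener
# YAML so it can run anywhere; on a real appliance set CONF to the path for
# your version and run the systemctl restart yourself.

# Drop the named groups from a colon-separated OpenSSL cipher string.
# Groups not named are kept, in their original (preference) order.
strip_ciphers() {
    _list="$1"; shift
    _out=""
    for _entry in $(printf '%s' "$_list" | tr ':' ' '); do
        _keep=1
        for _bad in "$@"; do
            if [ "$_entry" = "$_bad" ]; then _keep=0; fi
        done
        if [ "$_keep" -eq 1 ]; then _out="${_out:+$_out:}$_entry"; fi
    done
    printf '%s\n' "$_out"
}

# Replace the value of every cipher_suites line in a file (both the 5480 and
# 443 listeners) after saving a timestamped backup next to it.
# Prints the number of lines that now carry the new value.
apply_ciphers() {
    _file="$1"; _new="$2"
    cp "$_file" "$_file.$(date +%Y%m%d%H%M%S).bak"
    sed 's|\(cipher_suites: \)"[^"]*"|\1"'"$_new"'"|' "$_file" > "$_file.tmp" \
        && mv "$_file.tmp" "$_file"
    grep -c "cipher_suites: \"$_new\"" "$_file"
}

# Constructed stand-in for the listener file: only the cipher_suites lines
# matter here; the real file has more structure around them.
make_sample_conf() {
    cat > "$1" <<'EOF'
listeners:
  - name: vami
    address: { socket_address: { address: 0.0.0.0, port_value: 5480 } }
    tls_params:
      cipher_suites: "ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES"
  - name: https
    address: { socket_address: { address: 0.0.0.0, port_value: 443 } }
    tls_params:
      cipher_suites: "ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES"
EOF
}

WORK=$(mktemp -d)
CONF="$WORK/envoy-proxy.listeners.yaml"   # assumed: a scratch copy, not the appliance path
make_sample_conf "$CONF"

ORIG='ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES'
# Keep only forward-secret AES-GCM: drop static-RSA key exchange and CBC mode.
NEW=$(strip_ciphers "$ORIG" RSA+AESGCM ECDHE+AES RSA+AES)
echo "new cipher_suites: $NEW"
echo "listeners updated: $(apply_ciphers "$CONF" "$NEW")"

# Sanity check before restarting: the string must still expand to real
# suites, or Envoy rejects the config and both ports stay down.
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v "$NEW" | awk '{ print "  " $1, $2 }'
fi
# On the appliance the last step is: systemctl restart envoy-proxy.service
# then verify from another host: nmap --script ssl-enum-ciphers -p 443,5480 <appliance>
```

The sed pattern only touches the quoted value after cipher_suites:, so the surrounding YAML is left alone; the grep count at the end is the quick check that both listeners, not just one, picked up the new string.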

Additional Information

Steps to validate the supported ciphers.

Use the following command to list the ciphers the SRM/VR appliance still offers:

nmap --script ssl-enum-ciphers -p [port] [destination_name]

  • Port - The port the service listens on, for example 443 or 5480. Scan both, since each listener has its own cipher_suites entry.
  • Destination_name - The FQDN or IP address of the target system, for example the SRM/VR appliance.

Example: to scan SRM on IP ###.*##.##.01, listening on port 443, run: nmap --script ssl-enum-ciphers -p 443 ###.*##.##.01

Run the scan before and after the change so you can confirm the removed groups are gone from the TLSv1.2 list; the script also grades each suite, which is what the scanner that flagged the appliance is likely to report.