Disable/Enable NSX-T Manager Ciphers or TLS Settings
search cancel

Disable/Enable NSX-T Manager Ciphers or TLS Settings

book

Article ID: 319144

calendar_today

Updated On:

Products

VMware NSX VMware NSX-T Data Center

Issue/Introduction

During a security audit or scan, or during regular use of the NSX-T API, you may find that certain TLS versions or encryption ciphers do not comply with your organization's security standards or needs.

Environment

VMware NSX-T Data Center
VMware NSX

Cause

VMware has always tried to follow industry standards when it comes to TLS and encryption ciphers for security purposes.  This article is meant to provide information on the TLS and cypher versions that are used and how to disable / enable specific ciphers or TLS versions.

Resolution

Host / Transport Node TLS/ciphers over port 1235 are not currently configurable in NSX-T.
Host control over port 1235 uses TLS v1.2.

You can modify the TLS versions and Cypher Suites allowed on NSX-T API and web services over port 443.
As of NSX-T 4.1.2 TLS v1.3 is available for Web and API and is enabled by default.
TLS v1.1 is still available and can be enabled, but is not recommended for common use.
 
You can verify the details of CIPHERS and TLS version being used for port 443 and 1235, with the nmap tool.
 
nmap -p 443 --script ssl-cert,ssl-enum-ciphers <NSX Manager IP>
 
To view the currently enabled cypher suites and status of TLS versions in NSX-T
 
Run the following GET API call in a restful application.
 
GET https://[NSX-Manager-IP]/api/v1/cluster/api-service
 
Alternatively you can run the GET call from a command line using curl.
 
curl -k -X GET -u admin https://[NSX-Manager-IP]/api/v1/cluster/api-service
 
 
The output will list all of the TLS versions and cypher suits and their status
 
{
  "session_timeout" : 0,
  "connection_timeout" : 30,
  "protocol_versions" : [ {
    "name" : "TLSv1.1",
    "enabled" : false
  }, {
    "name" : "TLSv1.2",
    "enabled" : true
  }, {
    "name" : "TLSv1.3",
    "enabled" : true
  } ],
  "cipher_suites" : [ {
    "name" : "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "enabled" : true
  }, {
    "name" : "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "enabled" : true
  }, {
    "name" : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "enabled" : true
  }, {
    "name" : "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "enabled" : true
  }, {
    "name" : "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "enabled" : true
  }, {
    "name" : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "enabled" : true
  }, {
    "name" : "TLS_RSA_WITH_AES_128_CBC_SHA",
    "enabled" : true
  }, {
    "name" : "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "enabled" : true
  }, {
    "name" : "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "enabled" : true
  }, {
    "name" : "TLS_RSA_WITH_AES_256_CBC_SHA",
    "enabled" : true
  }, {
    "name" : "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "enabled" : true
  }, {
    "name" : "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "enabled" : true
  }, {
    "name" : "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "enabled" : true
  }, {
    "name" : "TLS_AES_128_GCM_SHA256",
    "enabled" : true
  }, {
    "name" : "TLS_AES_256_GCM_SHA384",
    "enabled" : true
  }, {
    "name" : "TLS_CHACHA20_POLY1305_SHA256",
    "enabled" : true
  } ],
  "redirect_host" : "",
  "client_api_rate_limit" : 100,
  "global_api_concurrency_limit" : 199,
  "client_api_concurrency_limit" : 40,
  "basic_authentication_enabled" : true,
  "cookie_based_authentication_enabled" : true,
  "resource_type" : "ApiServiceConfig",
  "id" : "reverse_proxy_config",
  "display_name" : "reverse_proxy_config",
  "_system_owned" : false,
  "_protection" : "NOT_PROTECTED",
  "_create_time" : 1729695939951,
  "_create_user" : "system",
  "_last_modified_time" : 1731517707186,
  "_last_modified_user" : "admin",
  "_revision" : 8
}
 
 
>>From UI we can disable TLS version 1.1 for that need to Navigate the Loadbalancer >SSL profile > custom 
>>If by default added in SSL profile we can remove that 
To change/disable the status of any cipher or TLS version, set the value of enabled to FALSE in the body you received from the GET call and use this as the body for a PUT.
 
Use a restful application to make the PUT call and also we can disable from the UI 
    1. Ensure you have application data type set to JSON.
    2. Paste the BODY from the GET call with your modifications.
    3. PUT api/v1/cluster/api-service
    4. Your output should be a copy of the body with your changes.
    5. Confirm the change by running the GET API call again.
 
Alternatively you can use a command line to issue the PUT using the curl command.
    1. Save the BODY of the GET call to a file.
      1. curl -k -X GET -u admin https://[NSX-Manager-IP]/api/v1/cluster/api-service > filename.json
    2. Make any desired modifications to the data in the file.
      1. curl -k -u admin -X PUT -H "Content-Type: application/json" -H "X-Allow-Overwrite: true" -d "@path/to/body/file" https://[manager-ip]/api/v1/cluster/api-service
    3. Your output should show your body with the changes you made.
    4. Confirm the change by running the GET API call from above.

 

Additional Information

TLS v1.1 has been deprecated and is not recommended for general use.

Decision to disable the existing CIPHERS and TLS version being used should be taken in accordance with the security requirement of customer organization or only after a known vulnerability identification in the environment.

Powered by Wolken Software