How to disable TLS 1.0 and 1.1 for the Cloud Director 10.2.2.x and 10.3.x Appliance Embedded Database

Article ID: 320431

Products

VMware Cloud Director

Issue/Introduction

Symptoms:
  • Security vulnerability scans run against Cloud Director 10.2.2.x and 10.3.x report findings about the TLS configuration of the embedded Appliance database
  • The VMware Postgres (vPostgres) database used with Cloud Director 10.2.2.x and 10.3.x is flagged on vulnerability scans for accepting TLS 1.0 and 1.1
  • The scan findings state that TLS 1.0 and 1.1 must be disabled on the vPostgres version used by the Cloud Director 10.2.2.x and 10.3.x Appliance


Environment

VMware Cloud Director 10.x

Resolution

TLS 1.0 and 1.1 are not disabled by default with the Embedded Database for the VMware Cloud Director 10.2.x and 10.3.x Appliance.

To disable TLS 1.0 and 1.1 please use the workaround specified in the Workaround section.

Workaround:
  1. Open an SSH session to each node (both primary and standby cells).
  2. Add the following lines to "/var/vmware/vpostgres/10/pgdata/postgresql.auto.conf" on each Appliance (both primary and standby cells):

     ssl_prefer_server_ciphers = true
     ssl_ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'

  3. Restart the vPostgres service on each Appliance: systemctl restart vpostgres
  4. Restart the Cloud Director service on each Appliance: systemctl restart vmware-vcd
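As an added example that is not part of this KB article, the script below applies the two settings from the Workaround to postgresql.auto.conf idempotently (re-running it does not duplicate lines) and adds the client-side check a practitioner would want afterwards. Every suite in the list is a TLS 1.2-only suite (AES-GCM or SHA-256/SHA-384 HMAC), which is why restricting ssl_ciphers is enough to shut out TLS 1.0 and 1.1 clients on PostgreSQL 10, which has no ssl_min_protocol_version setting. Assumptions: bash, GNU grep, OpenSSL 1.1.1 or later for -starttls postgres, and a placeholder database host name.

```bash
#!/usr/bin/env bash
# Added example, not VMware's code: apply the KB's two vPostgres settings and
# verify from a client that the server no longer negotiates TLS 1.0 / 1.1.
set -euo pipefail

# Path from the KB article; override with PGDATA_CONF=... for other layouts.
PGDATA_CONF="${PGDATA_CONF:-/var/vmware/vpostgres/10/pgdata/postgresql.auto.conf}"
# Cipher list exactly as given in the KB article (TLS 1.2-only suites).
CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'

# apply_tls_settings FILE: rewrite FILE so that it carries exactly one active
# ssl_prefer_server_ciphers line and one ssl_ciphers line with the values above.
apply_tls_settings() {
  local conf="$1" tmp
  tmp="$(mktemp)"
  # Keep every line except earlier (possibly weaker) copies of the two managed keys.
  grep -Ev '^[[:space:]]*(ssl_prefer_server_ciphers|ssl_ciphers)[[:space:]]*=' "$conf" > "$tmp" || true
  printf '%s\n' "ssl_prefer_server_ciphers = true" "ssl_ciphers = '$CIPHERS'" >> "$tmp"
  cat "$tmp" > "$conf"   # write in place so the file keeps its owner and mode
  rm -f "$tmp"
}

# count_setting FILE KEY: number of active (uncommented) lines that set KEY.
count_setting() {
  grep -Ec "^[[:space:]]*$2[[:space:]]*=" "$1" || true
}

# check_tls_version HOST PORT VERSION: exit 0 if the server completes a
# handshake at VERSION (tls1, tls1_1 or tls1_2), non-zero if it refuses.
# After the change, tls1 and tls1_1 must fail and tls1_2 must still succeed.
check_tls_version() {
  openssl s_client -connect "$1:$2" -starttls postgres "-$3" </dev/null >/dev/null 2>&1
}

# restart_services: step 3 and 4 of the Workaround, run as root on each cell.
restart_services() {
  systemctl restart vpostgres
  systemctl restart vmware-vcd
}

# Usage on each cell (as root):   apply_tls_settings "$PGDATA_CONF" && restart_services
# Usage from a client host:       check_tls_version db.example.invalid 5432 tls1_1 && echo "TLS 1.1 still accepted"
```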