Disabling static ciphers for TLS in ESXi
search cancel

Disabling static ciphers for TLS in ESXi

book

Article ID: 320798

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • A security scan reports "static TLS ciphers" or "non-ephemeral TLS ciphers" as an area of concern.
  • This includes ciphers such as TLS_RSA_WITH_AES_128_CBC_SHA or TLS_RSA_WITH_AES_128_GCM_SHA256.

Environment

VMware vSphere ESXi 6.7
VMware vSphere ESXi 6.0
VMware vSphere ESXi 6.5
VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0

Cause

This issue occurs as the TLS protocol uses an RSA key within the TLS handshake to affirm identity, and with a "static TLS cipher" the same RSA key is used to encrypt a premaster secret used for further encrypted communication. If the RSA private key were compromised, all previous communication could be decrypted. Newer TLS ciphers use Diffie-Hellman with ephemeral keys (DHE, ECDHE) to negotiate a one-time key so that previous communication cannot be decrypted in the event of key compromise. vSphere products have supported ephemeral key exchange since at least version 6.0.

Resolution

To resolve this issue, disable weak cipher algorithms.

Note: VMware presently does not consider static TLS ciphers as insecure, in alignment with current industry standards. Additionally, many older (legacy) software products in the enterprise Datacenter (For example, Java7) lack support for ephemeral key exchange and interoperability with such products would break if static TLS ciphers were to be disabled. As such, VMware does not recommend disabling static TLS ciphers.

 
Note: If you are adjusting ciphers on ESXi 8.0, 8.0-U1, or 8.0-U2 please also see KB article 312031 (Disable weak ciphers on ESXi 8.0, 8.0 U1 and 8.0 U2)

Note: This KB does not apply to 8.0 U3 and later, from 8.0 U3 vSphere use TLS profile to manage TLS configuration.


However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their own security policies.

For port 443 (HTTPS) on ESXi

  1. Connect to the ESXi host through SSH.
  2. Take a backup of /etc/vmware/rhttpproxy/config.xml file.
  3. Open the /etc/vmware/rhttpproxy/config.xml file in a text editor.
  4. Find a line containing <cipherList>. If it doesn't exit, the user can create it within the XML structure:

    <config>
    <vmacore>
    <ssl>
    <cipherList>...</cipherList>
    </ssl>
    </vmacore>
    </config>

  5. Replace with this line:

    <cipherList>!aNULL:ECDHE+AESGCM:ECDHE+AES</cipherList>
     
  6. For changes to take effect, restart the rhttpproxy service using this command:

    /etc/init.d/rhttpproxy restart

For port 5989 (CIM) on ESXi

  1. Connect to the ESXi host through SSH.
  2. Navigate to /etc/sfcb folder.
  3. Take a backup of the sfcb.cfg file.
  4. Open the sfcb.cfg file in a text editor.
  5. Add the below line:

    sslCipherList: ECDHE+AESGCM:ECDHE+AES
     
  6. Restart the CIM service by running this command:

    /etc/init.d/sfcbd-watchdog restart

Note: for 7.0U2 and later it is not possible to manually edit the /etc/sfcb.cfg as outlined in vSphere ESXi 7.0 U2 and later versions configuration files for sfcb "wbem" and snmp can no longer be edited
This can now be modified by running the following command and specifying the required cipher strings to be used E.g:

esxcli system wbem set --ssl-cipher-list=!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:ECDHE+AESGCM:ECDHE+AES

For port 8182 (FDM) on ESXi

Note: If your vCenter is 8.0-U3 or later but your ESXi hosts are 8.0-U2 or below then there is an identified issue with custom TLS ciphers not working. It is addressed in the ESXi 8.0-U3e release notes under heading PR 3461321.
Note: Starting in vCenter 8.0.2 the FDM configuration was moved to the Configuration Store (ConfigStore) as per KB article 313289

For ESXi hosts managed by a vCenter prior to 8.0-U2

  1. Connect to the ESXi host using SSH (Putty).
  2. Take a backup of /etc/opt/vmware/fdm/fdm.cfg file.
  3.  Open the /etc/opt/vmware/fdm/fdm.cfg file in a text editor.
  4. Find a line containing <ssl>
  5. Add the following line between the <ssl> and </ssl> tags:

    <cipherList>!aNULL:ECDHE+AESGCM:ECDHE+AES</cipherList>
  6. For changes to take effect, restart the vmware-fdm service using this command:

    /etc/init.d/vmware-fdm restart

 

For ESXi hosts managed by a vCenter 8.0-U2 and later

  1. Run this command:

    /bin/configstorecli config current  get -c ha -k fdm_service -g cluster -o fdm.json

    If this json is empty, do step 2. Otherwise, skip step 2

  2. /bin/configstorecli config default  get -c ha -k fdm_service -g cluster -o fdm.json

  3. Modify fdm.json. -> Modify vmacore, ssl section with desired settings, for example:

    "vmacore": {
      "ssl": {
         "cipher_list": "ECDHE+AESGCM",
         "curves_list": "secp521r1"
      },
    },

  4. Set the new config using:

    configstorecli config current set -g cluster -c ha -k fdm_service -infile fdm.json

  5. For changes to take effect, restart the vmware-fdm service using this command:

    /etc/init.d/vmware-fdm restart

 

For port 9080 (iofilterVP) on ESXi

  1. Connect to ESXi with SSH.
  2. Stop iofiltervpd with this command: 

    /etc/init.d/iofiltervpd stop
     
  3. Modify advanced option /UserVars/ESXiVPsAllowedCiphers with this command:

    esxcli system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s !aNULL:ECDHE+AESGCM:ECDHE+AES
     
  4. Start iofiltervpd with command: 

    /etc/init.d/iofiltervpd start
     
  5. Once this is completed, you may need to go to the vSphere Client under Storage Providers, and perform a re-registration of the IOFilterVP.

    Notes: If you want to also disable CBC ciphers and only use GCM ciphers, instead of !aNULL:ECDHE+AESGCM:ECDHE+AES, use !aNULL:ECDHE+AESGCM. VMware has not tested this specific configuration, and it is recommended to have a backup/restore option available.


Additional Information

Powered by Wolken Software