Disabling static ciphers for TLS in the vCenter Server appliance
search cancel

Disabling static ciphers for TLS in the vCenter Server appliance

book

Article ID: 322335

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:


A security scan reports "static TLS ciphers" or "non-ephemeral TLS ciphers" as an area of concern.
This includes, but not limited to, ciphers such as TLS_RSA_WITH_AES_128_CBC_SHA or TLS_RSA_WITH_AES_128_GCM_SHA256.
3rd party security scans or audits request that VMware Administrators disable specific ciphers that are deemed "weak" and "not secure", often having deadlines to complete this request.

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

This issue occurs as the TLS protocol uses an RSA key within the TLS handshake to affirm identity, and with a "static TLS cipher" the same RSA key is used to encrypt a premaster secret used for further encrypted communication. If the RSA private key were compromised, all previous communication could be decrypted. Newer TLS ciphers use Diffie-Hellman with ephemeral keys (DHE, ECDHE) to negotiate a one-time key so that previous communication cannot be decrypted in the event of key compromise. vSphere products have supported ephemeral key exchange since at least version 6.0.

Resolution

To resolve this issue, disable weak cipher algorithms.

Note: VMware presently does not consider static TLS ciphers as insecure, in alignment with current industry standards. Additionally, many older (legacy) software products in the enterprise Datacenter (For example, Java7) lack support for ephemeral key exchange and interoperability with such products would break if static TLS ciphers were to be disabled. As such, VMware does not recommend disabling static TLS ciphers.

However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their own security policies. It is recommended that backups are taken prior to disabling any ciphers as VMware cannot guarantee full interoperability across all products that interact with vCenter Server after disablement.


Prior to performing the below instructions, it is important backups have been taken for the vCenter Server appliance. At minimum, ensure you have a backup of the following file to restore to - /etc/vmware-rhttpproxy/config.xml

Ciphers to enable/disable are located in the following file: /etc/vmware-rhttpproxy/config.xml

The 'cipherList' tag is not populated by default, and would need to insert the following tags <cipherList></cipherList> within the .xml as below:

Example layout:

 <config>
   ...
   <vmacore>
  ...
  <ssl>
    ...
    <cipherList>list of cipher strings</cipherList>
    ...
  </ssl>
  ...
   </vmacore>
   ...
 </config>
 
For vCenter Server 8.0u3, use API to manage TLS:
https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-A5FBEA1A-3680-4562-970C-58F419BDCDC8.html#GUID-A67269F2-D893-472B-A2FE-39B5CF130254
 
For vCenter Server 7.0U3q and vCenter Server 8.0U2d and later:
 
Add the following cipher list to the configuration file /etc/vmware-rhttpproxy/config.xml to restrict the ciphers : 
<cipherList>ECDHE+AESGCM</cipherList>
Note: Only following ciphers will be enabled on Port 443 after setting above cipherlist:
 
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
 
 
For versions prior to vCenter Server 7.0U3q and vCenter Server 8.0U2d:

The ciphers are populated in one line, with the format defined as:

<cipherList>{operator}{cipher string}:{operator}{cipher string}:{operator}{cipher string}</cipherList>

 Operator "!" used to disable a cipher
 ":" must separate each definition
 
 Note: There are additional operators, but for the purpose of this KB article you will be using strictly "!" or none

Example: <cipherList>!aNULL:ECDH+AES:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHAC</cipherList>

Use the "!" operator infront of any cipher you wish to disable. Once complete, save changes to /etc/vmware-rhttpproxy/config.xml

Restart rhttpproxy for the changes to apply: vmon-cli -r rhttpproxy

Validating via OpenSSL
========================

Testing if the Cipher is enabled:

Command: openssl s_client -cipher <cipher> -connect <vCenter_IP>:443

Output to expect:

 New, TLSv1/SSLv3, Cipher is <cipher specificed in command above>
 Server public key is 2048 bit
 Secure Renegotiation IS supported

....

    Start Time: 1630678292
    Timeout : 300 (sec)
    Verify return code: 0 (ok)

If the cipher is disabled, the following output would likely show:

CONNECTED(00000003)
140521094973088:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 99 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Additional Information

An example of the ciphers to add to the configuration file can be referred to below:

<cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>


Powered by Wolken Software