Disabling static ciphers for TLS in the vCenter Server appliance (Legacy builds only)
Article ID: 322335
Updated On:
Products
Issue/Introduction
This includes, but not limited to, ciphers such as TLS_RSA_WITH_AES_128_CBC_SHA or TLS_RSA_WITH_AES_128_GCM_SHA256.
3rd party security scans or audits request that VMware Administrators disable specific ciphers that are deemed "weak" and "not secure", often having deadlines to complete this request.
Environment
Cause
This issue occurs as the TLS protocol uses an RSA key within the TLS handshake to affirm identity, and with a "static TLS cipher" the same RSA key is used to encrypt a premaster secret used for further encrypted communication. If the RSA private key were compromised, all previous communication could be decrypted. Newer TLS ciphers use Diffie-Hellman with ephemeral keys (DHE, ECDHE) to negotiate a one-time key so that previous communication cannot be decrypted in the event of key compromise. vSphere products have supported ephemeral key exchange since at least version 6.0.
Resolution
To resolve this issue, disable weak cipher algorithms.
Note: VMware presently does not consider static TLS ciphers as insecure, in alignment with current industry standards. Additionally, many older (legacy) software products in the enterprise Datacenter (For example, Java7) lack support for ephemeral key exchange, and interoperability with such products would break if static TLS ciphers were to be disabled. As such, VMware does not recommend disabling static TLS ciphers.
However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their own security policies. It is recommended that backups be taken prior to disabling any ciphers, as VMware cannot guarantee full interoperability across all products that interact with vCenter Server after disablement.
Before performing the below instructions, please ensure backups or a proper snapshot of the vCenter Server VM have been taken.
For vCenter Server 8.0u3, use API to manage TLS profiles:
The below steps are for legacy builds.
- The method of managing TLS ciphers by editing the config.xml as outlined in this article is not supported by vCenter 8.0 U3. It is required to use the new method of TLS profiles.
Ports 443, 9087, 8084:
Ciphers to enable/disable are located in the following file: /etc/vmware-rhttpproxy/config.xml
The 'cipherList' tag is not populated by default, and would need to insert the following tags <cipherList></cipherList> within the .xml as below:
Example layout:
<config>
...
<vmacore>
...
<ssl>
...
<cipherList>list of cipher strings</cipherList>
...
</ssl>
...
</vmacore>
...
</config>
/etc/vmware-rhttpproxy/config.xml to restrict the ciphers :<cipherList>ECDHE+AESGCM</cipherList>Note: Only the following ciphers will be enabled on Port 443 after setting the above cipherlist:
ECDHE-RSA-AES256-GCM-SHA384ECDHE-RSA-AES128-GCM-SHA256The ciphers are populated in one line, with the format defined as:
<cipherList>{operator}{cipher string}:{operator}{cipher string}:{operator}{cipher string}</cipherList>
":" must separate each definition
Note: There are additional operators, but for this KB article we will be using strictly "!" or none
Example: <cipherList>!aNULL:ECDH+AES:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHAC</cipherList>
Use the "!" operator in front of any cipher you wish to disable. Once complete, save changes to /etc/vmware-rhttpproxy/config.xml
Restart rhttpproxy for the changes to apply:
vmon-cli -r rhttpproxy
Port 636:
- Connect to vCenter Server via SSH
- Execute Likewise Shell (
lwregshell)
/opt/likewise/bin/lwregshell - Change path to VMDIR Paramters
cd HKEY_THIS_MACHINE\Services\vmdir\Parameters - Add the required SSL cipherlist
e.g., add_value "SslCipherSuite" REG_SZ "!aNULL:ECDH+AES:!RSA+AES:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:@STRENGTH" - Execute the 'ls' command to check if the above value is updated
ls - Exit from Likewise Shell
exit - Restart the
vmdirdservice
service-control --stop vmdird service-control --start vmdird
Port 5480:
- Connect to the vCenter Server using SSH (eg, Putty).
- Navigate to the "
/etc/applmgmt/appliance/"
cd /etc/applmgmt/appliance/ - Take a backup of
lighttpd.conffile.cp lighttpd.conf lighttpd.conf_backup - Update '
ssl.cipher-list' in lighttpd.conf file with the required SSL cipher list,
e.g., ssl.cipher-list = "!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!AES256-SHA:!AES128-SHA" - Save and close the
lighttpd.conffile. - Restart the
vami-lighttpservice
service vami-lighttp restart
Port 5580:
- Connect to the vCenter Server using SSH (eg, Putty).
- Navigate to
/usr/lib/vmware-pod/bincd /usr/lib/vmware-pod/bin - Edit file
pod-twistd
vi pod-twistd - Locate
VMW_CIPHERS= ‘xxxx’ and configure the required ciphers
e.g, VMW_CIPHERS = '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!AES256-SHA:!AES128-SHA' - Restart the vmware-pod service
service vmware-pod restart
Note :
The ciphers provided above are only examples and may not match your requirements.
Please make sure you provide the list of ciphers as per your requirement and test them using openssl or nmap as shown in the Additional Information section below.
Additional Information
An example of the ciphers to add to the configuration file can be referred to below:
<cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>
Testing if the Cipher is enabled can be done using openssl or nmap :
Using openssl :
Command:
openssl s_client -cipher <cipher> -connect <vCenter_IP>:443Output to expect:
New, TLSv1/SSLv3, Cipher is <cipher specificed in command above>
Server public key is 2048 bit
Secure Renegotiation IS supported
....
Start Time: 1630678292
Timeout : 300 (sec)
Verify return code: 0 (ok)
If the cipher is disabled, the following output would likely show:
CONNECTED(00000003)
140521094973088:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 99 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONEUsing nmap ( This must be performed from a machine where nmap is installed ) :
Command :
nmap --script ssl-enum-ciphers -p <port number> <vCenter IP>Output to expect :
Nmap scan report for vcenter.domain.local ( 192.168.#.# )
Host is up (0.00076s latency).
PORT STATE SERVICE
5580/tcp open tmosms0
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 3072) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 3072) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
Feedback
