Ciphers supported on ESX/ESXi and vCenter Server
Article ID: 322855
Updated On:
Products
VMware vCenter Server
VMware vSphere ESXi
Issue/Introduction
Weak ciphers are defined based on the number of bits and techniques used for encryption. To detect supported ciphers on a specific port on ESX/ESXi hosts or on vCenter Server/vCenter Server Appliances, you can use certain open source tools such as OpenSSL by running the openssl s_client -cipher LOW -connect hostname:port command. In addition, you can use vulnerability scanners like Nessus to check SSL services on arbitrary ports.
Weak SSL encryption is detected on ESX/ESXi versions 4.0.x, 4.1 and ESXi version 5.x. However, by default both the vCenter Server and ESX hosts select the highest grade SSL or TLS cipher supported, for example, AES256-SHA.
Weak ciphers in VMware environments that result in the following situations:
- A security scan of VMware environment shows that weak SSL ciphers are detected.
- ESX or ESXi hosts fail a PCI scan due to weak ciphers being enabled.
- An audit of VMware environment discovers that the Virtual Center service supports a number of weak SSL ciphers.
- Nessus scans identify ESX hosts as supporting weak SSL ciphers.
Environment
VMware vCenter Server 5.0.x
VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 7.0.0
VMware vSphere ESXi 5.1
VMware vCenter Server Appliance 6.5.x
VMware vSphere ESXi 6.7
VMware vSphere ESXi 5.5
VMware vSphere ESXi 5.0
VMware vCenter Server 5.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server 4.1.x
VMware vSphere ESXi 6.0
VMware vSphere ESXi 6.5
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 5.1.x
VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 7.0.0
VMware vSphere ESXi 5.1
VMware vCenter Server Appliance 6.5.x
VMware vSphere ESXi 6.7
VMware vSphere ESXi 5.5
VMware vSphere ESXi 5.0
VMware vCenter Server 5.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server 4.1.x
VMware vSphere ESXi 6.0
VMware vSphere ESXi 6.5
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 5.1.x
Resolution
The following tables list the supported ciphers and their ports on ESX/ESXi and vCenter Server. These ciphers are based off of the VMware-built OpenSSL package that is shipped with vCenter Server (C:\Program Files\VMware\vCenter Server\openSSL\openssl.exe in vSphere 6.0), vCenter Server Appliance (/usr/lib/vmware-openSSL/openssl in vSphere 6.0), and ESXi (/bin/openssl). VMware does not leverage the OpenSSL package shipped natively with SLES, and does not support individual cipher disablement with the below products.
ESX/ESXi
|
Supported Ciphers
|
RC4-MD5
|
RC4-SHA
|
AES128-SHA |
DES-CBC3-SHA
|
Suite B 1,2 |
| Port 443 | |||||
| ESX 4.0 |
Supported
|
Supported
|
Supported
|
Supported
|
Not Supported |
| ESX 4.0 Update |
Supported
|
Supported
|
Supported
|
Supported
|
Not Supported |
| ESX 4.1 |
Supported
|
Supported
|
Supported
|
Supported
|
Not Supported |
| ESXi 5.x |
Not Supported
|
Not Supported
|
Supported
|
Supported
|
Supported 2 |
| ESXi 6.0 | Not Supported | Not Supported | Supported | Not Supported | Supported 2 |
| ESXi 6.5 | Not Supported | Not Supported | Supported | Not Supported | Supported 2 |
| ESXi 6.7 | Not Supported | Not Supported | Supported | Not Supported | Supported 2 |
vCenter Server
| Supported Ciphers |
RC4-MD5
|
RC4-SHA
|
DES-CBC3-SHA
|
AES128-SHA
|
EDH-RSA-DES-CBC3-SHA
|
Suite B 1,2 |
| Port 443 | ||||||
| vCenter Server 4.0 |
Supported
|
Supported
|
Supported
|
Supported
|
Supported
|
Not Supported |
| vCenter Server 4.0 Update |
Supported
|
Supported
|
Supported
|
Supported
|
Supported
|
Not Supported |
| vCenter Server 4.1 |
Supported
|
Supported
|
Supported
|
Supported
|
Supported
|
Not Supported |
| vCenter Server 5.x |
Not Supported
|
Not Supported
|
Supported
|
Supported
|
Not Supported
|
Not Supported |
| vCenter Server 6.0 | Not Supported | Not Supported | Not Supported | Supported | Not Supported | Supported 2 |
| vCenter Server 6.5 | Not Supported | Not Supported | Not Supported | Supported | Not Supported | Supported 2 |
| vCenter Server 6.7 | Not Supported | Not Supported | Not Supported | Supported | Not Supported | Supported 2 |
| Port 9087 and 8443 |
|
|
|
|
|
|
| vCenter Server 4.0 |
Supported
|
Supported
|
Supported
|
Not Supported
|
Supported
|
Not Supported |
| vCenter Server 4.0 Update |
Supported
|
Supported
|
Supported
|
Not Supported
|
Supported
|
Not Supported |
| vCenter Server 4.1 |
Supported
|
Supported
|
Supported
|
Not Supported
|
Supported
|
Not Supported |
| Port 9443 |
|
|
|
|
|
|
| vCenter Server 5.1 |
Not Supported
|
Not Supported
|
Supported
|
Supported
|
Supported
|
Not Supported |
| vCenter Server 5.5 |
Not Supported
|
Not Supported
|
Supported
|
Supported
|
Supported
|
Not Supported |
| vCenter Server 6.0 | Not Supported | Not Supported | Not Supported | Supported | Not Supported | Supported 2 |
| vCenter Server 6.5 | Not Supported | Not Supported | Not Supported | Supported | Not Supported | Supported 2 |
| vCenter Server 6.7 | Not Supported | Not Supported | Not Supported | Supported | Not Supported | Supported 2 |
Notes:
- For more information about cipher Suite B, see the article NSA Suite B Cryptography.
- The Suite B cipher suite includes:
ECDHE-RSA-AES128-GCM-SHA256; ECDHE-ECDSA-AES128-GCM-SHA256; ECDHE-RSA-AES128-SHA256; ECDHE-ECDSA-AES128-SHA256; ECDHE-RSA-AES128-SHA; ECDHE-ECDSA-AES128-SHA; DHE-DSS-AES128-GCM-SHA256; DHE-RSA-AES128-GCM-SHA256; ECDH-RSA-AES128-GCM-SHA256; ECDH-ECDSA-AES128-GCM-SHA256; ECDH-RSA-AES128-SHA256; ECDH-ECDSA-AES128-SHA256; ECDH-RSA-AES128-SHA; ECDH-ECDSA-AES128-SHA; AES128-GCM-SHA256; AES128-SHA256; ECDHE-RSA-AES256-GCM-SHA384; ECDHE-ECDSA-AES256-GCM-SHA384; ECDHE-RSA-AES256-SHA384; ECDHE-ECDSA-AES256-SHA384; ECDHE-RSA-AES256-SHA; ECDHE-ECDSA-AES256-SHA; ECDH-RSA-AES256-GCM-SHA384; ECDH-ECDSA-AES256-GCM-SHA384; ECDH-RSA-AES256-SHA384; ECDH-ECDSA-AES256-SHA384; ECDH-RSA-AES256-SHA; ECDH-ECDSA-AES256-SHA; AES256-GCM-SHA384; AES256-SHA256
For vSphere 7.0 information, see VMware vSphere 7.0 Default SSL/TLS Cipher Suites
Ensure weak SSL encryption is not detected
The best practices to mitigate the risk of weak SSL encryption being detected on ESX 3.0.x, 4.0.x, 4.1 as well as ESXi 4.1, 5.x and 6.0 are:
- Ensure that ESX hosts are not directly accessible by Internet and are protected by firewalls.
- Ensure that browsers are configured to not use weak ciphers to connect with ESX/ESXi hosts.
Feedback
Yes
No
Powered by
