Unable to remove Ciphers below 256 bits on vCenter after upgrading to 8.0.U3

Article ID: 375041

Products

VMware vCenter Server

Issue/Introduction

Remove Ciphers below 256 bits for port 443.

Following this KB article does not remove all the ciphers: https://knowledge.broadcom.com/external/article?legacyId=92473. After applying it, the cipher "TLS_AES_128_GCM_SHA256" is still offered.

As per KB article https://knowledge.broadcom.com/external/article/312033, the MANUAL profile is not supported.

Environment

vSphere vCenter 8.0 U3 and above

Cause

MANUAL is not VMware-supported and is mainly intended for emergency/debugging. More specifically, this combination has not been tested across the VCF/vSphere stack.

Port 443 is behind Envoy, and BoringSSL "hardcodes" its TLS 1.3 cipher suites with no way to select specific ciphers (see https://github.com/envoyproxy/envoy/issues/19548). So, even if the customer has worked out how to use non-FIPS TLS 1.3 in BoringSSL (via the 8.0U2 KBs) or uses, say, the latest BoringSSL on VCF 9.0, they will not be able to drop `TLS_AES_128_GCM_SHA256` in Envoy, since it always exposes the predefined list built into the certified code.
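The following script is an added example, not part of this KB article or of any VMware tooling. It shows how an administrator can verify the behaviour described above from a workstation: each TLS 1.3 suite is offered on its own to port 443 with `openssl s_client -ciphersuites` (OpenSSL 1.1.1 or later is assumed to be on PATH), the negotiated cipher is parsed from the output, and any accepted suite with a key shorter than 256 bits is flagged. The `VC_HOST` variable is a placeholder for the vCenter or ESXi hostname; when it is unset, the live probe is skipped and only the helper functions are defined.

```shell
#!/bin/sh
# Added example (not from the KB): report which TLS 1.3 cipher suites a
# vCenter/ESXi port 443 endpoint still accepts after cipher hardening.
# Assumptions: openssl 1.1.1+ on PATH; VC_HOST names the target (unset = no probe).

# IANA names of the three TLS 1.3 suites BoringSSL/Envoy expose by default.
TLS13_SUITES="TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256"

# Read `openssl s_client` output on stdin and print the negotiated cipher name
# from the "SSL-Session:" block (line "    Cipher    : NAME"). Empty if absent.
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Derive the symmetric key size (bits) from a TLS 1.3 suite name.
# CHACHA20-POLY1305 uses a 256-bit key although the name carries no number.
suite_key_bits() {
    case "$1" in
        *CHACHA20*)  echo 256 ;;
        *_AES_128_*) echo 128 ;;
        *_AES_256_*) echo 256 ;;
        *)           echo 0 ;;
    esac
}

# Handshake to HOST:PORT offering only SUITE; print the negotiated cipher,
# or "none" when the server refuses it (OpenSSL then prints "Cipher : 0000").
probe_suite() {
    host=$1; port=$2; suite=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -tls1_3 -ciphersuites "$suite" </dev/null 2>/dev/null)
    cipher=$(printf '%s\n' "$out" | negotiated_cipher)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo none
    else
        echo "$cipher"
    fi
}

# Probe every TLS 1.3 suite and flag accepted suites below the 256-bit threshold.
report() {
    host=$1; port=${2:-443}
    for s in $TLS13_SUITES; do
        got=$(probe_suite "$host" "$port" "$s")
        bits=$(suite_key_bits "$s")
        if [ "$got" = "$s" ] && [ "$bits" -lt 256 ]; then
            echo "ACCEPTED (<256-bit key): $s"
        else
            echo "$s -> $got"
        fi
    done
}

# Live probe only when a target is given, e.g.: VC_HOST=vcenter.example.test sh probe.sh
if [ -n "${VC_HOST:-}" ]; then
    report "$VC_HOST" 443
fi
```

On an 8.0 U3 vCenter the expected result is that `TLS_AES_128_GCM_SHA256` is still accepted regardless of the configured profile, which is exactly the Envoy/BoringSSL behaviour the Cause section describes; the script only confirms the state, it does not change any configuration.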

Resolution

We do not recommend removing Cipher "TLS_AES_128_GCM_SHA256" since the cipher is specific to TLS 1.3 and has no known issues.

Additional Information

This applies to port 443 on both vCenter and ESXi.