Remove ciphers below 256 bits for port 443.
Following this KB article will not remove all the ciphers: https://knowledge.broadcom.com/external/article?legacyId=92473. We still see the cipher "TLS_AES_128_GCM_SHA256".
As per KB article https://knowledge.broadcom.com/external/article/312033, the MANUAL profile is not supported.
vSphere vCenter 8.0 U3 and above
MANUAL is not VMware-supported and is mainly intended for emergency/debugging. More specifically, this combination has not been tested to work across the VCF/vSphere stack.
Port 443 is behind Envoy, and BoringSSL "hardcodes" the TLS 1.3 cipher suites with no way to provide specific ciphers (see https://github.com/envoyproxy/envoy/issues/19548). So, even if the customer has figured out how to use non-FIPS TLS 1.3 in BoringSSL (via 8.0U2 KBs) or uses, say, the latest BoringSSL on VCF 9.0, they will not be able to drop `TLS_AES_128_GCM_SHA256` in Envoy, since it always exposes a predefined list in the certified code.
We do not recommend removing the cipher "TLS_AES_128_GCM_SHA256" since the cipher is specific to TLS 1.3 and has no known issues.
This applies to port 443 on both vCenter and ESXi.
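When a scan of port 443 flags ciphers below 256 bits, the result can be split into the TLS 1.3 suites that Envoy/BoringSSL always exposes and everything else. The following is an added example, not VMware or Broadcom code: it parses constructed output in the style of nmap's `ssl-enum-ciphers` script, and the function names, the verdict labels, and the treatment of TLS 1.2 suites as configurable are assumptions.

```python
import re

# Constructed sample in the style of `nmap --script ssl-enum-ciphers -p 443`.
SAMPLE_SCAN = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|_  least strength: A
"""

PROTO_RE = re.compile(r"^\|[ _]+((?:TLS|SSL)v[\d.]+):\s*$")
SUITE_RE = re.compile(r"^\|[ _]+(TLS_\w+)")
# Symmetric key size in bits, inferred from the suite name.
KEY_BITS = (("AES_256", 256), ("CHACHA20", 256), ("AES_128", 128), ("3DES", 112))


def key_bits(suite):
    """Return the bulk-cipher key size, or 0 (always flagged) if unrecognised."""
    return next((bits for tag, bits in KEY_BITS if tag in suite), 0)


def triage(scan_text, minimum_bits=256):
    """Return (protocol, suite, bits, verdict) for every suite under minimum_bits."""
    findings, proto = [], None
    for line in scan_text.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
        elif proto and (m := SUITE_RE.match(line)):
            # nmap prints TLS 1.3 suites as TLS_AKE_WITH_*; use the IANA name.
            suite = m.group(1).replace("TLS_AKE_WITH_", "TLS_")
            bits = key_bits(suite)
            if bits < minimum_bits:
                # TLS 1.3 list is fixed in Envoy/BoringSSL; TLS 1.2 verdict is assumed.
                verdict = "fixed-by-envoy" if proto == "TLSv1.3" else "configurable"
                findings.append((proto, suite, bits, verdict))
    return findings


if __name__ == "__main__":
    for proto, suite, bits, verdict in triage(SAMPLE_SCAN):
        print(f"{proto:8} {suite:42} {bits:>3} bits  {verdict}")
```

A `fixed-by-envoy` row is the expected residual finding on port 443; only `configurable` rows indicate that the cipher configuration did not take effect.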