Disable CBC ciphers flagged as weak by security scanners for port 443 on ESXi 8.0 U3 and later


Article ID: 377775

Products

VMware vSphere ESXi

Issue/Introduction

  • Security scans may report "Weak Message Authentication Code Cipher Suites" or "Weak Encryption Cipher Suites" on ESXi for port 443. The scan typically flags one or more of the following CBC ciphers:
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
  • VMware keeps these suites enabled in the default profile for interoperability with legacy clients. A stricter TLS profile can be configured to meet internal hardening requirements (for example, NIST-aligned baselines) and remove these specific CBC suites from port 443.

Environment

VMware vSphere ESXi 8.0 U3 

VMware vSphere ESX 9.0

Cause

The default ESXi TLS profile (COMPATIBLE) includes legacy CBC cipher suites to maintain maximum compatibility and interoperability with older third-party solutions communicating over port 443. Strict security frameworks and vulnerability scanners flag these suites as weak because they use CBC mode with an HMAC-SHA1 MAC (the mac-then-encrypt construction behind the historical TLS padding-oracle attacks), and the TLS_RSA_* variants additionally use static RSA key exchange, which provides no forward secrecy.

Resolution

To remove the flagged CBC ciphers, set the ESXi TLS profile to NIST_2024, NIST_2024_TLS_13_ONLY (for ESX 9.0 and later), or MANUAL with a restricted cipher list.

Warning: Restricting ciphers can impact compatibility and interoperability with third-party solutions communicating with the ESXi host outside of vSphere. Review third-party vendor documentation for supported ciphers before proceeding. The MANUAL configuration method is not recommended as improper cipher lists can break communication between core vSphere components.

  1. Establish an SSH session to the ESXi host.

  2. Review the currently configured TLS profile:

    esxcli system tls server get

  3. Set the desired profile using one of the below methods:

    1. Use NIST_2024 (Recommended) :

      esxcli system tls server set -p NIST_2024

    2. Use NIST_2024_TLS_13_ONLY (for ESX 9.0 onwards):

      esxcli system tls server set -p NIST_2024_TLS_13_ONLY 

    3. Use the MANUAL profile with a restricted cipher list, for example ECDHE+AESGCM (Not Recommended):

      esxcli system tls server set -p MANUAL

      esxcli system tls server set --cipher-list=ECDHE+AESGCM

  4. Place the ESXi host in maintenance mode so that any running virtual machines are migrated off it.

  5. Reboot the ESXi host to apply the new TLS profile configuration.

  6. After the reboot, confirm the active profile with esxcli system tls server get, then validate communication with any third-party solutions that connect to the host on port 443 using the updated cipher set.

  7. Exit maintenance mode to migrate virtual machines back to the ESXi host.
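The following POSIX shell script is an added example and is not part of this article or of any VMware tooling. It runs from an administrator workstation with openssl(1) installed and reproduces what the scanner does in step 6: for each of the four flagged suites it attempts a TLS 1.2 handshake with the host on port 443 restricted to that single suite and reports whether the host accepted it. The ESXI_HOST environment variable is an assumption of this example, not an esxcli setting; the esxcli commands above are unchanged.

```shell
#!/bin/sh
# Added example (not from the KB article): check which of the CBC suites flagged
# by scanners an ESXi host still negotiates on port 443 after the TLS profile change.
# Assumptions: openssl(1) is available on the workstation, and ESXI_HOST (a
# hypothetical environment variable chosen for this example) names the host.

# Map the IANA suite names that scanners report to the names openssl s_client uses.
iana_to_openssl() {
    case "$1" in
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) echo ECDHE-RSA-AES128-SHA ;;
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) echo ECDHE-RSA-AES256-SHA ;;
        TLS_RSA_WITH_AES_128_CBC_SHA)       echo AES128-SHA ;;
        TLS_RSA_WITH_AES_256_CBC_SHA)       echo AES256-SHA ;;
        *) return 1 ;;
    esac
}

# Return 0 if a suite name (IANA or OpenSSL spelling) denotes a CBC-mode suite.
# OpenSSL's legacy names omit the mode, so AES128-SHA and friends are CBC.
is_cbc_suite() {
    case "$1" in
        *_CBC_*|*-CBC-*)                                   return 0 ;;
        *GCM*|*CHACHA20*|*CCM*)                            return 1 ;;
        *AES128-SHA|*AES256-SHA|*AES128-SHA256|*AES256-SHA384) return 0 ;;
        *)                                                 return 1 ;;
    esac
}

# Attempt a TLS 1.2 handshake limited to one suite. A host that refuses the suite
# (or refuses TLS 1.2 entirely, as NIST_2024_TLS_13_ONLY does) yields REJECTED.
probe_suite() {
    host=$1; iana=$2
    ossl=$(iana_to_openssl "$iana") || { echo "UNKNOWN   $iana"; return 2; }
    if openssl s_client -connect "$host:443" -servername "$host" -tls1_2 \
            -cipher "$ossl" </dev/null 2>/dev/null | grep -q "Cipher is $ossl"; then
        echo "ACCEPTED  $iana ($ossl)"; return 0
    else
        echo "REJECTED  $iana ($ossl)"; return 1
    fi
}

# Probe every flagged suite; succeed only if the host accepts none of them.
probe_flagged_cbc() {
    host=$1; accepted=0
    for s in TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
             TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA; do
        probe_suite "$host" "$s" && accepted=$((accepted + 1))
    done
    echo "$accepted flagged CBC suite(s) still accepted by $host"
    [ "$accepted" -eq 0 ]
}

# Only contact the network when a host was supplied.
if [ -n "${ESXI_HOST:-}" ]; then
    probe_flagged_cbc "$ESXI_HOST"
fi
```

Run it as `ESXI_HOST=esxi01.example.com sh check-cbc.sh` (host name assumed for illustration) before the change to see the four suites ACCEPTED, and again after the reboot to see them REJECTED. `esxcli system tls server get` confirms which profile is configured, but only a handshake against the listener shows what the host actually negotiates, which is what the scanner measures.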

Additional Information