• Disabling "Weak Message Authentication Code Cipher Suites" or "Weak Encryption Cipher Suites" reported by a security scan as an area of concern for ESXi port 443.
• This includes ciphers such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
• VMware presently does not consider HMAC-SHA1 and CBC TLS ciphers as insecure, in alignment with current industry standards. Additionally, interoperability with older (legacy) software products in the enterprise data center may break if these weak TLS ciphers were to be disabled.
• As such, VMware does not recommend disabling these weak TLS ciphers. However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their security policies.
• Below is a screenshot from a scan report for ESXi 8.0 U3

VMware vSphere ESXi 8.0 U3

For the CBC cipher to be removed, set the TLS profile to NIST_2024 or MANUAL with the cipher list "ECDHE+AESGCM"

• Resolution 1:
  • Take an SSH session to ESXi
  • Run the below command to set the TLS profile to NIST_2024:

    • esxcli system tls server set -p NIST_2024

  • Reboot the host

• Resolution 2:
  
  • Take an SSH session to ESXi
  • Run the below command to set the TLS profile to MANUAL

    • esxcli system tls server set -p MANUAL

  • Run the below command to set the cipher list

    • esxcli system tls server set --cipher-list=ECDHE+AESGCM

  • Reboot the host

• Refer the documentation vSphere Security for more details
• For ESXi 8.0, 8.0 U1 and 8.0 U2 refer Disable weak ciphers on Esxi 8.0, 8.0 U1 and 8.0 U2