Disable CBC ciphers on ESXi 8.0 U3 reported for port 443

Article ID: 377775

Products

VMware vSphere ESXi

Issue/Introduction

A security scan reports "Weak Message Authentication Code Cipher Suites" or "Weak Encryption Cipher Suites" as an area of concern for ESXi port 443, and the finding asks for them to be disabled. The flagged suites include TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

VMware presently does not consider HMAC-SHA1 and CBC TLS ciphers insecure, in alignment with current industry standards. Additionally, interoperability with older (legacy) software products in the enterprise data center may break if these weak TLS ciphers were disabled. As such, VMware does not recommend disabling them. However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their security policies.

Below is a screenshot from a scan report for ESXi 8.0 U3.

Environment

VMware vSphere ESXi 8.0 U3

Resolution

To remove the CBC cipher suites, set the TLS profile to NIST_2024, or to MANUAL with the cipher list "ECDHE+AESGCM".

  • Resolution 1:
    • Take an SSH session to ESXi
    • Run the below command to set the TLS profile to NIST_2024:
      • esxcli system tls server set -p NIST_2024
    • Reboot the host
  • Resolution 2:
    • Note:  
    • Take an SSH session to ESXi
    • Run the below command to set the TLS profile to MANUAL:
      • esxcli system tls server set -p MANUAL
    • Run the below command to set the cipher list:
      • esxcli system tls server set --cipher-list=ECDHE+AESGCM
    • Reboot the host
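A way to confirm from an administrator's workstation that the change took effect after the reboot, added here as an example that is not part of the KB article or of any VMware tooling: it expands the article's "ECDHE+AESGCM" cipher list with OpenSSL's own parser to show which suites MANUAL permits, and it probes port 443 offering only the two suites the scan flagged. The host name esxi.example.internal is a placeholder.

```python
"""Added verification helper (not part of the KB article): checks whether an
ESXi host's port 443 still negotiates the CBC / HMAC-SHA1 suites a scanner
flags, and shows which suites the MANUAL cipher list "ECDHE+AESGCM" permits."""
import socket
import ssl

# IANA names from the scan finding mapped to the OpenSSL names set_ciphers() expects.
FLAGGED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
}


def is_weak_suite(name):
    """True for what the scanner reports: CBC-mode suites (IANA names carry
    'CBC') and suites whose MAC is plain HMAC-SHA1 (name ends in 'SHA').
    Works for both IANA and OpenSSL spellings."""
    return "CBC" in name or name.endswith("SHA")


def suites_allowed_by(cipher_list):
    """Expand an OpenSSL cipher string (e.g. the article's 'ECDHE+AESGCM')
    into the concrete suite names it selects, using OpenSSL's own parser."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers()]


def probe_suite(host, port, openssl_name, timeout=5.0):
    """Offer exactly one TLS 1.2 suite to the server.
    Returns True if it was negotiated, False if the server refused it,
    None if the host could not be reached at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # testing cipher negotiation, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == openssl_name
    except ssl.SSLError:
        return False                     # handshake failure: suite not offered
    except OSError:
        return None                      # refused / timed out / unreachable


def check_host(host, port=443):
    """Map each flagged suite to its probe result; all False means the finding is cleared."""
    return {iana: probe_suite(host, port, ossl) for iana, ossl in FLAGGED_SUITES.items()}


if __name__ == "__main__":
    print("MANUAL 'ECDHE+AESGCM' allows:", suites_allowed_by("ECDHE+AESGCM"))
    # placeholder host name; replace with the ESXi host that was reconfigured
    for suite, result in check_host("esxi.example.internal").items():
        print(suite, {True: "STILL ACCEPTED", False: "rejected", None: "unreachable"}[result])
```

A True result for either flagged suite after the reboot means the profile change did not apply (or a different profile is active); a None result means the probe never reached the host and says nothing about its ciphers.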

Additional Information

Refer to the following documentation for more details:

https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-82028A21-8AB5-4E2E-90B8-A01D1FAD77B1.html

For ESXi 8.0, 8.0 U1 and 8.0 U2, refer to https://knowledge.broadcom.com/external/article?articleNumber=312031