By default nginx is configured to exclude all ciphers with no authentication and include ciphers that use ECDHE for key exchange and AES as the bulk encryption algorithm.

nginx default configuration:

ssl_ciphers !aNULL:ECDHE+AES;

ciphers included :

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

To disable a specific cipher:

1. Snapshots are required of the VMware Aria Suite Lifecycle appliance before following the steps below, reference:  Managing snapshots in vSphere Web Client 
   
   
2. Stop the nginx.service with the following command:



   systemctl stop nginx.service

3. Open the Nginx SSL configuration file located at /etc/nginx/ssl.conf with a text editor.
   
   
4. Replace the line:
   
   

   ssl_ciphers !aNULL:ECDHE+AES;

   
   with one the following configuration :
   
   

   TLS name Cipher configuration  to disable   CBC suite (all weak ciphers) ssl_ciphers !aNULL:ECDHE+AES:!CBC; TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ssl_ciphers !aNULL:ECDHE+AES:!ECDHE-RSA-AES256-SHA384; TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ssl_ciphers !aNULL:ECDHE+AES:!ECDHE-RSA-AES128-SHA256; TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ssl_ciphers !aNULL:ECDHE+AES:!ECDHE-RSA-AES256-SHA; TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ssl_ciphers !aNULL:ECDHE+AES:!ECDHE-RSA-AES128-SHA;

   
   
   
5. Start the nginx.service again with the following:
   
   

   systemctl start nginx.service

Note:

This workaround must be reapplied every time VMware Fleet Manager is upgraded. This is because the handshake will still occur, as VMware Cloud Foundation Fleet Manager 9.x maintains backward compatibility with TLS 1.2.