Disable older TLS/SSL cipher suites in Aria Suite Lifecycle 8.x


Article ID: 379746


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Instructions on how to disable older TLS/SSL cipher suites in Aria Suite Lifecycle 8.x

Environment

VMware Aria Suite Lifecycle 8.x

Cause

By default, nginx is configured to exclude all ciphers that provide no authentication (aNULL) and to include only ciphers that use ECDHE for key exchange and AES as the bulk encryption algorithm.

nginx default configuration:

ssl_ciphers !aNULL:ECDHE+AES;

Ciphers included:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA


Resolution

To disable a specific cipher:

  1. Take a snapshot of the VMware Aria Suite Lifecycle appliance before following the steps below; reference: Managing snapshots in vSphere Web Client

  2. Stop the nginx.service with the following command:

    systemctl stop nginx.service

  3. Open the nginx SSL configuration file /etc/nginx/ssl.conf in a text editor.

  4. Replace the line:

    ssl_ciphers !aNULL:ECDHE+AES;

    with one of the following configurations:

    TLS name                                 Cipher configuration to disable it
    CBC suites (all weak ciphers)            ssl_ciphers !aNULL:ECDHE+AES:!CBC;
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    ssl_ciphers !aNULL:ECDHE+AES:!ECDHE-RSA-AES256-SHA384;
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    ssl_ciphers !aNULL:ECDHE+AES:!ECDHE-RSA-AES128-SHA256;
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       ssl_ciphers !aNULL:ECDHE+AES:!ECDHE-RSA-AES256-SHA;
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       ssl_ciphers !aNULL:ECDHE+AES:!ECDHE-RSA-AES128-SHA;


  5. Start the nginx.service again with the following:

    systemctl start nginx.service
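To confirm what each replacement string actually leaves enabled before restarting nginx, here is an added check that is not part of the article: it uses Python's ssl module, which drives the same OpenSSL cipher-string parser as nginx's ssl_ciphers directive, as a stand-in for running openssl ciphers -v on the appliance. The config labels and the OpenSSL-to-TLS name mapping are mine; the printout shows which suites each string removes relative to the default, and also whether the OpenSSL build in use recognises a shorthand such as !CBC, because the parser silently ignores keywords it does not know rather than rejecting them.

```python
import ssl

# The nginx cipher strings from the article: the default and the five replacements.
CONFIGS = {
    "default": "!aNULL:ECDHE+AES",
    "no CBC suites": "!aNULL:ECDHE+AES:!CBC",
    "no AES256-CBC-SHA384": "!aNULL:ECDHE+AES:!ECDHE-RSA-AES256-SHA384",
    "no AES128-CBC-SHA256": "!aNULL:ECDHE+AES:!ECDHE-RSA-AES128-SHA256",
    "no AES256-CBC-SHA": "!aNULL:ECDHE+AES:!ECDHE-RSA-AES256-SHA",
    "no AES128-CBC-SHA": "!aNULL:ECDHE+AES:!ECDHE-RSA-AES128-SHA",
}

# OpenSSL name -> TLS (IANA) name for the six suites the article lists.
# ECDHE+AES also matches ECDHE-ECDSA suites; those are printed under their OpenSSL names.
IANA_NAMES = {
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}


def enabled_suites(cipher_string):
    """Set of OpenSSL cipher names (TLS 1.2 and below) enabled by cipher_string.

    set_ciphers() applies the OpenSSL cipher-string rules exactly as ssl_ciphers does.
    TLS 1.3 suites (OpenSSL names starting with TLS_) are listed by get_ciphers() but are
    not governed by ssl_ciphers, so they are left out of the comparison.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")}


def cbc_suites(cipher_string):
    """Enabled suites that use CBC mode (anything that is not GCM or CCM)."""
    return {n for n in enabled_suites(cipher_string) if "GCM" not in n and "CCM" not in n}


def report():
    base = enabled_suites(CONFIGS["default"])
    for label, cs in CONFIGS.items():
        removed = sorted(base - enabled_suites(cs))
        print(f"{label}: ssl_ciphers {cs};")
        print("  removed vs default:", [IANA_NAMES.get(n, n) for n in removed] or "nothing")
        print("  CBC suites still offered:", sorted(IANA_NAMES.get(n, n) for n in cbc_suites(cs)))


if __name__ == "__main__":
    report()
```

If a row reports "removed vs default: nothing", the keyword in that string was not recognised by the OpenSSL build and the configuration has not changed what nginx offers.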