Disabling TLS ciphers on vCenter

Article ID: 402714

Products

VMware vCenter Server 8.0

Issue/Introduction

  • Security scanners may report the following TLS cipher suites as weak on vCenter Server ports 1514, 443, 5480, 5580, 636, 8084 and 9087:

    IANA Name                            OpenSSL Name
    TLS_RSA_WITH_AES_128_CBC_SHA         AES128-SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256      AES128-GCM-SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA         AES256-SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384      AES256-GCM-SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDHE-RSA-AES128-SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDHE-RSA-AES256-SHA


Environment

vCenter Server 8.0 Update 3

Cause

  • The default TLS profile on vCenter Server 8.0 Update 3 is "COMPATIBLE", which supports all of the following TLS cipher suites:

tls_rsa_with_aes_128_cbc_sha
tls_rsa_with_aes_128_gcm_sha256
tls_rsa_with_aes_256_cbc_sha
tls_rsa_with_aes_256_gcm_sha384
tls_ecdhe_rsa_with_aes_128_cbc_sha
tls_ecdhe_rsa_with_aes_256_cbc_sha

  • To check which cipher suites and TLS versions are currently enabled on vCenter, run the following command on the vCenter Server appliance:

/usr/lib/vmware-vsr/bin/ssl_scanner --host localhost:443 | less

Resolution

Starting with vCenter 8.0 U3, TLS configuration is managed via TLS profiles.

To disable the cipher suites listed above, change the TLS profile to "NIST_2024" as described in How to disable SHA1 TLS Ciphers - Managing TLS Profiles in vCenter 8.0 U3.

The TLS profiles currently available for vCenter Server 8.0 Update 3 are:

  • NIST_2024  
  • COMPATIBLE
  • COMPATIBLE-NON-FIPS

Note: There is currently no "MANUAL" profile for vCenter, and the existing profiles cannot be modified. The API Explorer for the TLS commands does not provide a "PUT" operation for "tls/profiles", only "GET" operations that list what is already available.
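As an added example, not part of this article or of VMware's tooling, the following Python script lets an administrator verify the change from a management host: it records the generic reasons a scanner flags each suite listed above (static RSA key exchange lacks forward secrecy; CBC suites are not AEAD), then re-probes the article's ports by offering the server each suite on its own and reporting which ones are still accepted. The target host name and the port list passed on the command line are assumptions.

```python
import socket
import ssl
import sys

# The six suites the article lists (IANA name -> OpenSSL name).
FLAGGED_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
}
# Ports named in the article (assumed to be the ones worth re-checking).
VCENTER_PORTS = [443, 636, 1514, 5480, 5580, 8084, 9087]


def weakness_reasons(iana_name):
    """Generic reasons a scanner flags this suite; empty list means not flagged."""
    reasons = []
    if iana_name.split("_WITH_")[0] == "TLS_RSA":
        reasons.append("static RSA key exchange: no forward secrecy")
    if "_CBC_" in iana_name:
        reasons.append("CBC mode (MAC-then-encrypt, not an AEAD suite)")
    return reasons


def probe_suite(host, port, openssl_name, timeout=5.0):
    """Offer the server exactly one TLS 1.2 suite; True if it completes the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test cipher policy here, not the cert chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 does not use these names
    try:
        ctx.set_ciphers(openssl_name)  # raises if the local OpenSSL build lacks it
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == openssl_name
    except (ssl.SSLError, OSError):
        return False


def audit(host, ports=VCENTER_PORTS):
    """Map each port to the flagged suites the server still accepts."""
    return {p: [n for n, o in FLAGGED_SUITES.items() if probe_suite(host, p, o)]
            for p in ports}


if __name__ == "__main__":
    for port, accepted in audit(sys.argv[1]).items():
        for name in accepted:
            print(f"{port}: {name} still enabled ({'; '.join(weakness_reasons(name))})")
```

An empty report for every port after switching to "NIST_2024" confirms the scanner findings are resolved; a port that still lists suites should be rechecked after the services have restarted.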

Additional Information

For additional details on TLS configuration, refer to vSphere TLS Configuration.