Understanding the support for 3des-cbc or 3des-ctr algorithms in vCenter 8.0 U3

Article ID: 424613

Products

VMware vCenter Server

Issue/Introduction

The objective of this Knowledge Base article is to provide information on support for 3des-cbc or 3des-ctr algorithms in vCenter 8.0 U3.

Environment

vCenter 8.0 U3

Resolution

In vCenter 8, specifically starting with version 8.0 Update 3, 3DES (Triple DES) algorithms like 3des-cbc and 3des-ctr are generally unsupported or disabled by default for most secure communication channels (TLS and SSH). This is due to 3DES being classified as a "weak" or "legacy" cipher (vulnerable to the Sweet32 attack). vSphere 8 has shifted toward more secure defaults, such as AES-GCM and AES-CTR.

| Profile Name | 3DES Support | Description |
|---|---|---|
| NIST_2024 | No | The most restrictive; only allows high-strength ciphers (AES-GCM). |
| COMPATIBLE | No | Default for vCenter 8. Supports TLS 1.2 and 1.3 but excludes weak ciphers like 3DES. |
| MANUAL | User-defined | Allows you to explicitly enable older ciphers if you have legacy requirements, though this is discouraged. |

To identify the TLS profile currently in use on vCenter, refer to "Manage the TLS Profile of a vCenter Server Host".

Note: Unlike the TLS profile for an ESXi host, which can be managed through vSphere Configuration Profiles or esxcli commands, vCenter Server TLS profiles are managed through APIs.

Additional Information

For security scanners reporting TLS ciphers as weak on vCenter Server ports 1514, 443, 5480, 5580, 636, 8084 and 9087, refer to "Disabling TLS ciphers on vCenter".
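To check a scanner report against the 3DES status described above, the following added example (not part of the original article and not VMware tooling) parses nmap-style `ssl-enum-ciphers` / `ssh2-enum-algos` output and lists the ports that still offer a 3DES algorithm on TLS or SSH. The sample report is constructed, and SSH on port 22 is an assumption not stated in the article.

```python
import re

# 3DES naming: IANA TLS suites contain "3DES_EDE", OpenSSL names contain
# "DES-CBC3", and the SSH ciphers are "3des-cbc" / "3des-ctr".
TRIPLE_DES = re.compile(r"3DES_EDE|DES-CBC3|^3des-(cbc|ctr)$", re.IGNORECASE)
PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\b")

# Constructed sample in nmap script-output layout; not captured from a real vCenter.
SAMPLE = """\
22/tcp   open  ssh
| ssh2-enum-algos:
|   encryption_algorithms: (2)
|       aes128-ctr
|_      3des-cbc
443/tcp  open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
5480/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""

def find_3des(nmap_text):
    """Return {port: [3DES algorithm names]} found in nmap script output."""
    findings, port = {}, None
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port = int(m.group(1))
        elif port is not None and line.startswith("|"):
            # Script lines look like "|       NAME (key details) - grade";
            # only the first token is an algorithm name, so warning text is ignored.
            tokens = line.lstrip("|_ ").split()
            if tokens and TRIPLE_DES.search(tokens[0]):
                found = findings.setdefault(port, [])
                if tokens[0] not in found:
                    found.append(tokens[0])
    return findings

if __name__ == "__main__":
    for port, names in sorted(find_3des(SAMPLE).items()):
        print(f"{port}/tcp offers 3DES: {', '.join(names)}")
```

A port that appears in the result is one to compare against the active TLS profile (or the SSH configuration) before treating the scanner finding as a false positive.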