This article provides the steps to verify which TLS ciphers are permitted and currently active on VMware ESXi 8.0 U3 or later hosts, using the SSL cipher scanner built into vCenter Server 8.0 U3 and later. This helps vSphere administrators review and confirm the security compliance of their ESXi hosts.
VMware vSphere ESX 9.0
VMware vSphere ESXi 8.0 Update 3
To actively scan and verify the ciphers currently in use on an ESXi host, follow these steps:
From the vCenter Server shell, run the built-in SSL scanner utility against the target ESXi host on port 443 to fetch the list of accepted and rejected ciphers:

    /usr/lib/vmware-vsr/bin/ssl_scanner --host <esxi_fqdn_or_ip>:443 | less
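As an independent cross-check that is not VMware's ssl_scanner and not part of this article, the following added Python example performs the same kind of test the scanner does: it offers one cipher suite per TLS 1.2 handshake to the host's port 443 and records whether the host accepts it, then flags accepted suites that lack forward secrecy or use legacy algorithms. Unlike the scanner, it runs from any machine that can reach the host on port 443. The candidate cipher list, the weak-algorithm marker heuristic and the placeholder hostname esxi.example.invalid are assumptions; the report format is this script's own, not the scanner's.

```python
"""Independent TLS 1.2 cipher probe for a host:port (added example; not VMware's
ssl_scanner). One handshake per candidate suite: accepted, rejected or unreachable."""
import socket
import ssl

# Constructed candidate list using OpenSSL cipher names (hypothetical selection).
CANDIDATES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "AES256-GCM-SHA384",          # static RSA key exchange, no forward secrecy
    "DES-CBC3-SHA",               # 3DES, legacy
    "RC4-SHA",                    # RC4, broken
]

# Substrings that mark a suite as weak or legacy for compliance review (heuristic).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ANON", "ADH", "AECDH")


def is_weak(cipher: str) -> bool:
    """True if the cipher name carries a known-weak or anonymous algorithm marker."""
    upper = cipher.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def lacks_forward_secrecy(cipher: str) -> bool:
    """True when key exchange is not ephemeral (EC)DHE, i.e. a static-RSA suite."""
    return not (cipher.startswith("ECDHE-") or cipher.startswith("DHE-"))


def probe_cipher(host: str, port: int, cipher: str, timeout: float = 5.0):
    """Attempt a TLS 1.2 handshake offering only `cipher`.
    Returns True (accepted), False (rejected) or None (host unreachable)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # OpenSSL's cipher-string API only governs TLS 1.2 and below; pin to 1.2 so the
    # server cannot sidestep the test by negotiating a TLS 1.3 suite instead.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # This probe checks negotiable ciphers, not certificate trust, so verification
    # is disabled here; certificate validity is a separate check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return False  # local OpenSSL build cannot even offer this suite
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # Only one suite was offered, so the negotiated name must match it.
                return tls.cipher()[0] == cipher
    except ssl.SSLError:
        return False  # server refused the suite (handshake_failure alert)
    except OSError:
        return None  # DNS failure, refused connection or timeout


def scan(host: str, port: int = 443, candidates=CANDIDATES) -> dict:
    """Probe every candidate suite and map cipher name -> True/False/None."""
    return {cipher: probe_cipher(host, port, cipher) for cipher in candidates}


def summarize(results: dict) -> dict:
    """Split probe results into accepted / rejected lists and flag accepted suites
    a compliance reviewer would want removed (weak algorithm or no forward secrecy)."""
    accepted = sorted(c for c, ok in results.items() if ok)
    rejected = sorted(c for c, ok in results.items() if ok is False)
    findings = [c for c in accepted if is_weak(c) or lacks_forward_secrecy(c)]
    return {"accepted": accepted, "rejected": rejected, "findings": findings}


if __name__ == "__main__":
    import sys
    # Placeholder target; pass the ESXi FQDN or IP as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "esxi.example.invalid"
    report = summarize(scan(target))
    for key in ("accepted", "rejected", "findings"):
        print(f"{key}:")
        for name in report[key]:
            print(f"  {name}")
```

Run it as `python3 probe.py <esxi_fqdn_or_ip>` and compare the accepted list with what ssl_scanner reports; any suite listed under findings is a candidate for removal by switching the host to a stricter TLS profile rather than by editing service configuration files by hand.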
Starting with ESXi 8.0 Update 3, VMware introduced TLS profiles to centrally manage TLS parameters and ciphers, eliminating the need to manually edit individual configuration files for most services. By default, the COMPATIBLE profile is used. ESXi 9.0 introduces an additional NIST_2024_TLS_13_ONLY profile.
For more details, refer to the following documentation: