A security scan reports "static TLS ciphers" or "non-ephemeral TLS ciphers" as an area of concern.
This includes, but not limited to, ciphers such as TLS_RSA_WITH_AES_128_CBC_SHA or TLS_RSA_WITH_AES_128_GCM_SHA256.
3rd party security scans or audits request that VMware Administrators disable specific ciphers that are deemed "weak" and "not secure", often having deadlines to complete this request.
This issue occurs as the TLS protocol uses an RSA key within the TLS handshake to affirm identity, and with a "static TLS cipher" the same RSA key is used to encrypt a premaster secret used for further encrypted communication. If the RSA private key were compromised, all previous communication could be decrypted. Newer TLS ciphers use Diffie-Hellman with ephemeral keys (DHE, ECDHE) to negotiate a one-time key so that previous communication cannot be decrypted in the event of key compromise. vSphere products have supported ephemeral key exchange since at least version 6.0.
To resolve this issue, disable weak cipher algorithms.
Note: VMware presently does not consider static TLS ciphers as insecure, in alignment with current industry standards. Additionally, many older (legacy) software products in the enterprise Datacenter (For example, Java7) lack support for ephemeral key exchange and interoperability with such products would break if static TLS ciphers were to be disabled. As such, VMware does not recommend disabling static TLS ciphers.
However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their own security policies. It is recommended that backups are taken prior to disabling any ciphers as VMware cannot guarantee full interoperability across all products that interact with vCenter Server after disablement.
An example of the ciphers to add to the configuration file can be referred to below:
<cipherList>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</cipherList>