Ciphers supported on ESX/ESXi and vCenter Server
Article ID: 322855

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

Weak ciphers are defined by the key length (number of bits) and the encryption techniques they use. To detect the ciphers supported on a specific port of an ESX/ESXi host or of vCenter Server/vCenter Server Appliance, you can use open source tools such as OpenSSL by running the command openssl s_client -cipher LOW -connect hostname:port. In addition, vulnerability scanners such as Nessus can check SSL services on arbitrary ports.
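As an added example that is not part of this article, the POSIX shell script below turns the single openssl s_client -cipher check above into a per-suite audit of one port, using the cipher names from the tables in the Resolution section. It assumes openssl is on the PATH and that the host and port are supplied by the caller (for example probe_port esxi-host.example.com 443).

```shell
# Added example, not part of the VMware KB article: one handshake per suite
# against a single port, using the suite names from the article's tables.
# Assumptions: openssl is on PATH; HOST and PORT are given by the caller.
# Suites from the tables: the RC4 and 3DES ones are what scanners flag as weak.
WEAK_CIPHERS="RC4-MD5 RC4-SHA DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA"
STRONG_CIPHERS="AES128-SHA AES256-SHA AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256"

# classify_cipher NAME -> weak-rc4 | weak-3des | acceptable
classify_cipher() {
    case "$1" in
        RC4-*)       echo weak-rc4 ;;
        *DES-CBC3-*) echo weak-3des ;;
        *)           echo acceptable ;;
    esac
}

# negotiated_cipher: reads s_client output on stdin and prints the suite named
# on its "New, <proto>, Cipher is <suite>" line, or "none" when the server
# refused the handshake (openssl then prints "Cipher is (NONE)").
negotiated_cipher() {
    c=$(sed -n 's/^New, [^,]*, Cipher is //p' | head -n 1)
    case "$c" in
        ""|"(NONE)") echo none ;;
        *)           echo "$c" ;;
    esac
}

# probe_port HOST PORT: a suite counts as accepted only when the server
# negotiates exactly that suite (a TLS 1.3 server may answer a -cipher request
# with a TLS 1.3 suite instead, which is not an acceptance of the one asked for).
# Returns 1 if any weak suite was accepted.
probe_port() {
    host=$1; port=$2; rc=0
    for cipher in $WEAK_CIPHERS $STRONG_CIPHERS; do
        # Most current OpenSSL builds omit RC4 entirely; a suite the client
        # cannot offer must not be reported as "rejected by the server".
        if ! openssl ciphers "$cipher" >/dev/null 2>&1; then
            printf '%-28s not available in local OpenSSL\n' "$cipher"; continue
        fi
        got=$(printf 'Q\n' | openssl s_client -cipher "$cipher" \
              -connect "$host:$port" 2>/dev/null | negotiated_cipher)
        if [ "$got" = "$cipher" ]; then
            printf '%-28s accepted (%s)\n' "$cipher" "$(classify_cipher "$cipher")"
            [ "$(classify_cipher "$cipher")" = acceptable ] || rc=1
        else
            printf '%-28s rejected\n' "$cipher"
        fi
    done
    return $rc
}
```

A non-zero exit from probe_port is the condition a PCI or Nessus scan would report as "weak SSL ciphers supported" on that port.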
 
Weak SSL encryption is detected on ESX/ESXi versions 4.0.x and 4.1 and on ESXi version 5.x. However, by default both vCenter Server and ESX hosts select the highest-grade SSL or TLS cipher that both sides support, for example AES256-SHA.
Weak ciphers in VMware environments result in situations such as the following:
  • A security scan of the VMware environment shows that weak SSL ciphers are detected.
  • ESX or ESXi hosts fail a PCI scan because weak ciphers are enabled.
  • An audit of the VMware environment discovers that the Virtual Center service supports a number of weak SSL ciphers.
  • Nessus scans identify ESX hosts as supporting weak SSL ciphers.
 


Environment

VMware vCenter Server 5.0.x
VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 7.0.0
VMware vSphere ESXi 5.1
VMware vCenter Server Appliance 6.5.x
VMware vSphere ESXi 6.7
VMware vSphere ESXi 5.5
VMware vSphere ESXi 5.0
VMware vCenter Server 5.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server 4.1.x
VMware vSphere ESXi 6.0
VMware vSphere ESXi 6.5
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 5.1.x

Resolution

The following tables list the supported ciphers and their ports on ESX/ESXi and vCenter Server. These ciphers are based on the VMware-built OpenSSL package that is shipped with vCenter Server (C:\Program Files\VMware\vCenter Server\openSSL\openssl.exe in vSphere 6.0), vCenter Server Appliance (/usr/lib/vmware-openSSL/openssl in vSphere 6.0), and ESXi (/bin/openssl). VMware does not use the OpenSSL package shipped natively with SLES, and does not support disabling individual ciphers on the products listed below.

ESX/ESXi

Supported Ciphers | RC4-MD5       | RC4-SHA       | AES128-SHA | DES-CBC3-SHA  | Suite B (1,2)
Port 443
ESX 4.0           | Supported     | Supported     | Supported  | Supported     | Not Supported
ESX 4.0 Update    | Supported     | Supported     | Supported  | Supported     | Not Supported
ESX 4.1           | Supported     | Supported     | Supported  | Supported     | Not Supported
ESXi 5.x          | Not Supported | Not Supported | Supported  | Supported     | Supported (2)
ESXi 6.0          | Not Supported | Not Supported | Supported  | Not Supported | Supported (2)
ESXi 6.5          | Not Supported | Not Supported | Supported  | Not Supported | Supported (2)
ESXi 6.7          | Not Supported | Not Supported | Supported  | Not Supported | Supported (2)

vCenter Server

Supported Ciphers         | RC4-MD5       | RC4-SHA       | DES-CBC3-SHA  | AES128-SHA    | EDH-RSA-DES-CBC3-SHA | Suite B (1,2)
Port 443
vCenter Server 4.0        | Supported     | Supported     | Supported     | Supported     | Supported            | Not Supported
vCenter Server 4.0 Update | Supported     | Supported     | Supported     | Supported     | Supported            | Not Supported
vCenter Server 4.1        | Supported     | Supported     | Supported     | Supported     | Supported            | Not Supported
vCenter Server 5.x        | Not Supported | Not Supported | Supported     | Supported     | Not Supported        | Not Supported
vCenter Server 6.0        | Not Supported | Not Supported | Not Supported | Supported     | Not Supported        | Supported (2)
vCenter Server 6.5        | Not Supported | Not Supported | Not Supported | Supported     | Not Supported        | Supported (2)
vCenter Server 6.7        | Not Supported | Not Supported | Not Supported | Supported     | Not Supported        | Supported (2)
Ports 9087 and 8443
vCenter Server 4.0        | Supported     | Supported     | Supported     | Not Supported | Supported            | Not Supported
vCenter Server 4.0 Update | Supported     | Supported     | Supported     | Not Supported | Supported            | Not Supported
vCenter Server 4.1        | Supported     | Supported     | Supported     | Not Supported | Supported            | Not Supported
Port 9443
vCenter Server 5.1        | Not Supported | Not Supported | Supported     | Supported     | Supported            | Not Supported
vCenter Server 5.5        | Not Supported | Not Supported | Supported     | Supported     | Supported            | Not Supported
vCenter Server 6.0        | Not Supported | Not Supported | Not Supported | Supported     | Not Supported        | Supported (2)
vCenter Server 6.5        | Not Supported | Not Supported | Not Supported | Supported     | Not Supported        | Supported (2)
vCenter Server 6.7        | Not Supported | Not Supported | Not Supported | Supported     | Not Supported        | Supported (2)
 
Notes:
  1. For more information about Suite B, see the National Security Agency articles Suite B Cryptography and NSA Suite B Cryptography.
  2. The Suite B cipher suite includes: ECDHE-RSA-AES128-GCM-SHA256; ECDHE-ECDSA-AES128-GCM-SHA256; ECDHE-RSA-AES128-SHA256; ECDHE-ECDSA-AES128-SHA256; ECDHE-RSA-AES128-SHA; ECDHE-ECDSA-AES128-SHA; DHE-DSS-AES128-GCM-SHA256; DHE-RSA-AES128-GCM-SHA256; ECDH-RSA-AES128-GCM-SHA256; ECDH-ECDSA-AES128-GCM-SHA256; ECDH-RSA-AES128-SHA256; ECDH-ECDSA-AES128-SHA256; ECDH-RSA-AES128-SHA; ECDH-ECDSA-AES128-SHA; AES128-GCM-SHA256; AES128-SHA256; ECDHE-RSA-AES256-GCM-SHA384; ECDHE-ECDSA-AES256-GCM-SHA384; ECDHE-RSA-AES256-SHA384; ECDHE-ECDSA-AES256-SHA384; ECDHE-RSA-AES256-SHA; ECDHE-ECDSA-AES256-SHA; ECDH-RSA-AES256-GCM-SHA384; ECDH-ECDSA-AES256-GCM-SHA384; ECDH-RSA-AES256-SHA384; ECDH-ECDSA-AES256-SHA384; ECDH-RSA-AES256-SHA; ECDH-ECDSA-AES256-SHA; AES256-GCM-SHA384; AES256-SHA256

For related information, see VirtualCenter Server 2.5 Update 4 and later uses high-security SSL ciphers (1009408) and ESXi 5.0 disables nonsecure ciphers in Internet Explorer 6 (2003464).

For vSphere 7.0 information, see VMware vSphere 7.0 Default SSL/TLS Cipher Suites.

Ensure weak SSL encryption is not detected

The best practices to mitigate the risk of weak SSL encryption being detected on ESX 3.0.x, 4.0.x and 4.1, as well as ESXi 4.1, 5.x and 6.0, are:
  • Ensure that ESX hosts are not directly accessible from the Internet and are protected by firewalls.
  • Ensure that browsers are configured not to use weak ciphers when connecting to ESX/ESXi hosts.
