Does anyone know if this can be done via host profile for ESXi 6.7?
Hey,
In vSphere 6.7, TLS 1.0 and TLS 1.1 are disabled by default, so there is no need to do it, as you can see here: Managing TLS Protocol Configuration with the TLS Configurator Utility
"Starting with vSphere 6.7, only TLS 1.2 is enabled by default. TLS 1.0 and TLS 1.1 are disabled by default. Whether you do a fresh install, upgrade, or migration, vSphere 6.7 disables TLS 1.0 and TLS 1.1. You can use the TLS Configurator utility to enable older versions of the protocol temporarily on vSphere 6.7 systems. You can then disable the older, less secure versions after all connections use TLS 1.2."
However, if in future you want to enable some TLS protocols, at least temporarily, I recommend you read that link from VMware Docs and learn how to do it with the TLS Configuration Utility.
I believe this is true for VCSA 6.7 but not for ESXi 6.7.
The host setting under
UserVars.ESXiVPsDisabledProtocols
still shows TLS 1.0/1.1 as enabled.
I need to disable these.
This advanced setting you are mentioning, "UserVars.ESXiVPsDisabledProtocols", has the protocols which are disabled.
It is for vSphere, which means ESXi and vCenter, the whole suite. However, keep reading and follow the next one: Enable or Disable TLS Versions on ESXi Hosts.
Read it carefully, because the place from where to run the script changes depending on your architecture.
There is no need to disable it using a Host Profile.
How do I check if my host is enabled for TLS 1.0/1.1?
I checked under advanced settings
UserVars.ESXiVPsDisabledProtocols and it shows sslv3, tlsv1, tls1.1
Do I need to change anything?
So if I run this:
reconfigureEsx ESXiHost -h 198.51.100.2 198.51.100.3 -u root -p TLSv1.1 TLSv1.2
and reboot my host,
how do I verify that only 1.2 is enabled?
Hey @tdubb123,
That actually means that all the protocols mentioned there are disabled, as the values under that setting are the disabled protocols.
So yes, you have TLS 1.0 and TLS 1.1 disabled (same with SSLv3).
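Added example, not from this thread or from VMware: a small Python script that interprets a UserVars.ESXiVPsDisabledProtocols value the way this answer describes (the names listed are the disabled ones) and then, as the verification step asked about above, pins a handshake to each TLS version against the host's port 443 to confirm what it actually negotiates. The host name esxi01.example.invalid is a placeholder and the function names are my own.

```python
import socket
import ssl

# Protocol names exactly as they appear in UserVars.ESXiVPsDisabledProtocols.
ALL_PROTOCOLS = ("sslv3", "tlsv1", "tlsv1.1", "tlsv1.2")
# Setting names mapped to the ssl-module constants used for probing; sslv3 is
# left out because a current Python/OpenSSL client cannot offer it at all.
PROBE_VERSIONS = {
    "tlsv1": ssl.TLSVersion.TLSv1,
    "tlsv1.1": ssl.TLSVersion.TLSv1_1,
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
}

def enabled_from_setting(value):
    """Protocols left enabled by a UserVars.ESXiVPsDisabledProtocols value.
    The setting lists what is disabled, so "sslv3,tlsv1,tlsv1.1" means only
    TLS 1.2 remains enabled. Unknown names raise rather than being ignored."""
    disabled = {p.strip().lower() for p in value.split(",") if p.strip()}
    unknown = disabled - set(ALL_PROTOCOLS)
    if unknown:
        raise ValueError("unknown protocol name(s): " + ", ".join(sorted(unknown)))
    return [p for p in ALL_PROTOCOLS if p not in disabled]

def probe_tls_version(host, port, version, timeout=5.0):
    """One handshake pinned to a single TLS version: True if the host
    negotiated it (so it is still enabled there), False if it was rejected.
    Caveat: an OpenSSL build that refuses to offer TLS 1.0/1.1 also yields
    False, so cross-check such a result with another client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # version check only, not identity validation
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ValueError, ssl.SSLError):
        return False

def audit_host(host, setting_value, port=443):
    """Per protocol: what the setting predicts versus what the host negotiates.
    A protocol with expected False but observed True is the finding to chase."""
    expected = enabled_from_setting(setting_value)
    return {name: {"expected": name in expected,
                   "observed": probe_tls_version(host, port, ver)}
            for name, ver in PROBE_VERSIONS.items()}

if __name__ == "__main__":  # placeholder host (assumption); value from the thread
    for name, result in audit_host("esxi01.example.invalid", "sslv3,tlsv1,tlsv1.1").items():
        print(name, result)
```

Run it from a machine that can reach the host on 443; a connection failure (not a TLS rejection) is raised as an OSError so it is not mistaken for a disabled protocol.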