VMware Cloud Community
tdubb123
Expert

Disabling TLS 1.0/1.1 enable 1.2 via host profile?

Does anyone know if this can be done via host profile for ESXi 6.7?

6 Replies
Lalegre
Virtuoso

Hey,

In vSphere 6.7 TLS 1.0 and TLS 1.1 are disabled by default, so there is no need to do it, as you can see here: Managing TLS Protocol Configuration with the TLS Configurator Utility

"Starting with vSphere 6.7, only TLS 1.2 is enabled by default. TLS 1.0 and TLS 1.1 are disabled by default. Whether you do a fresh install, upgrade, or migration, vSphere 6.7 disables TLS 1.0 and TLS 1.1. You can use the TLS Configurator utility to enable older versions of the protocol temporarily on vSphere 6.7 systems. You can then disable the older less secure versions after all connections use TLS 1.2"

However, if in the future you want to enable some TLS protocols, at least temporarily, I recommend reading that link from VMware Docs and learning how to do it with the TLS Configuration Utility.

tdubb123
Expert

I believe this is true for VCSA 6.7 but not for ESXi 6.7.

The host setting under

UserVars.ESXiVPsDisabledProtocols

still shows TLS 1.0/1.1 as enabled.

I need to disable these.

Lalegre
Virtuoso

This advanced setting you are mentioning, "UserVars.ESXiVPsDisabledProtocols", has the protocols which are disabled.

It is for vSphere, which means ESXi and vCenter, the whole suite. However, keep reading and follow the next one: Enable or Disable TLS Versions on ESXi Hosts.

Read it carefully because the place from where to run the script changes depending on your architecture.

There is no need to disable using Host Profile.

tdubb123
Expert

How do I check if my host is enabled for TLS 1.0/1.1?

I checked under advanced settings

UserVars.ESXiVPsDisabledProtocols and it shows sslv3, tlsv1, tlsv1.1.

Do I need to change anything?

tdubb123
Expert

So if I run this

reconfigureEsx ESXiHost -h 198.51.100.2 198.51.100.3 -u root -p TLSv1.1 TLSv1.2

and reboot my host

How do I verify that only 1.2 is enabled?

Lalegre
Virtuoso

Hey @tdubb123,

That actually means that all the protocols mentioned there are disabled, as the values under that setting are the disabled protocols.

So yes, you have TLS1.0 and TLS1.1 disabled. (Same with SSLv3)

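To answer the "how do I verify that only 1.2 is enabled?" question from the outside rather than only by reading the advanced setting, here is an added example (not from the thread or from VMware) that parses a UserVars.ESXiVPsDisabledProtocols value into the expected enabled set and then pins a client handshake to each TLS version against the host's port 443 to confirm the listener agrees. It assumes the setting uses the lowercase tokens quoted above (sslv3, tlsv1, tlsv1.1) and that the local OpenSSL still allows TLS 1.0/1.1 to be offered when the security level is lowered.

```python
import socket
import ssl

# Tokens as they appear in UserVars.ESXiVPsDisabledProtocols (assumption, taken
# from the values quoted in the thread) mapped to a pinnable ssl.TLSVersion.
# SSLv3 maps to None: modern OpenSSL builds cannot negotiate it at all.
SETTING_TOKENS = {
    "sslv3": None,
    "tlsv1": ssl.TLSVersion.TLSv1,
    "tlsv1.1": ssl.TLSVersion.TLSv1_1,
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
}


def enabled_from_setting(value):
    """Given the raw setting value (e.g. 'sslv3,tlsv1,tlsv1.1'), return the
    set of protocol tokens the host is expected to still accept."""
    disabled = {t.strip().lower() for t in value.split(",") if t.strip()}
    unknown = disabled - set(SETTING_TOKENS)
    if unknown:
        raise ValueError(f"unrecognised protocol tokens: {sorted(unknown)}")
    return set(SETTING_TOKENS) - disabled


def probe_version(host, version, port=443, timeout=5.0):
    """Attempt one handshake pinned to a single TLS version; True if the server
    completes it. Certificate checks are off because only protocol negotiation
    is under test here, not trust in the certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer TLS 1.0/1.1
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def audit(host, setting_value, port=443):
    """Probe every pinnable version and report which observed results disagree
    with what the setting says should be enabled."""
    expected = enabled_from_setting(setting_value)
    observed = {tok: probe_version(host, ver, port)
                for tok, ver in SETTING_TOKENS.items() if ver is not None}
    mismatches = {tok: on for tok, on in observed.items() if on != (tok in expected)}
    return observed, mismatches
```

Run `audit("198.51.100.2", "sslv3,tlsv1,tlsv1.1")` after the reboot; an empty mismatch dict means the listener accepts exactly TLS 1.2, and a True entry for tlsv1 or tlsv1.1 means the setting was not applied.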