Billett
Contributor

ESXi 6.5 Disable TLSv1.0


Hi,

I need to disable TLSv1.0 for PCI on an ESXi server running 6.5. I can do this on my 6.0 servers easily enough using the following commands:

esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "tlsv1"

esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols -s "tlsv1"

esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s "tlsv1"

When it comes to 6.5, I believe these do not work, and from what I can gather you need to use a tool whilst running vCenter. I do not have vCenter running and therefore need to look at a possible solution outside of this.

Can anyone confirm if there is a method to disable this?

Regards

Chris

Accepted Solutions
prylance
Contributor

I managed to do this with these two steps:

1. Set ESXiVPsDisabledProtocols:

esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3,tlsv1"

2. On the command line, edit /etc/vmware/rhttpproxy/config.xml.

Find the vmacore section, then find the ssl section inside it and set the versions of tls you want to enable:

<vmacore>
  ...
  <ssl>
    <doVersionCheck> true </doVersionCheck>
    <!-- allowed SSL/TLS protocol versions -->
    <protocols>tls1.1,tls1.2</protocols>
    <libraryPath>/lib/</libraryPath>
  </ssl>

Restart the proxy:

/etc/init.d/rhttpproxy restart


6 Replies
hussainbte
Expert

Have you tried those commands on ESXi 6.5, and have they failed?

How do you know it does not work?

jfene72
Enthusiast

Have you read this? -> VMware Knowledge Base.

Out of curiosity, I tried running your commands on a test host and it's only the first one that works. If you compare esx.conf before and after, there are indeed new settings added to it.


After rebooting the host, I logged in using the ESXi host client. I don't know if this is a valid test, or if it's even relevant, but it's still using TLS 1.2 to connect. This is the same protocol used when connecting to another 6.5 host.

The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_256_GCM (a strong cipher).


Billett
Contributor

Thank you prylance this option worked for me.

jpin1
Contributor

I have also used the commands supplied by prylance with success. To test the result I used openssl.

To test TLS 1.0, I ran:

openssl s_client -connect <host IP>:443 -tls1

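The openssl check above, extended into a small script that probes SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2 in turn and fails if any legacy version is still accepted. This is an added example, not code from the thread; the host address, port and script name are placeholders, and it only reads the s_client output produced by the openssl on the machine you run it from.

```shell
#!/bin/sh
# Added example, not from the thread: probe which SSL/TLS versions a host's
# port 443 still accepts, using the openssl s_client technique jpin1 describes.
# Usage: sh tlscheck.sh <host IP> [port]   (host and script name are placeholders)

# Did the handshake in this s_client output succeed? openssl reports a refused
# version as "Cipher is (NONE)" / "Cipher    : 0000" and a working one with a
# real cipher name in the SSL-Session block.
handshake_ok() {
    if printf '%s\n' "$1" | grep -Eq 'Cipher is \(NONE\)|^ *Cipher *: *0000'; then
        return 1
    fi
    printf '%s\n' "$1" | grep -Eq '^ *Cipher *: *[A-Za-z0-9_-]+$'
}

# Print the negotiated protocol (e.g. TLSv1.2), "none" if the server refused
# it, or "unsupported" if this openssl build cannot even offer that version.
negotiated_protocol() {
    if printf '%s\n' "$1" | grep -Eiq 'unknown option'; then
        echo unsupported
    elif handshake_ok "$1"; then
        printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
    else
        echo none
    fi
}

# Run one probe (flag is -ssl3, -tls1, -tls1_1 or -tls1_2) and classify it.
probe() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 || true)
    negotiated_protocol "$out"
}

# Scan the legacy versions plus TLS 1.2; return 1 if any legacy version is
# still accepted, i.e. the hardening did not take effect.
scan() {
    host=$1; port=${2:-443}; bad=0
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(probe "$host" "$port" "$flag")
        printf '%-8s %s\n' "$flag" "$result"
        case "$flag:$result" in
            -tls1_2:*|*:none|*:unsupported) ;;   # expected, refused, or inconclusive
            *) bad=1 ;;                          # legacy version accepted
        esac
    done
    return $bad
}

if [ -n "${1:-}" ]; then scan "$1" "${2:-443}"; fi
```

An "unsupported" result means the client-side openssl refused to offer that version, so run the check from a machine whose openssl still supports the legacy versions to get a conclusive answer.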