VMware Cloud Community
Billett
Contributor
Contributor
‎11-29-2017 01:52 AM
Jump to solution

ESXi 6.5 Disable TLSv1.0

Hi,

I need to disable TLSv1.0 for PCI on an ESXi server running 6.5. I can do this on my 6.0 servers easily enough using the following commands

esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "tlsv1"

esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols -s "tlsv1"

esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s "tlsv1"

When it comes to 6.5 I believe these do not work and from what I can gather you need to use a tool whilst running vCenter. I do not have vCenter running and therefore need to look at a possible solution outside of this.

Can anyone confirm if there is a method to disable this?

Regards

Chris

Reply
1 Solution

Accepted Solutions
prylance
Contributor
Contributor
‎12-04-2017 09:19 AM
Jump to solution

I managed to do this with these two steps ...

1. Set  ESXiVPsDisabledProtocols:

esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3,tlsv1"

2. On the command line, edit /etc/vmware/rhttpproxy/config.xml

Find the vmacore section, then find the ssl section inside it and set the versions of tls you want to enable:

<vmacore>

...

<ssl>                                                                                                     

   <doVersionCheck> true </doVersionCheck>                                   

   <!-- allowed SSL/TLS protocol versions -->

   <protocols>tls1.1,tls1.2</protocols>                               

   <libraryPath>/lib/</libraryPath>

</ssl>

Restart the proxy:

/etc/init.d/rhttpproxy restart

View solution in original post

Reply
6 Replies
hussainbte
Expert
Expert
‎11-29-2017 02:37 AM
Jump to solution

have you tried those commands on ESXi 6.5 and have they failed..?

how do you know it does not work

If you found my answers useful please consider marking them as Correct OR Helpful Regards, Hussain https://virtualcubes.wordpress.com/
Reply
0 Kudos
jfene72
Enthusiast
Enthusiast
‎11-29-2017 03:34 AM
Jump to solution

Have you read this? -> VMware Knowledge Base.

Out of curiosity, I tried running your commands on a test host and it's only the first one that works. If you compare esx.conf before and after, there are indeed new settings added to it.

pastedImage_1.png

After rebooting the host, I logged in using the ESXi host client. I don't know if this is a valid test, or if it's even relevant, but it's still using TLS 1.2 to connect. This is the same protocol used when connecting to another 6.5 host.

The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_256_GCM (a strong cipher).

Reply
jfene72
Enthusiast
Enthusiast
‎11-29-2017 04:47 AM
Jump to solution

Also, have a look at this: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vmware-6.5-security-configur...

Row 9 is what you want.

Reply
0 Kudos
prylance
Contributor
Contributor
‎12-04-2017 09:19 AM
Jump to solution

I managed to do this with these two steps ...

1. Set  ESXiVPsDisabledProtocols:

esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3,tlsv1"

2. On the command line, edit /etc/vmware/rhttpproxy/config.xml

Find the vmacore section, then find the ssl section inside it and set the versions of tls you want to enable:

<vmacore>

...

<ssl>                                                                                                     

   <doVersionCheck> true </doVersionCheck>                                   

   <!-- allowed SSL/TLS protocol versions -->

   <protocols>tls1.1,tls1.2</protocols>                               

   <libraryPath>/lib/</libraryPath>

</ssl>

Restart the proxy:

/etc/init.d/rhttpproxy restart

Reply
Billett
Contributor
Contributor
‎12-04-2017 09:22 AM
Jump to solution

Thank you prylance this option worked for me.

Reply
0 Kudos
jpin1
Contributor
Contributor
‎03-19-2020 11:58 AM
Jump to solution

I have also used the commands supplied by prylance​ with success.  To test the result I used openssl.

To test TLS 1.0, I ran:

openssl s_client -connect <host IP>:443 -tls1

Reply
0 Kudos