idan_a
Contributor

Enable only TLSv1.2

Hey all,

I have to disable TLSv1.0 and v1.1 and enable v1.2.

Today I tried to do that with the VMware guide, but I have a problem. I have a cluster with 1 ESXi 6.5 and 2 ESXi 6.0.

The TLS utility from VMware is divided into versions 6.0 and 6.5, so when I try to use this utility (version 6.5) I get an error that some ESXi hosts are 6.0 and it's not possible to do that.

When I uninstall utility version 6.5 and install 6.0, I get an error about ESXi 6.5.

When I try to configure as standalone or just one host, I get an error that the ESXi is a member of a cluster and I need to run the command as a cluster.

What can I do to fix that and successfully run this command?

Thanks!

8 Replies
scott28tt
VMware Employee

@idan_a 

Some of the links and replies on this thread might help: https://communities.vmware.com/t5/ESXi-Discussions/I-am-trying-to-Disable-TLS-1-0-and-1-1-on-a-6-5-E...

(thread found using search)

 



Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
idan_a
Contributor

No, it doesn't help.

I know everything that is written there.

I run the script via vCenter.

But again, my problem is that in my cluster I have ESXi 6.0 and 6.5, and the script has 2 versions, for 6.0 and 6.5.

I got an error that I have ESXi 6.0 when I run script 6.5, and an error that I have ESXi 6.5 when I run script 6.0.

Lalegre
Virtuoso

Hey @idan_a,

Take into account that 6.0 U3 is the version from which TLS can be disabled; if your build is lower than that, then the change is not supported. Also remember that 6.0 is EOL, so I recommend you update to the next supported version, which is at least 6.5.

However, I just found the following article saying that there is a solution for mixed versions by using the latest utility version, which I think comes with the release of vSphere 6.7. Take a look at it: https://virtuallyvtrue.com/2019/05/08/disabling-tlsv1-0-and-enabling-tlsv1-1-and-or-tlsv1-2-in-mixed...

idan_a
Contributor

Hey,

I did as in this article:

  https://virtuallyvtrue.com/2019/05/08/disabling-tlsv1-0-and-enabling-tlsv1-1-and-or-tlsv1-2-in-mixed...

but I still got this error:

idan_a_0-1612860368574.png

What am I missing?

Ajay1988
Expert

Mixed-version ESXi support for TLS was only added from 6.7 U3g (vCenter) onwards. In your case, use the command for standalone ESXi.

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-BDCE47DD-8AD2-4C9...

 

vCenter 6.7 U3g release notes for your reference below.
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3g-release-notes.html
The TLS reconfiguration utility cannot be configured on mixed version cluster host
vCenter Server 6.7 Update 3g adds an enhancement to the TLS reconfiguration utility that allows you to configure TLS protocol settings on ESXi hosts from the 6.5 and 6.0 lines. You can also manage the TLS protocol configuration of a mixed cluster of ESXi hosts from the 6.7, 6.5 and 6.0 lines by using a single instance of vCenterCluster in the TLS configuration utility.
This issue is resolved in this release.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
idan_a
Contributor

How does version 6.7 help me???

I wrote that I have versions 6.5 and 6.0.

My vCenter is 6.5, with 1 ESXi 6.5 and 2 ESXi 6.0.

I tried vCenterCluster, vCenterHost and ESXiHost; I got an unsupported version error.

I can't use vCenterHost and ESXiHost because my ESXi hosts are members of a cluster.

Ajay1988
Expert

In short:

Upgrade your VC to 6.7 U3g, as support for mixed ESXi versions in a cluster started from 6.7 U3g only

OR

Upgrade all of the cluster's ESXi hosts to 6.5

OR

Remove the hosts from the VC cluster and use reconfigureEsx ESXiHost

 

 


Regards,
AJ
idan_a
Contributor

I will do option 3.

Thanks
