VMware {code} Community
ecollins1206
Contributor

Disable TLS 1.2 for ESXi version 6.7

I am new to ESXi administration and I need to disable TLS v1.2 and the following ciphers:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

I have already tried editing the UserVars.ESXiVPsAllowedCiphers to !aNULL:kECDH+AESGCM:ECDH+AESGCM:kECDH+AES:ECDH

But the security scans are still saying the above ciphers are allowed.

doskiran
Enthusiast

Use TLS Configurator utility to enable or disable TLS Versions on ESXi Hosts.

Starting with vSphere 6.7, the TLS Configurator utility is included in the product. You no longer download it separately.

Ref - https://kb.vmware.com/s/article/2147469
Ref - https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-BDCE47DD-8AD2-4C9...

*Note:
Ensure that any products or services associated with the ESXi host can communicate using TLS 1.1 or TLS 1.2. For products that communicate only using TLS 1.0, connectivity is lost.


- To disable TLS 1.2, and enable only TLS 1.1 on an individual host, run the following command.

[ /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator ]# ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <vCenter_Administrative_User> -p TLSv1.1

or (on a standalone ESXi host)

[ /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator ]# ./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u root -p TLSv1.1

- Once completed, the hosts will be flagged for reboot; reboot the ESXi host to complete the TLS protocol changes.


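After running reconfigureEsx and rebooting, the only way to know whether the scanner will stop flagging the host is to check what the listener actually negotiates. The script below is an added example, not code from this thread or from VMware: run from a management workstation with the openssl command-line tool, it probes a host's HTTPS listener (assumed to be tcp/443) for each TLS version and for each of the six RSA suites listed in the question. The host name esxi01.example.com and the port are placeholders, and the IANA-to-OpenSSL suite name mapping is the standard one used by `openssl s_client -cipher`.

```shell
#!/bin/sh
# Added example, not from the VMware thread: verify from a management host
# which TLS versions and cipher suites an ESXi host's HTTPS listener
# (assumed tcp/443) still accepts after reconfigureEsx and the reboot.
# Requires the openssl command-line tool on the machine running this script.

# Map the IANA cipher-suite names from a scanner report to the OpenSSL
# names that `openssl s_client -cipher` understands.
iana_to_openssl() {
    case "$1" in
        TLS_RSA_WITH_AES_128_CBC_SHA)    echo AES128-SHA ;;
        TLS_RSA_WITH_AES_128_CBC_SHA256) echo AES128-SHA256 ;;
        TLS_RSA_WITH_AES_128_GCM_SHA256) echo AES128-GCM-SHA256 ;;
        TLS_RSA_WITH_AES_256_CBC_SHA)    echo AES256-SHA ;;
        TLS_RSA_WITH_AES_256_CBC_SHA256) echo AES256-SHA256 ;;
        TLS_RSA_WITH_AES_256_GCM_SHA384) echo AES256-GCM-SHA384 ;;
        *) echo "unknown suite: $1" >&2; return 1 ;;
    esac
}

# Classify an `openssl s_client` transcript read on stdin as "accepted"
# (a session was negotiated) or "rejected" (alert, wrong version, or the
# null cipher 0000 in the session summary).
classify_handshake() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -qE 'Cipher *: *0000|Cipher is \(NONE\)|alert (handshake failure|protocol version)|wrong version number'; then
        echo rejected
    elif printf '%s\n' "$transcript" | grep -qE '^ *Cipher *: *[A-Z0-9-]+ *$'; then
        echo accepted
    else
        echo rejected
    fi
}

# Try one protocol version: $1=host $2=port $3=openssl version flag
# (-tls1, -tls1_1 or -tls1_2)
probe_version() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" "$3" 2>&1 | classify_handshake
}

# Try one cipher suite over TLS 1.2: $1=host $2=port $3=IANA suite name
probe_cipher() {
    suite=$(iana_to_openssl "$3") || return 1
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 -cipher "$suite" 2>&1 | classify_handshake
}

# Usage: ./tlscheck.sh esxi01.example.com [443]   (host name is a placeholder)
if [ $# -gt 0 ]; then
    host=$1; port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$host" "$port" "$flag")"
    done
    for suite in TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 \
                 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA \
                 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384; do
        printf '%-32s %s\n' "$suite" "$(probe_cipher "$host" "$port" "$suite")"
    done
fi
```

Two caveats when reading the output: an OpenSSL 3 client refuses to offer TLS 1.0/1.1 at its default security level and reports "no protocols available", which is a client-side limitation rather than a server rejection (lower the client's security level, for example with `-cipher 'DEFAULT:@SECLEVEL=0'`, to actually test those versions); and the script only exercises the listener on the port you give it, so a scanner finding against a different ESXi service port needs the same probe against that port.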