VMware Cloud Community
aj800 (Enthusiast)

Disable old SSL and TLS versions on VCSA?

We have to get security approval before opening ports, and in trying to permit access to the VCSA 6.5 Web Management interface (5480), we were requested to first disable SSLv1 and also "Configure 'Tame' Server" (which I'm not sure what that is or how to do). What impacts will this have on the VCSA and access to vSphere and vCenter? We're using TLS 1.2 now in our environments (by requirement, I believe) and older versions must be removed or disabled. How is this done if there is little impact or none?

Accepted Solutions
sk84 (Expert)

Since vSphere 6.7 only TLSv1.2 is enabled by default. In addition there is a tool for managing the TLS protocols:

Managing TLS Protocol Configuration with the TLS Configurator Utility

But since you didn't specify your version, other vSphere versions may look different.

And whether changing the SSL/TLS settings will have an impact depends mainly on third-party software. vSphere itself (vCenter and ESXi Hosts) will work fine with higher TLS versions from 6.5 onwards. However, if you are using other software (backup software, monitoring tools or other VMware products in older versions), they may no longer work.

Or if you use the vSphere (Web) client with an older browser that does not support TLS v1.2, you won't be able to connect to the vCenter server.


--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.

3 Replies
aj800 (Enthusiast)

Thanks. I mentioned we're running everything at 6.5 (vCenter is U2g, hosts are EP14). Everything should work (fingers crossed) with just TLS 1.2, and I was able to get the Utility, which I'll run. But is there any reason why a scan would show SSLv1 still in use (they want us to disable SSLv1; there was no mention of TLS versions, but if SSLv1 pops up in a scan I would assume older SSL and TLS versions might also need to be disabled)? Do you know what a Tame server is and what is to be configured?

sk84 (Expert)

Oh, I didn't see that you mentioned the version. Sorry for that.

And I'm pretty sure SSLv1 is not used anymore in vSphere 6.5. You should therefore contact your security team and ask them which service or port uses SSLv1 and ask if this could be a false positive.

And maybe this resource will also help you or your security team: VMware Knowledge Base

> Do you know what a Tame server is and what is to be configured?

No. Here you should also ask your security team what they mean and what you should do.

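The two open questions in the thread (will disabling legacy versions break anything, and is the scanner's "SSLv1" finding real) both come down to the same check: after running the TLS Configurator utility against the appliance, confirm from a client which protocol versions the management port still negotiates. The script below is an added example written for this thread; it is not VMware's code and not the TLS Configurator, whose own commands are in the linked VMware documentation. It pins one client handshake per TLS version against a host and port, reports accepted / rejected / unreachable / untestable for each, and lists anything outside the allowed set. The hostname `vcsa.example.invalid` is a placeholder; port 5480 is the appliance management interface from the question. Two caveats the thread itself raises: SSL 1.0 was never publicly released (scanners normally flag SSLv2 or SSLv3, so the finding's label is worth querying with the security team, as sk84 suggests), and a modern OpenSSL cannot offer SSLv2/SSLv3 at all, so this probe covers TLS 1.0 through 1.3 only and marks a version "untestable" when the local OpenSSL refuses to speak it, which is also why two scanners can disagree. The local plaintext listener is a constructed stand-in so the module can be exercised offline.

```python
"""Probe which TLS protocol versions a listener negotiates (constructed example, not VMware code)."""
import socket
import ssl
import threading
from typing import Callable, Dict, List, Optional, Tuple

# Versions this client can ask for. SSLv2/SSLv3 are absent on purpose:
# modern OpenSSL builds cannot speak them, so a Python client cannot probe them.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def build_context(version: ssl.TLSVersion) -> Optional[ssl.SSLContext]:
    """Return a client context pinned to exactly one protocol version,
    or None when the local OpenSSL refuses to offer that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol negotiation is the question here, not trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:  # OpenSSL built without this version
        return None
    if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        # OpenSSL >= 1.1.1 hides the legacy versions behind its security level;
        # lowering it changes only what this probe offers, nothing on the server.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe(host: str, port: int, timeout: float = 5.0) -> Dict[str, str]:
    """One handshake per version; status is accepted / rejected / unreachable / untestable."""
    results: Dict[str, str] = {}
    for name, version in VERSIONS.items():
        ctx = build_context(version)
        if ctx is None:
            results[name] = "untestable"
            continue
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:  # refused, no route, or connect timeout
            results[name] = "unreachable"
            continue
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                results[name] = "accepted"  # handshake completed at the pinned version
        except OSError:  # ssl.SSLError, ConnectionResetError and timeouts are all OSError
            results[name] = "rejected"
        finally:
            raw.close()
    return results


def assess(results: Dict[str, str], allowed: Tuple[str, ...] = ("TLSv1.2", "TLSv1.3")) -> List[str]:
    """Versions the server accepted that the policy does not allow, sorted for stable reporting."""
    return sorted(v for v, status in results.items() if status == "accepted" and v not in allowed)


def start_plaintext_listener() -> Tuple[int, Callable[[], None]]:
    """Constructed local stand-in for offline use: accepts TCP connections and closes
    them without speaking TLS, so every version must come back as rejected."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.1)
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def shutdown() -> None:
        stop.set()
        worker.join()

    return srv.getsockname()[1], shutdown


if __name__ == "__main__":
    import sys
    # Placeholder host: replace with the VCSA's FQDN. Port 5480 is the appliance management UI.
    target = sys.argv[1] if len(sys.argv) > 1 else "vcsa.example.invalid"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5480
    report = probe(target, target_port)
    for version, status in report.items():
        print(f"{version:8} {status}")
    legacy = assess(report)
    print("legacy versions still accepted:", ", ".join(legacy) or "none")
```

Run it as `python probe_tls.py vcsa.example.invalid 5480` from a machine allowed to reach the port, once before and once after applying the TLS Configurator change; the "before" run doubles as a quick sanity check on the scanner's finding, and re-running it against the other services the thread mentions (backup and monitoring integrations) is the cheapest way to see which peers would be cut off when only TLS 1.2 remains.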