Hello,

kindly find Following :  Disable TLS Versions on ESXi Hosts

Please consider marking this answer "CORRECT" or "Helpful" if you think your question have been answered correctly.

Cheers,

VCIX6-NV|VCP-NV|VCP-DC|

@KakHassan

linkedin.com/in/hassanalkak

FWIW for QID 38604 we got this response from VMware.

The Qualysis Bug ID: 38604 is a false positive, we had filed an internal Bug to track if the the qualysis report was a vulnerability, and the result shared is below.

"The selected cipher "ECDHE-RSA-AES256-SHA384" is from "TLSv1/SSLv3" family, that doesn't mean the server is supporting SSLv3 protocol.
Protocol used is "Protocol : TLSv1.2" and no issues observed here.
It is possible that Qualys are flagging QID 38604 as it picks up on ECDHE-RSA-AES256-SHA384 which belongs to the SSLv3 family (although not in use). This is an assumption, we don't have information as to why Qualys are flagging this."
Conclusion:- vCSA does not use the SSLv3 protocol on port 1514 so this is a false positive.

Howdy,

I know this post is old, but figured I would reply anyways.

Beware - An update to the appliance might revert these changes, I have no idea.

I get this one all the time: QID 11827 - HTTP Security Header Not Detected port 443/tcp, port 5480/tcp

Try this in /etc/applmgmt/appliance/lighttpd.conf:

setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                               "X-Frame-Options" => "Deny",
                               "Cache-Control" => "max-age=0, no-store, no-cache, must-revalidate, no-cache=set-cookie",
                               "Pragma" => "nocache",
                               "X-XSS-Protection" => "1; mode=block",
                               "X-Content-Type-Options" => "nosniff",
                               "Strict-Transport-Security" => "31536000; includeSubdomains" )

Then systemctl restart vami-lighttp

I ran into this issue as well: QID 38604 - TLS CBC Incorrect Padding Abuse Vulnerability port 1514/tcp over SSL

Qualys doesn't care if only TLS 1.2 is enabled, it's not actually testing a handshake as that would incur too much load on some systems.  I think all it does is scan files for text and issue status commands to services.  The mere presence of a bad cipher in any conf file or command output causes Qualys to whine.  Rsyslog uses gnutls, whose settings are /etc/gnutls/default-priorities:

SYSTEM=NONE:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+AEAD:+SHA384:+SHA256:+SHA1:+COMP-NULL:+VERS-TLS1.2:+SIGN-RSA-SHA224:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-DSA-SHA224:+SIGN-DSA-SHA256:+SIGN-ECDSA-SHA224:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+CTYPE-OPENPGP:+CTYPE-X509:-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM

I changed this ^ to this v  (In addition to running /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLSv1.2)

SYSTEM=NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:+RSA:+SHA1:+COMP-NULL

I got a clean scan!

You might also be able to, in /etc/rsyslog.conf, manually load this module like this at the top of your conf:

module( load="imtcp"
        streamdriver.name="gtls"
        streamdriver.mode="1"
        streamdriver.authmode="anon"
        gnutlsprioritystring="NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:+RSA:+SHA1:+COMP-NULL"
        )
input(type="imtcp" port="1514")

Then systemctl restart rsyslog

Let me know if this works out for anyone else!