Hi,
I need to disable TLSv1.0 for PCI on an ESXi server running 6.5. I can do this on my 6.0 servers easily enough using the following commands:
esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "tlsv1"
esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols -s "tlsv1"
esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s "tlsv1"
When it comes to 6.5 I believe these do not work and from what I can gather you need to use a tool whilst running vCenter. I do not have vCenter running and therefore need to look at a possible solution outside of this.
Can anyone confirm if there is a method to disable this?
Regards
Chris
I managed to do this with these two steps ...
1. Set ESXiVPsDisabledProtocols:
esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3,tlsv1"
2. On the command line, edit /etc/vmware/rhttpproxy/config.xml
Find the vmacore section, then find the ssl section inside it and set the versions of TLS you want to enable:
<vmacore>
...
<ssl>
<doVersionCheck> true </doVersionCheck>
<!-- allowed SSL/TLS protocol versions -->
<protocols>tls1.1,tls1.2</protocols>
<libraryPath>/lib/</libraryPath>
</ssl>
Restart the proxy:
/etc/init.d/rhttpproxy restart
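The config.xml edit in step 2 can be checked and applied without hand-editing. The following is an added example, not code from the thread or from VMware; it assumes the file's root element is `<config>` (the thread only shows the `<vmacore>` fragment) and uses a constructed sample file:

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the /etc/vmware/rhttpproxy/config.xml
# fragment quoted in the thread; the <config> root element is an assumption.
SAMPLE_CONFIG = """<config>
  <vmacore>
    <ssl>
      <doVersionCheck> true </doVersionCheck>
      <!-- allowed SSL/TLS protocol versions -->
      <protocols>tls1.0,tls1.1,tls1.2</protocols>
      <libraryPath>/lib/</libraryPath>
    </ssl>
  </vmacore>
</config>
"""

WEAK = {"sslv3", "tls1.0"}  # versions that must be off for PCI

def enabled_protocols(xml_text):
    """Return the protocol list rhttpproxy will accept according to config.xml."""
    root = ET.fromstring(xml_text)
    node = root.find("./vmacore/ssl/protocols")
    if node is None or not node.text:
        return []
    return [p.strip() for p in node.text.split(",") if p.strip()]

def set_protocols(xml_text, protocols):
    """Return config.xml text with <vmacore><ssl><protocols> set to `protocols`.
    Creates <vmacore>, <ssl> and <protocols> if they are missing.
    Note: ElementTree drops XML comments, so diff the result before copying it
    over the real file on the host."""
    root = ET.fromstring(xml_text)
    vmacore = root.find("./vmacore")
    if vmacore is None:
        vmacore = ET.SubElement(root, "vmacore")
    ssl = vmacore.find("ssl")
    if ssl is None:
        ssl = ET.SubElement(vmacore, "ssl")
    node = ssl.find("protocols")
    if node is None:
        node = ET.SubElement(ssl, "protocols")
    node.text = ",".join(protocols)
    return ET.tostring(root, encoding="unicode")

def weak_protocols(xml_text):
    """Weak protocols still enabled in config.xml (empty set means compliant)."""
    return WEAK & set(enabled_protocols(xml_text))

if __name__ == "__main__":
    print("before:", enabled_protocols(SAMPLE_CONFIG), "weak:", weak_protocols(SAMPLE_CONFIG))
    hardened = set_protocols(SAMPLE_CONFIG, ["tls1.1", "tls1.2"])
    print("after: ", enabled_protocols(hardened), "weak:", weak_protocols(hardened))
```

The rhttpproxy restart from step 3 is still required after writing the changed file, and the openssl check later in the thread confirms the result from the network side.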
Have you tried those commands on ESXi 6.5, and have they failed?
How do you know it does not work?
Have you read this? -> VMware Knowledge Base.
Out of curiosity, I tried running your commands on a test host and it's only the first one that works. If you compare esx.conf before and after, there are indeed new settings added to it.
After rebooting the host, I logged in using the ESXi host client. I don't know if this is a valid test, or if it's even relevant, but it's still using TLS 1.2 to connect. This is the same protocol used when connecting to another 6.5 host.
The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_256_GCM (a strong cipher).
Also, have a look at this: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vmware-6.5-security-configur...
Row 9 is what you want.
Thank you prylance, this option worked for me.
I have also used the commands supplied by prylance with success. To test the result I used openssl.
To test TLS 1.0, I ran:
openssl s_client -connect <host IP>:443 -tls1