3 Replies Latest reply on Jul 18, 2019 3:38 AM by sk84

    Disable old SSL and TLS versions on VCSA?

    aj800 Novice

      We have to get security approval before opening ports, and in trying to permit access to the VCSA 6.5 Web Management interface (5480), we were requested to first disable SSLv1 and also configure a 'Tame' server (which I'm not sure what that is or how to do...). What impacts will this have on the VCSA and access to vSphere and vCenter? We're using TLS 1.2 now in our environments (by requirement, I believe) and older versions must be removed or disabled. How is this done if there is little impact or none?

        • 1. Re: Disable old SSL and TLS versions on VCSA?
          sk84 Expert
          vExpert

          Since vSphere 6.7, only TLSv1.2 is enabled by default. In addition, there is a tool for managing the TLS protocols:

          Managing TLS Protocol Configuration with the TLS Configurator Utility

          But since you didn't specify your version, other vSphere versions may look different.

          And whether changing the SSL/TLS settings will have an impact depends mainly on third-party software. vSphere itself (vCenter and ESXi hosts) will work fine with higher TLS versions from 6.5 onwards. However, if you are using other software (backup software, monitoring tools or other VMware products in older versions), it may no longer work.

          Or if you use the vSphere (Web) Client with an older browser that does not support TLS v1.2, you won't be able to connect to the vCenter Server.

           


          • 2. Re: Disable old SSL and TLS versions on VCSA?
            aj800 Novice

            Thanks. I mentioned we're running everything at 6.5 (vCenter is U2g, hosts are EP14). Everything should work (fingers crossed) with just TLS 1.2, and I was able to get the utility, which I'll run. But is there any reason why a scan would show SSLv1 still in use (they want us to disable SSLv1 - there was no mention of TLS versions, but if SSLv1 pops up in a scan I would assume older SSL and TLS versions might also need to be disabled)? Do you know what a Tame server is and what is to be configured?

            • 3. Re: Disable old SSL and TLS versions on VCSA?
              sk84 Expert
              vExpert

              Oh, I didn't see that you mentioned the version. Sorry for that.

              And I'm pretty sure SSLv1 is not used anymore in vSphere 6.5. You should therefore contact your security team and ask them which service or port uses SSLv1, and ask if this could be a false positive.

              And maybe this resource will also help you or your security team: VMware Knowledge Base

              "Do you know what a Tame server is and what is to be configured?"

              No. Here you should also ask your security team what they mean and what you should do.
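One way to settle the "which service or port still accepts old SSL/TLS" question yourself, rather than relying only on the scanner's report, is to handshake each vCenter port once per protocol version and record what the server accepts. The script below is an added example for this thread, not code from the forum posters or from VMware; it uses only the Python standard library. The host name is a placeholder, the default ports are the two named in the thread (443 for the vSphere Client/API, 5480 for the VAMI), and the set of "legacy" versions reflects the TLS-1.2-only policy discussed above. SSLv2 cannot be requested through Python's ssl module at all, and SSLv3 or TLS 1.0 may be compiled out of the local OpenSSL, in which case the script reports them as untestable from this client rather than as rejected by the server.

```python
"""Probe which SSL/TLS protocol versions a vCenter (VCSA) port accepts.

Added example for this thread; assumptions: Python 3.7+ with the standard
library only, network reachability to the target, and that a handshake
refusal with a pinned protocol version means the server does not offer it.
"""
import socket
import ssl
import sys

# Protocol versions the local ssl module can pin; SSLv2 is not expressible.
CANDIDATES = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]

# Versions a TLS-1.2-only policy (what the TLS Configurator utility enforces) must reject.
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}

# Ports named in the thread; extend the list for other vCenter services as needed.
DEFAULT_PORTS = [443, 5480]


def probe_version(host, port, version, timeout=5.0):
    """Handshake once with exactly one protocol version allowed.

    Returns 'accepted', 'rejected', 'unsupported-locally' (this client's
    OpenSSL cannot speak that version, so nothing is known about the server),
    or 'error: ...' for connectivity problems that must not be read as hardening.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we test protocol support, not certificate identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"
    try:
        # Old protocol versions need old cipher suites; lower the client's
        # security level so a refusal can only come from the server's policy.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and some builds reject the SECLEVEL keyword; keep defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket performs the handshake immediately on a connected socket
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except (ssl.SSLError, ConnectionResetError):
        return "rejected"  # alert, or the server dropped the connection on the ClientHello
    except OSError as exc:
        return f"error: {exc}"


def probe_port(host, port):
    """Map every candidate version name to its probe result for one port."""
    return {name: probe_version(host, port, ver) for name, ver in CANDIDATES}


def legacy_accepted(results):
    """Return the pre-TLS-1.2 versions a port's results show as accepted."""
    return sorted(v for v, state in results.items() if v in LEGACY and state == "accepted")


def is_tls12_only(results):
    """True when TLS 1.2 handshakes and no legacy version does."""
    return results.get("TLSv1.2") == "accepted" and not legacy_accepted(results)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "vcsa.example.local"  # placeholder host
    ports = [int(p) for p in sys.argv[2:]] or DEFAULT_PORTS
    for port in ports:
        res = probe_port(host, port)
        verdict = "OK (TLS 1.2 only)" if is_tls12_only(res) else "REVIEW"
        print(f"{host}:{port} {verdict}")
        for name, state in res.items():
            print(f"    {name:8} {state}")
        if legacy_accepted(res):
            print(f"    legacy versions still offered: {', '.join(legacy_accepted(res))}")
```

Run it as `python3 probe_tls.py vcsa.example.local 443 5480` from a host that is allowed to reach those ports. A port that reports `rejected` for SSLv3, TLS 1.0 and TLS 1.1 but `accepted` for TLS 1.2 matches the policy the thread is after; an `unsupported-locally` result means only that this client could not test that version, which is one reason a scanner running on a different OpenSSL build can disagree with a manual check.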