Update on 2024-08-15:
Good news: with vSphere 8 Update 3 the previous content became obsolete, so I took it offline and adjusted the content here.
Update 3 contains some major enhancements that make life in this regard much easier:
Starting in 8.0 Update 3, vSphere supports TLS 1.3 and 1.2 through the use of TLS profiles. TLS profiles simplify the job of administering TLS parameters and also improve supportability.
TLS profiles are prepared sets of versions, curves and ciphers that you can select, and the dependent services will be configured accordingly.
How cool is that: no more editing of individual configuration files and settings.
vCenter
You can find an overview in the documentation, but the gist is that you can configure them by API only. You can browse the Developer Center right from the vCenter UI; all relevant operations are under the path /api/appliance/tls/.
Here is how it looks when you switch from the default COMPATIBLE profile to NIST_2024. That's a pretty good fit for companies that need to get rid of SHA1 for compliance.
curl -X GET 'https://xxx/api/appliance/tls/profiles/global'
{
"profile": "NIST_2024"
}
I wrote a small bash script to do the checks and just report on the supported ciphers. You can find it on my GitHub script-junkyard.
# ./check_vcenter_ciphers.sh
Connecting to 10.0.0.6
Testing on port 443
SUCCESS: ECDHE-RSA-AES256-GCM-SHA384
SUCCESS: ECDHE-RSA-AES128-GCM-SHA256
---
Testing on port 636
SUCCESS: ECDHE-RSA-AES256-GCM-SHA384
SUCCESS: ECDHE-RSA-AES128-GCM-SHA256
---
Testing on port 1514
SUCCESS: ECDHE-RSA-AES256-GCM-SHA384
SUCCESS: ECDHE-RSA-AES128-GCM-SHA256
---
Testing on port 5480
SUCCESS: ECDHE-RSA-AES256-GCM-SHA384
SUCCESS: ECDHE-RSA-AES128-GCM-SHA256
---
Testing on port 5580
SUCCESS: ECDHE-RSA-AES256-GCM-SHA384
SUCCESS: ECDHE-RSA-AES128-GCM-SHA256
---
Testing on port 8084
SUCCESS: ECDHE-RSA-AES256-GCM-SHA384
SUCCESS: ECDHE-RSA-AES128-GCM-SHA256
---
Testing on port 9087
SUCCESS: ECDHE-RSA-AES256-GCM-SHA384
SUCCESS: ECDHE-RSA-AES128-GCM-SHA256
---
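As an added example (not the script-junkyard script the post links to): a POSIX shell probe that walks the same vCenter ports, tries a set of TLS 1.2 suites with openssl s_client, and flags any suite with an HMAC-SHA1 MAC that still negotiates after the switch to NIST_2024, so the profile change can be verified from the outside. The host name, the candidate cipher list and the WEAK label are assumptions; the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example, not the author's check_vcenter_ciphers.sh: probe a vCenter's
# TLS endpoints and report which TLS 1.2 suites negotiate. Suites whose name
# ends in -SHA use an HMAC-SHA1 MAC and should no longer appear under NIST_2024.

HOST="${HOST:-vcenter.example.internal}"   # placeholder, override via environment
PORTS="443 636 1514 5480 5580 8084 9087"   # the ports the post's script walks
# Candidate suites (assumed list): the first two are the ones reported above,
# the rest are older suites that a stricter profile is expected to reject.
CIPHERS="ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 \
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA AES128-SHA"

# is_legacy_mac NAME -> 0 when the suite's MAC is HMAC-SHA1 (name ends in -SHA)
is_legacy_mac() {
    case "$1" in
        *-SHA) return 0 ;;
        *)     return 1 ;;
    esac
}

# probe HOST PORT CIPHER -> 0 when a TLS 1.2 handshake with that suite succeeds;
# s_client exits non-zero on handshake failure, 'Q' closes a successful session.
probe() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" \
        >/dev/null 2>&1
}

# check_host: print SUCCESS/WEAK per port in the same layout as the post's
# output; the return value is the number of SHA1-MAC suites that negotiated.
check_host() {
    weak=0
    for port in $PORTS; do
        echo "Testing on port $port"
        for c in $CIPHERS; do
            if probe "$HOST" "$port" "$c"; then
                if is_legacy_mac "$c"; then
                    echo "WEAK: $c"; weak=$((weak + 1))
                else
                    echo "SUCCESS: $c"
                fi
            fi
        done
        echo "---"
    done
    return "$weak"   # non-zero exit is convenient for a compliance job
}

if [ "${RUN_PROBE:-0}" = 1 ]; then check_host; fi
```

Run it as `HOST=<vcenter> RUN_PROBE=1 ./probe_tls.sh` after the profile switch; any WEAK line means a service did not pick up the new profile.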
ESXi
On ESXi this works as expected via esxcli, as documented.
Also note this KB article for the fine print.