ESXi: Change encryption cipher modes


Security scanners may rank the ciphers an ESXi host uses for encryption as weak.

It is possible to use a safe(r) set of ciphers.

The certificate is the same for all services, but the cipher list has to be configured for each service on its own.

Webgui https on port 443
Connect to the ESXi host and open


Locate the cipherList node; if it does not exist, create it.


Then set the cipher list to


Restart the rhttpproxy daemon

~ # /etc/init.d/rhttpproxy restart

CIM daemon on port 5989


and replace the sslCipherList line with


at the end of the file. Restart the daemon

~ # /etc/init.d/vmware-fdm restart

Fault Domain Manager (HA Agent) on port 8182
Open the file


and add !aNULL:ECDHE+AESGCM:ECDHE+AES as a subnode of the ssl node.


Restart the fdm daemon

~ # /etc/init.d/vmware-fdm restart

And finally the I/O Filter daemon iofilterVP on port 9080
First, stop the daemon

~ # /etc/init.d/iofiltervpd stop

Then modify the /UserVars/ESXiVPsAllowedCiphers option with esxcli.
Show the current value

~ # esxcli system settings advanced list -o /UserVars/ESXiVPsAllowedCiphers

and set the new cipher modes

~ # esxcli system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s !aNULL:ECDHE+AESGCM:ECDHE+AES

Start the daemon

~ # /etc/init.d/iofiltervpd start

Check the state of the IO Filter Provider for this host in the vCenter's Storage Providers list. If it is not "active", you have to re-register the host's IO Filter Provider.

vCenter Reregister IOStorageProvider

Additional hints:
Check the cipher suite syntax and list the allowed ciphers

openssl ciphers -v '!aNULL:ECDHE+AESGCM:ECDHE+AES'
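As an added check (not part of the original post), the following script parses the lines that openssl ciphers -v prints for the cipher string used above and reports every suite that falls outside the intended policy (ECDHE key exchange, no anonymous suites, AES encryption). The sample lines are constructed, not captured from a host; the Python ssl module can also expand the string with the local OpenSSL for the same audit.

```python
"""Audit the cipher string set on the ESXi services in this post.

Parses `openssl ciphers -v` style lines (the same text the ssl module
exposes as each cipher's 'description') and flags suites that are not
ECDHE + authenticated + AES, i.e. what a scanner would still rank weak.
"""
import re
import ssl

POLICY = "!aNULL:ECDHE+AESGCM:ECDHE+AES"  # cipher string from the post

# One `openssl ciphers -v` line: NAME PROTOCOL Kx=.. Au=.. Enc=.. Mac=..
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

def parse_cipher_line(line):
    """Return the fields of one `openssl ciphers -v` line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def violations(suite):
    """List the policy rules a parsed suite breaks (empty list means compliant)."""
    problems = []
    if suite["au"] == "None":
        problems.append("anonymous (aNULL) suite")
    if suite["kx"] != "ECDH":
        problems.append("non-ECDHE key exchange %s" % suite["kx"])
    if not suite["enc"].startswith("AES"):
        problems.append("non-AES cipher %s" % suite["enc"])
    return problems

def audit(text):
    """Map every suite name found in `text` to its list of violations."""
    report = {}
    for line in text.splitlines():
        suite = parse_cipher_line(line)
        if suite:
            report[suite["name"]] = violations(suite)
    return report

def audit_local_openssl(cipher_string=POLICY):
    """Expand `cipher_string` with the local OpenSSL and audit the result.
    TLS 1.3 suites are skipped: the cipher string does not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    lines = [c["description"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return audit("\n".join(lines))

# Constructed sample (not real scanner output): two compliant suites, two weak ones.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256   TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AECDH-AES256-SHA            SSLv3   Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
"""
```

Pipe the real output of the openssl command above into audit(), or call audit_local_openssl(), to confirm the string expands only to suites that meet the policy on your OpenSSL build.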


See also
VMware vSphere 7.0 Default SSL/TLS Cipher Suites
Ciphers supported on ESX/ESXi and vCenter Server
Ciphers list
