{"id":7983,"date":"2021-11-15T21:27:34","date_gmt":"2021-11-15T20:27:34","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=7983"},"modified":"2021-11-17T11:37:10","modified_gmt":"2021-11-17T10:37:10","slug":"esxi-change-certificate-cipher-modes","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/esxi-change-certificate-cipher-modes\/","title":{"rendered":"ESXi: Change encryption cipher modes"},"content":{"rendered":"<p>Hi,<\/p>\n<p>security scanners may rank the TLS ciphers an ESXi host offers as weak.<br \/>\n<!--more--> <!-- https:\/\/kb.vmware.com\/s\/article\/79476 --><br \/>\nIt is possible to restrict the host to a safer set of ciphers.<\/p>\n<p>All services use the same certificate, but the cipher list has to be configured for each service separately.<\/p>\n<p><strong>Web GUI https on port 443<\/strong><br \/>\nConnect to the ESXi host via SSH and open<br \/>\n<code><br \/>\n\/etc\/vmware\/rhttpproxy\/config.xml<br \/>\n<\/code><br \/>\nLocate the cipherList node below config\/vmacore\/ssl; if it does not exist, create it:<\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\n&lt;config&gt;\r\n    &lt;vmacore&gt;\r\n        &lt;ssl&gt;\r\n            &lt;cipherList&gt;&lt;\/cipherList&gt;\r\n        &lt;\/ssl&gt;\r\n    &lt;\/vmacore&gt;\r\n&lt;\/config&gt;\r\n<\/pre>\n<p>then set the cipherList to<\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\n         &lt;cipherList&gt;!aNULL:ECDHE+AESGCM:ECDHE+AES&lt;\/cipherList&gt;\r\n<\/pre>\n<p>The string uses OpenSSL cipher list syntax: <code>!aNULL<\/code> permanently excludes anonymous (unauthenticated) suites, and the two ECDHE groups keep only ephemeral ECDH key exchange (forward secrecy) with AES-GCM preferred over AES-CBC. Note that the second group still allows CBC suites, which some scanners flag as well; whether you can drop it depends on which clients still need to connect. Restart the rhttpproxy daemon<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n~ # \/etc\/init.d\/rhttpproxy restart\r\n<\/pre>\n<p><strong>CIM daemon on port 5989<\/strong><br \/>\nopen<br \/>\n<code><br \/>\n\/etc\/sfcb\/sfcb.cfg<br \/>\n<\/code><br \/>\nand replace the sslCipherList line (or add it at the end of the file if it is missing) with<br \/>\n<code><br \/>\nsslCipherList: ECDHE+AESGCM:ECDHE+AES<br \/>\n<\/code><br \/>\n
Restart the CIM daemon (sfcbd)<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n~ # \/etc\/init.d\/sfcbd-watchdog restart\r\n<\/pre>\n<p><strong>Fault Domain Manager (HA agent) on port 8182<\/strong><br \/>\nopen the file<br \/>\n<code><br \/>\n\/etc\/opt\/vmware\/fdm\/fdm.cfg<br \/>\n<\/code><br \/>\nand add <code>&lt;cipherList&gt;!aNULL:ECDHE+AESGCM:ECDHE+AES&lt;\/cipherList&gt;<\/code> as a child of the ssl node (same layout as in the rhttpproxy config):<\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\n&lt;config&gt;\r\n    &lt;vmacore&gt;\r\n        &lt;ssl&gt;\r\n            &lt;cipherList&gt;!aNULL:ECDHE+AESGCM:ECDHE+AES&lt;\/cipherList&gt;\r\n        &lt;\/ssl&gt;\r\n    &lt;\/vmacore&gt;\r\n&lt;\/config&gt;\r\n<\/pre>\n<p>Restart the fdm daemon<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n~ # \/etc\/init.d\/vmware-fdm restart\r\n<\/pre>\n<p><strong>And finally the I\/O Filter daemon iofilterVP on port 9080<\/strong><br \/>\nFirst, stop the daemon<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n~ # \/etc\/init.d\/iofiltervpd stop\r\n<\/pre>\n<p>Then change the <strong>\/UserVars\/ESXiVPsAllowedCiphers<\/strong> advanced option with esxcli.<br \/>\nShow the current value<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n~ # esxcli system settings advanced list -o \/UserVars\/ESXiVPsAllowedCiphers\r\n<\/pre>\n<p>and set the new cipher list (quoted, so that no shell treats the leading <code>!<\/code> specially)<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n~ # esxcli system settings advanced set -o \/UserVars\/ESXiVPsAllowedCiphers -s '!aNULL:ECDHE+AESGCM:ECDHE+AES'\r\n<\/pre>\n<p>Start the daemon<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n~ # \/etc\/init.d\/iofiltervpd start\r\n<\/pre>\n<p>Check the state of the IO Filter Provider for this host in the vCenter&#8217;s Storage Providers list.<br \/>\n
If it is not &#8220;active&#8221; you have to re-register the host&#8217;s IO Filter Provider.<br \/>\n<figure id=\"attachment_7990\" aria-describedby=\"caption-attachment-7990\" style=\"width: 746px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2021\/11\/vCenter-ReregisterIOStorageProvider.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2021\/11\/vCenter-ReregisterIOStorageProvider.png\" alt=\"vCenter Reregister IOStorageProvider\" width=\"746\" height=\"142\" class=\"size-full wp-image-7990\" srcset=\"https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2021\/11\/vCenter-ReregisterIOStorageProvider.png 746w, https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2021\/11\/vCenter-ReregisterIOStorageProvider-300x57.png 300w\" sizes=\"auto, (max-width: 746px) 100vw, 746px\" \/><\/a><figcaption id=\"caption-attachment-7990\" class=\"wp-caption-text\">vCenter Reregister IOStorageProvider<\/figcaption><\/figure><\/p>\n<p>Additional hints:<br \/>\nCheck the cipher string syntax and list the cipher suites it expands to<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nopenssl ciphers -v '!aNULL:ECDHE+AESGCM:ECDHE+AES'\r\n<\/pre>\n<p>Michael<\/p>\n<p>See also<br \/>\n<a href=\"https:\/\/core.vmware.com\/resource\/vmware-vsphere-70-default-ssltls-cipher-suites#section4\" rel=\"noopener\" target=\"_blank\">VMware vSphere 7.0 Default SSL\/TLS Cipher Suites<\/a><br \/>\n<a href=\"https:\/\/kb.vmware.com\/s\/article\/1018510\" rel=\"noopener\" target=\"_blank\">Ciphers supported on ESX\/ESXi and vCenter Server<\/a><br \/>\n<a href=\"http:\/\/manpages.ubuntu.com\/manpages\/impish\/man1\/ciphers.1ssl.html\" rel=\"noopener\" target=\"_blank\">OpenSSL ciphers(1) manual page (cipher list syntax)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, security scanners may rank the ciphers an ESXi host uses for encryption as weak.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[122,1673,1488,1674,457,1671,1667,1668,1670,1669,1672,14],"class_list":["post-7983","post","type-post","status-publish","format-standard","hentry","category-vmware","tag-change","tag-cim-daemon","tag-cipher","tag-encryption","tag-esxi","tag-fdm-daemon","tag-port-443","tag-port-5989","tag-port-8192","tag-port-9080","tag-rhttpproxy-daemon","tag-vmware-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/7983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=7983"}],"version-history":[{"count":19,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/7983\/revisions"}],"predecessor-version":[{"id":8004,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/7983\/revisions\/8004"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=7983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=7983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=7983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
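The post edits three files by hand on the host (the config/vmacore/ssl/cipherList node in rhttpproxy's config.xml and in fdm.cfg, and the sslCipherList line in sfcb.cfg). The script below is an added example, not code from the post or from VMware: it applies the same edits to a copy of each file on an admin workstation (fetch and push the files with scp, then restart the daemons as described above), and it expands the cipher string with the local libssl before anything is copied back, so a typo is caught before a daemon refuses to start. The sample file contents, the function names and the `weak_suites` policy (ECDHE or TLS 1.3 only, no NULL/export/RC4/3DES/MD5/anonymous suites) are my assumptions for this example; the cipher string itself is the one from the post.

```python
# Added example (not from the original post or from VMware): prepare the
# cipherList for the two XML configs (rhttpproxy config.xml, fdm.cfg) and the
# sfcb.cfg key/value file, and sanity-check the cipher string with the local
# libssl before copying the files back to the ESXi host.
import ssl
import xml.etree.ElementTree as ET
from typing import List, Optional

# The cipher string used in the post. The ECDHE alias already excludes
# anonymous suites, so !aNULL is belt-and-braces; the sfcb.cfg line in the
# post omits it and is equivalent.
CIPHER_LIST = "!aNULL:ECDHE+AESGCM:ECDHE+AES"

# Constructed sample (not a real ESXi file) of a config.xml without ssl/cipherList.
SAMPLE_CONFIG_XML = "<config>\n    <vmacore>\n    </vmacore>\n</config>\n"

# Constructed sample (not a real ESXi file) of an sfcb.cfg with a permissive list.
SAMPLE_SFCB_CFG = "# constructed sample, not a real sfcb.cfg\nsslCipherList: ALL\n"


def get_cipher_list(xml_text: str) -> Optional[str]:
    """Return the text of config/vmacore/ssl/cipherList, or None if absent."""
    node = ET.fromstring(xml_text).find("./vmacore/ssl/cipherList")
    return None if node is None else (node.text or "")


def set_cipher_list(xml_text: str, cipher_list: str = CIPHER_LIST) -> str:
    """Return xml_text with config/vmacore/ssl/cipherList set to cipher_list.

    Missing vmacore/ssl/cipherList elements are created ("if it does not
    exist, create it"), an existing cipherList is overwritten in place, and
    sibling nodes are left untouched.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        raise ValueError("expected <config> root, got <%s>" % root.tag)
    node = root
    for tag in ("vmacore", "ssl", "cipherList"):
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    node.text = cipher_list
    if hasattr(ET, "indent"):  # Python 3.9+: re-indent the nodes we created
        ET.indent(root, space="    ")
    return ET.tostring(root, encoding="unicode") + "\n"


def set_sfcb_cipher_list(cfg_text: str, cipher_list: str = CIPHER_LIST) -> str:
    """Replace the sslCipherList line of an sfcb.cfg, or append it if missing."""
    new_line = "sslCipherList: " + cipher_list
    lines = cfg_text.splitlines()
    hits = [i for i, line in enumerate(lines)
            if line.split(":", 1)[0].strip() == "sslCipherList"]
    for i in hits:
        lines[i] = new_line
    if not hits:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def resolved_ciphers(cipher_list: str = CIPHER_LIST) -> List[str]:
    """Expand an OpenSSL cipher string with the local libssl, like
    `openssl ciphers -v`; raises ssl.SSLError if nothing matches.
    TLS 1.3 suites (TLS_*) are listed regardless of the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names: List[str]) -> List[str]:
    """Suites that violate the policy behind the post's cipher string:
    anonymous/NULL/export/RC4/3DES/MD5, or a key exchange without forward
    secrecy (anything that is neither ECDHE nor a TLS 1.3 suite)."""
    bad_tokens = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")
    return [n for n in names
            if any(t in n for t in bad_tokens)
            or not n.startswith(("ECDHE-", "TLS_"))]


if __name__ == "__main__":
    print(set_cipher_list(SAMPLE_CONFIG_XML))
    print(set_sfcb_cipher_list(SAMPLE_SFCB_CFG))
    suites = resolved_ciphers()
    print("%d suites match, policy violations: %s" % (len(suites), weak_suites(suites)))
```

Run it once before touching the host: if `resolved_ciphers()` raises, the string is malformed and a daemon would start with an empty list. After the restart, confirm from outside with a suite the new list excludes, for example `openssl s_client -connect host:443 -tls1_2 -cipher AES256-GCM-SHA384` (static RSA key exchange); with the new cipherList that handshake must fail, and the same check applies to ports 5989, 8182 and 9080.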