
OPERATIONAL DEFECT DATABASE
A security scan reports "static TLS ciphers" or "non-ephemeral TLS ciphers" as an area of concern. This includes ciphers such as TLS_RSA_WITH_AES_128_CBC_SHA or TLS_RSA_WITH_AES_128_GCM_SHA256.

This issue occurs because the TLS protocol uses an RSA key within the handshake to affirm the server's identity, and with a "static TLS cipher" that same RSA key is also used to encrypt the premaster secret from which the keys for further encrypted communication are derived. If the RSA private key were compromised, all previously recorded communication could be decrypted. Newer TLS ciphers use Diffie-Hellman with ephemeral keys (DHE, ECDHE) to negotiate a one-time key, so that previous communication cannot be decrypted in the event of key compromise. vSphere products have supported ephemeral key exchange since at least version 6.0.

To resolve this issue, disable weak cipher algorithms.

Note: VMware presently does not consider static TLS ciphers insecure, in alignment with current industry standards. Additionally, many older (legacy) software products in the enterprise datacenter (for example, Java 7) lack support for ephemeral key exchange, and interoperability with such products would break if static TLS ciphers were disabled. As such, VMware does not recommend disabling static TLS ciphers. However, VMware will support users who wish to configure a different set of TLS ciphers to comply with their own security policies.

For port 443 (HTTPS) on ESXi
1. Connect to the ESXi host through SSH.
2. Take a backup of the /etc/vmware/rhttpproxy/config.xml file.
3. Open /etc/vmware/rhttpproxy/config.xml in a text editor.
4. Find the line containing <cipherList>. If it doesn't exist, create it within this XML structure:
   <config>
     <vmacore>
       <ssl>
         <cipherList>...</cipherList>
       </ssl>
     </vmacore>
   </config>
5. Replace the line with:
   <cipherList>!aNULL:ECDHE+AESGCM:ECDHE+AES</cipherList>
6. For the changes to take effect, restart the rhttpproxy service:
   /etc/init.d/rhttpproxy restart

For port 5989 (CIM) on ESXi
1. Connect to the ESXi host through SSH.
2. Navigate to the /etc/sfcb folder.
3. Take a backup of the sfcb.cfg file.
4. Open the sfcb.cfg file in a text editor.
5. Add the following line:
   sslCipherList: ECDHE+AESGCM:ECDHE+AES
6. Restart the CIM service:
   /etc/init.d/sfcbd-watchdog restart

Note: On ESXi 7.0 U2 and later it is not possible to edit /etc/sfcb/sfcb.cfg manually, as outlined in the article "vSphere ESXi 7.0 U2 and later versions configuration files for sfcb 'wbem' and snmp can no longer be edited". The cipher list is instead set by running the following command with the required cipher string, e.g.:
   esxcli system wbem set --ssl-cipher-list=!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:ECDHE+AESGCM:ECDHE+AES

For port 8182 (FDM) on ESXi
1. Connect to the ESXi host using SSH (PuTTY).
2. Take a backup of the /etc/opt/vmware/fdm/fdm.cfg file.
3. Open /etc/opt/vmware/fdm/fdm.cfg in a text editor.
4. Find the line containing <ssl> and add the following line between the <ssl> and </ssl> tags:
   <cipherList>!aNULL:ECDHE+AESGCM:ECDHE+AES</cipherList>
5. For the changes to take effect, restart the vmware-fdm service:
   /etc/init.d/vmware-fdm restart

For port 9080 (iofilterVP) on ESXi
1. Connect to the ESXi host through SSH.
2. Stop iofiltervpd:
   /etc/init.d/iofiltervpd stop
3. Modify the advanced option /UserVars/ESXiVPsAllowedCiphers:
   esxcli system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s !aNULL:ECDHE+AESGCM:ECDHE+AES
4. Start iofiltervpd:
   /etc/init.d/iofiltervpd start
5. Once this is completed, you may need to go to the vSphere Client under Storage Providers and re-register the IOFilterVP.

Notes: If you also want to disable CBC ciphers and use only GCM ciphers, use !aNULL:ECDHE+AESGCM instead of !aNULL:ECDHE+AESGCM:ECDHE+AES. VMware has not tested this specific configuration, and it is recommended to have a backup/restore option available.
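The two things a practitioner wants to verify before touching a host are that the <cipherList> element is placed at the correct point in the rhttpproxy config.xml structure and that the chosen OpenSSL cipher string really excludes static (RSA key-exchange) suites. The following script is an added example written for this page; it is not VMware code. It assumes a constructed, minimal config.xml (the real file has many more elements) and expands cipher strings with the OpenSSL build behind the local Python ssl module, which is not the ESXi host's OpenSSL, so treat its result as a policy check on the string rather than as the host's exact negotiated set.

```python
"""Added example (not VMware's code): place <cipherList> in a rhttpproxy
config.xml and check an OpenSSL cipher string for static-RSA key exchange."""
import re
import ssl
import xml.etree.ElementTree as ET

# Cipher string from the article: no anonymous suites, ECDHE key exchange only.
EPHEMERAL_ONLY = "!aNULL:ECDHE+AESGCM:ECDHE+AES"

# Constructed sample standing in for /etc/vmware/rhttpproxy/config.xml.
# It deliberately has no <cipherList>, so the element must be created.
SAMPLE_CONFIG_XML = """<config>
  <vmacore>
    <ssl>
      <doVersionCheck>false</doVersionCheck>
    </ssl>
  </vmacore>
</config>
"""


def set_cipher_list(config_xml: str, cipher_list: str) -> str:
    """Return config_xml with <config><vmacore><ssl><cipherList> set to cipher_list.

    Missing <vmacore>, <ssl> or <cipherList> elements are created in the right
    place, so the same call works whether the line already exists or not.
    """
    root = ET.fromstring(config_xml)
    if root.tag != "config":
        raise ValueError("expected <config> as the document root")
    node = root
    for tag in ("vmacore", "ssl", "cipherList"):
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    node.text = cipher_list
    return ET.tostring(root, encoding="unicode")


def get_cipher_list(config_xml: str):
    """Read the configured cipherList text, or None when the element is absent."""
    node = ET.fromstring(config_xml).find("vmacore/ssl/cipherList")
    return None if node is None else node.text


def static_kx_ciphers(cipher_string: str):
    """Names of the suites selected by cipher_string whose key exchange is plain
    RSA, i.e. the 'static TLS ciphers' a scanner reports.

    Expansion uses the local OpenSSL via the ssl module; raises ssl.SSLError if
    the string selects no suite at all (a typo would otherwise go unnoticed).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    flagged = []
    for cipher in ctx.get_ciphers():
        # OpenSSL description, e.g.
        # "AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD"
        match = re.search(r"Kx=(\S+)", cipher["description"])
        if match and match.group(1) == "RSA":
            flagged.append(cipher["name"])
    return flagged


if __name__ == "__main__":
    updated = set_cipher_list(SAMPLE_CONFIG_XML, EPHEMERAL_ONLY)
    print(updated)
    print("static-RSA suites in", EPHEMERAL_ONLY, "->", static_kx_ciphers(EPHEMERAL_ONLY))
    print("static-RSA suites in RSA+AESGCM ->", static_kx_ciphers("RSA+AESGCM"))
```

On a host you would run the XML update against a copy of the backed-up config.xml and diff the result before restarting rhttpproxy; the cipher check can be applied to any of the strings on this page, including the sfcb, FDM and iofilterVP values, since they are all OpenSSL cipher strings.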