
Auditing & Automating Disabled Protocols (TLS/SSLv3) for ESXi 6.0u3 & 6.5 using PowerCLI

05.09.2017 by William Lam // 32 Comments

A couple of weeks back, I received a question from one of our TAMs about automating the disablement of specific TLS/SSL protocols for their ESXi 6.0 Update 3 hosts. As of vSphere 6.0 Update 3 and vSphere 6.5, customers can completely disable TLS 1.0, TLS 1.1 and SSLv3 using the new TLS Reconfiguration Tool. Mike Foley did a nice write-up here if you are interested in more details.

The TLS Reconfiguration Tool works well if you have the same version of vSphere for both your vCenter Server and your ESXi hosts, but it has challenges in a mixed environment like this particular customer's. They are running vCenter Server 6.5 and ESXi 6.5 Update 3, which prevented them from using the TLS Reconfiguration Tool, as this is a limitation of the tool today.

UPDATE (05/11/17) - Added support for ESXi 6.5 hosts as well

Given that the TLS Reconfiguration Tool is written in Python, I was able to take a closer look at its implementation. I found that the settings controlling the disabled protocols are merely a few ESXi Advanced Settings, which means this can be automated using the standard vSphere automation tools our customers are already familiar with. As part of this exercise, I also discovered that the tool currently does NOT support disabling TLS/SSLv3 protocols for the Small Footprint CIM Broker (SFCB) service, which is also required if you want to be in full compliance for a particular TLS protocol. Although there is no direct SFCB API for managing the sfcb.cfg configuration file, there is still a way to automate this without requiring SSH to the ESXi host, which would technically be the alternative. Lastly, I was a bit surprised to see that the TLS Reconfiguration Tool does not have a "query" option for listing the currently disabled protocols on all ESXi hosts, although it does have one for vCenter Server itself.

To help this particular customer and others who may have specific TLS compliance requirements, I have created the following PowerCLI script called ESXiDisableProtocolConfiguration.ps1 which includes the following two functions:

  • Get-ESXiDPC - Retrieve the current disabled protocols for all ESXi hosts within a vSphere Cluster
  • Set-ESXiDPC - Configure the specific disabled protocols for all ESXi hosts within a vSphere Cluster

This script only works against ESXi hosts running 6.0 Update 3 or 6.5, and it verifies the version before it performs either the Get or Set operation. If you plan on changing the disabled protocols, treat this like any other change by migrating all VMs off your ESXi host prior to the change. You will also need to reboot the host for the changes to take effect.

Here is an example of running the Get-ESXiDPC function on a vSphere Cluster consisting of ESXi 6.0 Update 3 hosts:

Get-ESXiDPC -Cluster VSAN-Cluster


The output above is for a stock installation of ESXi 6.0 Update 3, which by default has SSLv3 disabled for all services. For the hostd, authd & ioFilterVSANVP services, TLS 1.0, TLS 1.1 & TLS 1.2 are enabled by default. For the sfcbd service, only TLS 1.2 is enabled by default.

Let's say we now want to enable only TLS 1.2 (i.e. disable TLS 1.0, 1.1 & SSLv3) for all services; we can do this with the Set-ESXiDPC function by running the following command:

Set-ESXiDPC -Cluster VSAN-Cluster -TLS1 $true -TLS1_1 $true -TLS1_2 $false -SSLV3 $true


Note: This function configures the "disabled" protocols, so if you want a given protocol to remain enabled, you need to pass in a value of $false for it.
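As an added example (not code from the post's ESXiDisableProtocolConfiguration.ps1 script), the following PowerShell takes the same switches as Set-ESXiDPC ($true means "disable this protocol") and turns them into the two representations an ESXi 6.0 Update 3 / 6.5 host actually consumes, folding in the corrections readers reported in the comments: the advanced-setting tokens are the dotted tlsv1.1 and tlsv1.2, sfcb.cfg carries enable flags (the inverse sense) and must be written one key per line, and an sfcb.cfg with no enable entries means only SSLv3 is disabled. Only UserVars.ESXiVPsDisabledProtocols appears on this page; the other two advanced-setting names and their mapping to the service names Get-ESXiDPC reports are assumptions taken from VMware KB 2151279. The sfcb.cfg lines used as input are constructed, and the PowerCLI function at the end assumes an existing Connect-VIServer session; pushing the sfcb.cfg lines to the host is not shown.

```powershell
# Added example, not the ESXiDisableProtocolConfiguration.ps1 script from the post.
# One set of switches ($true = disable, as in Set-ESXiDPC) becomes:
#   - Advanced Setting value: comma list of protocols to DISABLE, e.g. "sslv3,tlsv1,tlsv1.1"
#   - /etc/sfcb/sfcb.cfg lines: enable* flags (inverse sense), one key per line

function ConvertTo-DisabledProtocolString {
    param([bool]$SSLV3 = $true, [bool]$TLS1 = $true, [bool]$TLS1_1 = $true, [bool]$TLS1_2 = $false)
    $tokens = @()
    if ($SSLV3)  { $tokens += 'sslv3' }
    if ($TLS1)   { $tokens += 'tlsv1' }
    if ($TLS1_1) { $tokens += 'tlsv1.1' }   # dotted form; "tlsv1_1" is not recognised by the host
    if ($TLS1_2) { $tokens += 'tlsv1.2' }
    return ($tokens -join ',')
}

function ConvertTo-SfcbConfigLines {
    param([bool]$SSLV3 = $true, [bool]$TLS1 = $true, [bool]$TLS1_1 = $true, [bool]$TLS1_2 = $false)
    # sfcb.cfg states what to ENABLE, so every switch is inverted. A single-line file is
    # not parsed as separate keys (and breaks host profiles), hence one key per element.
    @(
        "enableSSLv3: $((-not $SSLV3).ToString().ToLower())"
        "enableTLSv1: $((-not $TLS1).ToString().ToLower())"
        "enableTLSv1_1: $((-not $TLS1_1).ToString().ToLower())"
        "enableTLSv1_2: $((-not $TLS1_2).ToString().ToLower())"
    )
}

function Get-SfcbDisabledProtocols {
    # Reads sfcb.cfg text and reports what SFCB will refuse, in the same token
    # vocabulary as the advanced settings so both can be compared side by side.
    param([string[]]$ConfigLines)
    # Defaults when a key is absent (KB 2151279, as quoted in the comments): SSLv3 off, TLS 1.0/1.1/1.2 on.
    $enabled = [ordered]@{ 'sslv3' = $false; 'tlsv1' = $true; 'tlsv1.1' = $true; 'tlsv1.2' = $true }
    $keyMap  = @{ 'enableSSLv3' = 'sslv3'; 'enableTLSv1' = 'tlsv1'; 'enableTLSv1_1' = 'tlsv1.1'; 'enableTLSv1_2' = 'tlsv1.2' }
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*(enable\w+)\s*:\s*(true|false)\s*$') {
            $proto = $keyMap[$Matches[1]]
            if ($proto) { $enabled[$proto] = ($Matches[2] -eq 'true') }
        }
    }
    return @($enabled.Keys | Where-Object { -not $enabled[$_] })
}

# Constructed sfcb.cfg fragments (not captured from a real host).
$sfcbFromHost  = @('enableTLSv1: false', 'enableTLSv1_1: false')   # SSLv3 key absent -> default (disabled)
$sfcbUntouched = @()                                                 # stock file: only SSLv3 disabled
Get-SfcbDisabledProtocols -ConfigLines $sfcbFromHost
Get-SfcbDisabledProtocols -ConfigLines $sfcbUntouched
ConvertTo-DisabledProtocolString -SSLV3 $true -TLS1 $true -TLS1_1 $true -TLS1_2 $false
ConvertTo-SfcbConfigLines        -SSLV3 $true -TLS1 $true -TLS1_1 $true -TLS1_2 $false

# Writing the advanced settings with PowerCLI. Assumes an existing Connect-VIServer session;
# the post's script additionally verifies the host is 6.0 Update 3 or 6.5 before touching it.
# Only UserVars.ESXiVPsDisabledProtocols is named on this page; the other two names and the
# service mapping in the comments are assumptions taken from VMware KB 2151279.
$disabledProtocolSettings = @(
    'UserVars.ESXiRhttpproxyDisabledProtocols'   # hostd (reverse HTTP proxy)
    'UserVars.VMAuthdDisabledProtocols'          # authd
    'UserVars.ESXiVPsDisabledProtocols'          # ioFilterVSANVP
)

function Set-ClusterDisabledProtocols {
    param([Parameter(Mandatory)][string]$Cluster,
          [bool]$SSLV3 = $true, [bool]$TLS1 = $true, [bool]$TLS1_1 = $true, [bool]$TLS1_2 = $false)
    $value = ConvertTo-DisabledProtocolString -SSLV3 $SSLV3 -TLS1 $TLS1 -TLS1_1 $TLS1_1 -TLS1_2 $TLS1_2
    foreach ($vmhost in (Get-Cluster -Name $Cluster | Get-VMHost)) {
        foreach ($name in $disabledProtocolSettings) {
            Get-AdvancedSetting -Entity $vmhost -Name $name |
                Set-AdvancedSetting -Value $value -Confirm:$false | Out-Null
        }
        Write-Output "$($vmhost.Name): $($disabledProtocolSettings.Count) settings set to '$value'; reboot required"
    }
}
```

Get-SfcbDisabledProtocols deliberately returns the same tokens as the advanced settings, so an audit can flag a host where the two mechanisms disagree (for example sfcb.cfg still permitting TLS 1.0 while the advanced settings refuse it, the situation Martin's scan of port 5989 describes).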

If we now re-run our Get operation, we can see that TLS 1.0, 1.1 & SSLv3 are now completely disabled and only TLS 1.2 remains enabled.


For the changes to take effect, make sure to reboot your ESXi host.
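Get-ESXiDPC reports what the host is configured to refuse; after the reboot it is worth confirming from a client what each listener actually negotiates, which is the check several commenters describe with openssl s_client (upgraded hosts in particular have been reported to keep TLS 1.0/1.1 open despite correct advanced settings). The following PowerShell is an added example, not part of the post's script: it performs one handshake per protocol version with .NET's SslStream and closes the connection, probing the ports named on this page (443 for rhttpproxy/hostd, 5989 for sfcbd, 8182 for HA/FDM); port 902 (authd) is not a plain TLS listener and is left out. The host name is a placeholder.

```powershell
# Added example (not part of the post's script): a client-side equivalent of
# "openssl s_client -connect host:443 -tls1" for each protocol version and listener.

function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $accepted = $false
    $detail   = ''
    $client   = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate validation is bypassed on purpose: the question is which protocol
        # version the listener accepts, not whether its certificate chains to a trusted CA.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        try {
            $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
            $accepted = $true
            $detail   = "negotiated $($ssl.SslProtocol)"
        } finally {
            $ssl.Dispose()
        }
    } catch {
        # Either the server refused this version, the port was unreachable, or this client
        # itself cannot offer it (newer Windows/.NET builds disable SSLv3 and TLS 1.0 client-side).
        $detail = $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]@{ Host = $ComputerName; Port = $Port; Protocol = $Protocol; Accepted = $accepted; Detail = $detail }
}

function Get-EsxiTlsPosture {
    param([Parameter(Mandatory)][string]$ComputerName)
    $versions = [ordered]@{
        'SSLv3'  = [System.Security.Authentication.SslProtocols]::Ssl3
        'TLS1.0' = [System.Security.Authentication.SslProtocols]::Tls
        'TLS1.1' = [System.Security.Authentication.SslProtocols]::Tls11
        'TLS1.2' = [System.Security.Authentication.SslProtocols]::Tls12
    }
    # Listeners named on this page; 902 (authd) is not a plain TLS listener and is skipped.
    $listeners = [ordered]@{ 'rhttpproxy/hostd' = 443; 'sfcbd' = 5989; 'HA/FDM' = 8182 }
    foreach ($svc in $listeners.Keys) {
        $port = $listeners[$svc]
        $row  = [ordered]@{ Host = $ComputerName; Service = $svc; Port = $port }
        foreach ($v in $versions.Keys) {
            $row[$v] = (Test-TlsProtocol -ComputerName $ComputerName -Port $port -Protocol $versions[$v]).Accepted
        }
        # If even TLS 1.2 was not accepted, the listener was not reached (or this client cannot
        # talk to it), so the other columns say nothing about hardening.
        $row['Conclusive'] = [bool]$row['TLS1.2']
        [pscustomobject]$row
    }
}

# Placeholder host name; run from a management workstation that is allowed to reach the host.
Get-EsxiTlsPosture -ComputerName 'esxi-host.example.internal' | Format-Table -AutoSize
```

Read a row as hardened only when Conclusive is True and the SSLv3, TLS1.0 and TLS1.1 columns are all False; if the probing workstation has TLS 1.0 disabled on the client side, those columns are False regardless of the host, so run the same probe once against an endpoint known to still accept TLS 1.0 before trusting a negative result.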

I would like to give a big thanks to Blair Fritz for helping me out with the initial testing of the script. We have also shared all this feedback with the folks who work on the TLS Reconfiguration Tool, and hopefully we will see these other features implemented in a future update.


Comments

  1. Kuver says

    05/09/2017 at 7:56 am

    Superb, it saves my time. Thanks for sharing.

    Reply
  2. Kuver says

    05/09/2017 at 8:02 am

    I want to inform and confirm that disabling TLS has a recommended sequence, i.e. vCenter, ESXi & PSC. So if I disable TLS 1.0 only for ESXi, could that cause some issue?

    Reply
    • William Lam says

      05/09/2017 at 8:14 am

      You'll want to follow the recommended sequences as outlined by the VMware KB articles.

      Reply
      • Kuver says

        05/09/2017 at 8:25 am

        Thank you for your reply and I'll keep you updated

        Reply
  3. Daniel says

    05/16/2017 at 4:11 am

    Hi William,

    Can you provide some additional guidance for a less experienced PowerShell user - how to use/run the script in a different environment?

    Thanks in advance 🙂

    Reply
  4. Ryan Lawrence says

    06/21/2017 at 10:05 pm

    I noticed on hosts that I have upgraded from ESXi 6.0 U2 to 6.5d the command does not work correctly.
    It did set the options correctly in uservars.esxirhttpproxy like it should have, and I rebooted, but TLS1 and TLSv1.1 were open.

    I verified using openssl s_client -connect localhost:443 -tls1 and openssl s_client -connect localhost:443 -tls1_1

    In order to fix this I had to edit /etc/VMware/rhttpproxy/config.xml and change the ssloptions to 386023424,
    then do /etc/init.d/rhttpproxy restart

    After testing again, TLSv1 and TLSv1.1 were closed.

    Reply
    • sumeeth mohan says

      12/13/2017 at 2:57 am

      What's the value 386023424? And this is only found in the XML when we upgrade ESXi from 6.0 to 6.5; if it's a fresh install, we don't see this!
      It's confusing!!

      Reply
    • Jeff says

      03/26/2018 at 8:15 am

      Thanks Ryan! Had that issue and your fix resolved the issue.

      Reply
  5. User says

    07/10/2017 at 12:28 am

    Is it possible to disable SSLv3 on ESXi 6.0 U2?

    Reply
  6. Martin says

    08/01/2017 at 11:24 pm

    Hi William,

    you mentioned the tool does not support disabling TLS/SSLv3 for the sfcb. So, that is what I can confirm after running a scan against a current 6.5 host. The report complains about the following:

    10.x.x.x:5989 Negotiated with the following insecure cipher suites: TLS 1.0 ciphers:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

    Two questions:

    - do you know if the tool will support disabling TLS/SSLv3 at some date?

    - running your script against the affected host says it IS disabled?!

    Disabled Protocols on all ESXi hosts:
    vmhost : hostname.domain
    version : 6.5 Update 1
    hostd : sslv3,tlsv1,tlsv1.1
    authd : tlsv1,tlsv1.1,sslv3
    sfcbd : tlsv1,tlsv1.1,sslv3
    ioFilterVSANVP : sslv3,tlsv1,tlsv1.1

    Greetings
    Martin

    Reply
  7. Rich Dowling says

    11/20/2017 at 6:36 am

    Hi William

    I think a couple of lines may be wrong in the script - lines 207 and 208:
    if($TLS1_1) { $tlsString += "tlsv1_1" }
    if($TLS1_2) { $tlsString += "tlsv1_2" }

    It seems to only disable the protocols if they are set to tlsv1.1 and tlsv1.2 not, tlsv1_1 and tlsv1_2

    R.

    Reply
  8. Kuver says

    11/26/2017 at 2:17 am

    Thanks, and I appreciate the correction; after changing tlsv1_1 to tlsv1.1 it works perfectly.

    Reply
  9. Rich Dowling says

    11/29/2017 at 12:57 am

    Hi William, I've found another issue - the sfcb config appears to do the complete opposite of what you specify, as the config file specifies which protocols to enable instead of the ones to disable (i.e. it works the other way around from the advanced settings).

    Reply
  10. Rich Dowling says

    11/29/2017 at 12:58 am

    Oh, and I've submitted a pull request with the amendments https://github.com/lamw/vghetto-scripts/pull/44/files

    Reply
    • William Lam says

      11/29/2017 at 5:30 am

      Rich,

      Thanks for the feedback and sharing the fix. I was told that the configuration file worked the same as the ESXi Advanced Setting, but it sounds like it's the opposite, as both you and Kuver verified. I've gone ahead and accepted the pull request.

      Reply
  11. Gopi says

    02/01/2018 at 12:44 pm

    William, Thanks for the script. But this doesn't cover the HA/FDM port 8182. Any suggestions?

    Reply
    • Rich Dowling says

      03/01/2018 at 2:38 am

      Gopi, to fix port 8182 you need to create a Cluster Advanced Setting "das.config.vmacore.ssl.protocols" with value "tls1.2", and then run a "Reconfigure for HA" on each host

      Reply
  12. Jodi Wood says

    04/15/2018 at 8:18 pm

    I tried the recommended "to fix port 8182 you need to create a Cluster Advanced Setting "das.config.vmacore.ssl.protocols" with value "tls1.2", and then run a "Reconfigure for HA" on each host" and this did not work for me.

    I had to do the following in order to get port 8182 to use only TLS 1.2:
    create a Cluster Advanced Setting "das.config.vmacore.ssl.sslOptions" with value "386023424", then run a "Reconfigure for HA" on each host, and in some cases I had to reboot the host.

    Reply
  13. John Daily says

    05/16/2018 at 7:36 am

    FYI - With the release of 6.5 Update 2, the new TLS Reconfiguration Tool (7766806) now supports mixed 6.0 & 6.5 hosts in the vCenter, but not in the same cluster. It also now controls TLS for sfcb as well.

    Great Script, but when I was running your script to see the result after using the new version of the tool, I noticed that part of your logic was wrong for the sfcbd reporting and updating. From KB 2151279 (https://kb.vmware.com/kb/2151279), for sfcbd it says:
    If no entries are present these are the defaults built into 6.0U3 and 6.5.x.
    enableSSLv3: false
    enableTLSv1: true
    enableTLSv1_1: true
    enableTLSv1_2: true

    But your script reports the default for sfcbd as being disabled for sslv3, v1 & v1.1, instead of just sslv3.

    To fix the report function, you need to change the current line 76 to ($sfcbResults = "sslv3"), remove the current line 79 ($sfcbResults+="sslv3") and then add in this in at current line 74:
    if($line -match "enableSSLv3:") {
        ($key,$value) = $line.Split(":")
        if($value -match "false") {
            $sfcbResults+="sslv3"
        }
        $usingDefault = $false
    }

    To fix the update function, you will need to add this ($line -notmatch "enableSSLv3:" -and ) into the if statement on current line 169 and insert this line ($sfcbResults+="enableSSLv3: " + (!$SSLV3).ToString().ToLower() + "`n") at current line 175.

    P.S. It appears that the comments likes to change any "quotes" to "smart quotes", so if cutting/pasting from comments, you will have to "fix" them before they will work.

    Reply
  14. Scott Elliott says

    05/17/2018 at 11:16 am

    Is there a method to disable 1.0 during a kickstart build?

    Reply
  15. mattisek says

    05/25/2018 at 4:55 am

    Thanks. The script is great and working fine for newly installed hosts. But what is not working is using it on hosts upgraded from earlier versions of ESXi (like 5.5 or 6.0) to 6.5. After upgrading via VUM and running the script, everything looks fine. Get-ESXiDPC reports that TLS 1.0, TLS 1.1 and SSL3 are disabled. However, when validating it via an OpenSSL connection, TLS 1.0 or 1.1 is still open.

    Reply
  16. IvanZito says

    08/29/2018 at 4:04 am

    I could use on vCenter Server:

    C:\Program Files\VMware\vCenter Server\TlsReconfigurator\VcTlsReconfigurator>reconfigureVc update -p TLSv1.0 TLSv1.1 TLSv1.2

    Best Regards

    Reply
  17. Kevin Brüsch says

    10/18/2018 at 12:02 am

    Thanks. But your script puts everything as a one-liner in the sfcb.cfg. As a result you cannot run your script twice. Furthermore, if the file content is a one-liner it isn't supported with our host profiles. I added "'n" in the script to have every setting on its own line.

    Reply
  18. Mike says

    02/19/2019 at 12:26 pm

    Hello,

    What needs to be changed on an ESXi 6.5 host for only TLS 1.2 to be enabled? Can you please help me here.

    Reply
  19. Paul says

    02/28/2019 at 10:23 am

    William, Does this work for 6.7? If not can it be updated? It seems to not be working for me.

    Thanks

    Reply
  20. William Dossett says

    06/06/2019 at 11:14 am

    Thanks William, once again found the best solution in the ghetto. Security team is finally off my back!

    Reply
  21. vinoop says

    08/17/2019 at 2:46 am

    Validating ESXi host: "host1.lab.local".
    Reconfiguring ESXi host: "host1.lab.local".
    Updating ESXi host "host1.lab.local" adavanced option "UserVars.ESXiVPsDisabledProtocols" from "sslv3" to "sslv3,tlsv1,tlsv1.1"
    Removing the tag (if exists) from the reverse HTTP proxy configuration file on ESXi host: "host1.lab.local".
    ESXi host "host1.lab.local" reconfigured successfully. The ESXi host has to be restarted for the new TLS configuration to take effect!

    I can see it's removing the ssloption tag from the rhttpproxy conf file (my ESXi host was upgraded from ESXi 5.5 U3g to ESXi 6.5 U2f; I have noticed that if ESXi 6.5 is a fresh installation this option does not appear).

    I think the above script is not addressing this step. Can you please include it and help me with this? I have to push this conf to more than 2000 hosts.

    Reply
  22. brisketx says

    04/24/2020 at 11:57 am

    Anyone have a way to run on hosts not in a cluster?

    Reply
  23. Felipe says

    05/04/2020 at 1:40 pm

    Like others have asked. Does this work on 6.7? Can we make it work for 6.7?

    Reply
  24. Felipe says

    05/06/2020 at 5:53 am

    I just talked to VMware support and they said that on 6.7 TLS 1.0 and 1.1 are disabled by default. So no need to do this on 6.7.

    Reply
  25. Tony says

    09/30/2020 at 6:09 am

    Any idea how to run this on Auto Deploy hosts with ESXi 6.7?

    Reply
  26. Mehul Raval says

    10/21/2021 at 3:39 pm

    Hi William,
    I am planning to upgrade the current vCenter Servers from v6.5u3 to v7.0u2d and ESXi from v6.5u3 to v6.7u3.

    The question I have is related to TLS v1.2 for vCenter Server v7.0u2d.

    I am running a CRM application which supports TLS v1.1, and for that there are 2 prod CRM servers running on the current ESXi v6.5u3.

    Q. If I upgrade the environment, would TLS v1.2 affect the CRM application? Is it going to break? How about the CRM servers - are they going to stop working?

    I am very confused with this TLS v1.2 and can't figure out what to do.

    I want to know where the impact would be if I upgrade my environment.

    Please help me.

    Thanks
    Mehul

    Reply

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
