For organizations that mandate specific TLS cipher suites for compliance purposes, you may have used the instructions outlined in this VMware KB 79476 to modify the ESXi Reverse Proxy Configuration File to select the desired supported TLS cipher suites prior to ESXi 8.0 Update 1.
As of ESXi 8.0 Update 1, all configurations, including configuration files, have been migrated to the new ESXi Configuration Store, which was initially introduced back in vSphere 7.0 Update 1 (you can learn more about it HERE and HERE). Additionally, I recently learned from one of our customers, who had inquired about changing the TLS cipher suites for ESXi, that as of vSphere 8.0 Update 1, ESXi now runs two reverse proxies, rhttpproxy and Envoy, with port 443 now owned by the Envoy service, a popular and lightweight reverse proxy.
The implication of this change is that modifying the TLS cipher suites for ESXi as of 8.0 Update 1 now requires the use of the ESXi Configuration Store. Also, with Envoy as the reverse proxy, it is helpful to understand that the set of TLS cipher suites that can be supported is determined by Google's BoringSSL TLS implementation, which Envoy itself consumes.
While investigating this inquiry, I found that you can easily inspect the list of supported TLS cipher suites on a given HTTPS endpoint using the nmap utility.
Pictured above are the default TLS cipher suites returned for an ESXi 8.0 Update 1 host (Build 21495797), which was also confirmed by Engineering: the default TLS 1.2 cipher suites are ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES. In addition, you can find the default TLS ciphers for vSphere 7.x HERE and vSphere 8.x HERE.
Note: The default TLS 1.2 cipher suites for vCenter Server are ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES and can be modified by editing /etc/vmware-rhttpproxy/config.xml, following the previous syntax as outlined in VMware KB 79476.
Disclaimer: If you are going to modify the default TLS cipher suite, make sure to do proper testing and that all tools and solutions can continue to communicate with the ESXi host, as some clients may not support the configured TLS cipher suites.
To configure a specific set of TLS cipher suites, the following instructions can be used:
Step 1 - SSH to the ESXi host and run the following command with the desired TLS cipher suites (note that this overwrites any existing cipher.json, so the file always holds a single valid JSON document):
cat > cipher.json <<EOF
{
  "vmacore": {
    "ssl": {
      "cipher_list": "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-AES256-GCM-SHA384]"
    }
  }
}
EOF
Step 2 - Run the following command and provide the cipher.json file to update the TLS cipher_list property:
configstorecli config current set -c esx -g services -k rhttpproxy -infile cipher.json
Step 3 (Optional) - If the command was successful, we can also check the settings by running the following command:
configstorecli config current get -c esx -g services -k rhttpproxy
Note: The output is blank out of the box on ESXi, as the host is simply using the default TLS cipher suites that have been set up by Envoy.
Step 4 - Restart the ESXi Reverse Proxy service for the change to go into effect:
/etc/init.d/rhttpproxy restart
Step 5 - We can also monitor for any errors such as specifying an invalid TLS cipher suite or typo by tailing the ESXi reverse proxy logs using the following:
tail -f /var/log/rhttpproxy.log
If an invalid TLS cipher suite is used, you will see the following error message:
Rhttpproxy[149871]: --> edge_https_v4: Failed to initialize cipher suites [ECDHE-RSA-WILLIAM-LAM-CIPHER-1024]. The following ciphers were rejected when tried individually: ECDHE-RSA-WILLIAM-LAM-CIPHER-1024
If we now re-run the nmap utility against our ESXi host, we should see that only the configured TLS cipher suites are supported.
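As an added example that is not part of the original post, the following POSIX shell helpers wrap the workflow above: make_cipher_json builds the cipher.json payload in the bracketed form used in Step 1, rejected_ciphers parses rhttpproxy.log for the rejection message shown in Step 5, and apply_cipher_list (a hypothetical helper name) ties them together on the host. It assumes the log wording shown above and, for the case where several suites are rejected at once, that they are listed separated by ':'; the log lines in SAMPLE_LOG are constructed, not real captures.

```shell
#!/bin/sh
# Build the configstorecli payload from one or more cipher suite names.
# Several suites are joined with '|' inside brackets, as in the post's cipher.json.
make_cipher_json() {
    [ "$#" -ge 1 ] || { echo "usage: make_cipher_json SUITE [SUITE...]" >&2; return 1; }
    list=""
    for suite in "$@"; do
        # Suite names are upper-case tokens joined by '-', e.g. ECDHE-RSA-AES128-GCM-SHA256;
        # anything else is almost certainly a typo that rhttpproxy will reject on restart.
        case "$suite" in
            ""|*[!A-Z0-9-]*) echo "suspicious cipher suite name: $suite" >&2; return 1 ;;
        esac
        list="${list:+$list|}$suite"
    done
    printf '{ "vmacore": { "ssl": { "cipher_list": "[%s]" } } }\n' "$list"
}

# Read rhttpproxy.log text on stdin and print each rejected suite on its own line.
# Assumption: multiple rejected suites are separated by ':' after the marker text.
rejected_ciphers() {
    sed -n 's/.*rejected when tried individually: *//p' | tr ':' '\n' | sed '/^$/d'
}

# On the ESXi host only (hypothetical helper): write the payload, load it into the
# configuration store, restart the proxy and report anything it rejected at startup.
apply_cipher_list() {
    make_cipher_json "$@" > /tmp/cipher.json || return 1
    configstorecli config current set -c esx -g services -k rhttpproxy -infile /tmp/cipher.json || return 1
    /etc/init.d/rhttpproxy restart
    sleep 5   # give the proxy a moment to log cipher initialization
    rejected_ciphers < /var/log/rhttpproxy.log
}

# Constructed sample log lines in the shape shown in the post (not real captures).
SAMPLE_LOG='Rhttpproxy[149871]: --> edge_https_v4: Failed to initialize cipher suites [ECDHE-RSA-WILLIAM-LAM-CIPHER-1024]. The following ciphers were rejected when tried individually: ECDHE-RSA-WILLIAM-LAM-CIPHER-1024
Rhttpproxy[149871]: --> edge_https_v4: proxy started'
```

Run make_cipher_json with the desired suites to generate the file for Step 2, or pipe tail output from Step 5 into rejected_ciphers to turn the error line into a plain list of bad names.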
I have already left a note on the existing VMware KB 79476 to see if we can get this additional information updated for those running ESXi 8.0 Update 1 or later.
Zeel says
Want to know if there are any ciphers for port 8182? Tried to check port 8182 but it does not show ciphers; it shows blank for 7.0u3 ESXi. (Any known issue?)
Same command we can use for port 8182.
Regards,
Zeel Mehta