Configuring TLS Cipher Suites in ESXi 8.0 Update 1

07.20.2023 by William Lam // 1 Comment

If your organization mandates specific TLS cipher suites for compliance purposes, you may have used the instructions in VMware KB 79476 to modify the ESXi reverse proxy configuration file and select the desired supported TLS cipher suites prior to ESXi 8.0 Update 1.

As of ESXi 8.0 Update 1, all configuration, including configuration files, has been migrated to the new ESXi Configuration Store, which was initially introduced back in vSphere 7.0 Update 1; you can learn more about it HERE and HERE. Additionally, I recently came to learn from one of our customers, who had inquired about changing the TLS cipher suites for ESXi, that as of vSphere 8.0 Update 1 ESXi now runs two reverse proxies, rhttpproxy and Envoy, with port 443 now being owned by the Envoy service, which is a popular and lightweight reverse proxy.

The implication of this change is that modifying the TLS cipher suites for ESXi as of 8.0 Update 1 now requires the use of the ESXi Configuration Store. With Envoy as the reverse proxy, it is also helpful to understand that the set of TLS cipher suites that can be supported is determined by Google's BoringSSL TLS implementation, which Envoy itself consumes.

While investigating this inquiry, I found that you can easily inspect the list of supported TLS cipher suites on a given HTTPS endpoint using the nmap utility.


Pictured above are the default TLS cipher suites returned for an ESXi 8.0 Update 1 host (Build 21495797). Engineering also confirmed that the default TLS 1.2 cipher suites are ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES. In addition, you can find the default TLS ciphers for vSphere 7.x HERE and vSphere 8.x HERE.

Note: The default TLS 1.2 cipher suites for vCenter Server are ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES and can be modified by editing /etc/vmware-rhttpproxy/config.xml, following the previous syntax as outlined in VMware KB 79476.

Disclaimer: If you are going to modify the default TLS cipher suite, make sure to do proper testing and that all tools and solutions can continue to communicate with the ESXi host, as some clients may not support the configured TLS cipher suites.

To configure a specific set of TLS cipher suites, the following instructions can be used:

Step 1 - SSH to the ESXi host and run the following command with the desired TLS cipher suites:

cat > cipher.json <<EOF
{
   "vmacore": {
      "ssl": {
         "cipher_list": "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-AES256-GCM-SHA384]"
      }
   }
}
EOF

Step 2 - Run the following command and provide the cipher.json file to update the TLS cipher_list property:

configstorecli config current set -c esx -g services -k rhttpproxy -infile cipher.json

Step 3 (Optional) - If the command was successful, we can also check the settings by running the following command:

configstorecli config current get -c esx -g services -k rhttpproxy

Note: The output is blank out of the box for ESXi, as it is simply using the default TLS cipher suites that have been set up by Envoy.

Step 4 - Restart the ESXi Reverse Proxy service for the change to go into effect:

/etc/init.d/rhttpproxy restart

Step 5 - We can also monitor for any errors, such as an invalid TLS cipher suite or a typo, by tailing the ESXi reverse proxy log:

tail -f /var/log/rhttpproxy.log

If an invalid TLS cipher suite is used, you will see the following error message:

Rhttpproxy[149871]: --> edge_https_v4: Failed to initialize cipher suites [ECDHE-RSA-WILLIAM-LAM-CIPHER-1024]. The following ciphers were rejected when tried individually: ECDHE-RSA-WILLIAM-LAM-CIPHER-1024

If we now re-run the nmap utility against our ESXi host, we should see that only the configured TLS cipher suites are supported.
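Steps 1 through 5 above plus the nmap re-check, combined into one script as an added example that is not from the post. It assumes it runs on the ESXi host with configstorecli, /etc/init.d/rhttpproxy and /var/log/rhttpproxy.log exactly as shown above, and that nmap's ssl-enum-ciphers script is the check run from a workstation.

```shell
#!/bin/sh
# Added helper (not from the post). Assumes it runs on the ESXi host and that
# configstorecli, /etc/init.d/rhttpproxy and /var/log/rhttpproxy.log exist as shown.

# Step 1: build the cipher.json body from cipher names given as arguments, joined
# with the BoringSSL "[a|b]" equal-preference syntax used in the post.
build_cipher_json() {
    list=""
    for c in "$@"; do
        if [ -z "$list" ]; then list="$c"; else list="$list|$c"; fi
    done
    printf '{\n   "vmacore": {\n      "ssl": {\n         "cipher_list": "[%s]"\n      }\n   }\n}\n' "$list"
}

# Step 5 helpers: read rhttpproxy log text on stdin. Exit 0 if it contains the
# "Failed to initialize cipher suites" message shown in the post, 1 otherwise.
log_has_cipher_error() {
    grep -q 'Failed to initialize cipher suites'
}

# Print the cipher names rhttpproxy rejected, taken from that same log line.
rejected_ciphers() {
    sed -n 's/.*rejected when tried individually: //p'
}

# Steps 1-5 in one go; returns 1 if rhttpproxy rejected the new list.
apply_ciphers() {
    log=/var/log/rhttpproxy.log
    build_cipher_json "$@" > /tmp/cipher.json            # overwrite, never append
    configstorecli config current set -c esx -g services -k rhttpproxy -infile /tmp/cipher.json
    before=$(wc -l < "$log")                            # only inspect lines logged after the restart
    /etc/init.d/rhttpproxy restart
    sleep 5
    if tail -n +"$((before + 1))" "$log" | log_has_cipher_error; then
        echo "rejected ciphers: $(tail -n +"$((before + 1))" "$log" | rejected_ciphers)" >&2
        return 1
    fi
}

# From a workstation with nmap, list the suites the host now offers on 443
# (nmap's ssl-enum-ciphers NSE script; assumed to be the check used in the post).
enum_ciphers() {
    nmap --script ssl-enum-ciphers -p 443 "$1"
}

case "${1:-}" in
    apply) shift; apply_ciphers "$@" ;;
    scan)  enum_ciphers "$2" ;;
esac
```

Run as `sh cipher.sh apply ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384` on the host, then `sh cipher.sh scan <esxi-host>` from a workstation.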


I have already left a note on the existing VMware KB 79476 to see if we can get this additional information updated for those running ESXi 8.0 Update 1 or later.

Categories // Automation, ESXi, Security Tags // Cipher Suite, envoy, ESXi 8.0 Update 1, TLS, TLS 1.2

Comments

  1. Zeel says

    11/07/2023 at 1:15 am

    Want to know if there are any ciphers for port 8182? Tried to check port 8182 but it does not show ciphers, it shows blank for 7.0u3 ESXi. (Any known issue?)
    Same command, we can use port 8182.

    Regards,
    Zeel Mehta
