A couple of weeks back, I received a question from one of our TAMs regarding automating the disablement of specific TLS/SSL protocols for their ESXi 6.0 Update 3 hosts. As of vSphere 6.0 Update 3 and vSphere 6.5, customers have the ability to completely disable TLS 1.0, TLS 1.1 and SSLv3 using the new TLS Reconfiguration Tool. Mike Foley did a nice write-up here if you are interested in more details.

The TLS Reconfiguration Tool works well if you have the same version of vSphere for both your vCenter Server and ESXi host, but has challenges when you are in a mixed environment like this particular customer. In their environment, they are running vCenter Server 6.5 and ESXi 6.5 Update 3 which prevented them from using the TLS Reconfiguration Tool as this is a limitation with the tool today.

UPDATE (05/11/17) - Added support for ESXi 6.5 hosts as well

Given that the TLS Reconfiguration Tool was written in Python, I was able to take a closer look at its implementation, and I found that the settings controlling the disabled protocols were merely a few ESXi Advanced Settings, which meant this could be automated using the standard vSphere Automation Tools our customers are already familiar with. As part of this exercise, I also discovered that the tool currently does NOT support disabling TLS/SSLv3 protocols for the Small Footprint CIM Broker (SFCB) service, which is also required if you want to be in full compliance for a particular TLS protocol. Although there is no direct SFCB API for managing the sfcb.cfg configuration file, there is still a way to automate this without requiring SSH to the ESXi host, which would technically be the alternative. Lastly, I was a bit surprised to see that the TLS Reconfiguration Tool does not have a "query" option for listing the currently disabled protocols for all ESXi hosts, although it does have one for vCenter Server itself.

To help this particular customer and others who may have specific TLS compliance requirements, I have created the following PowerCLI script called ESXiDisableProtocolConfiguration.ps1 which includes the following two functions:

  • Get-ESXiDPC - Retrieve the current disabled protocols for all ESXi hosts within a vSphere Cluster
  • Set-ESXiDPC - Configure the specific disabled protocols for all ESXi hosts within a vSphere Cluster

This script only works against ESXi hosts running 6.0 Update 3 or 6.5, and there is code to verify this before it performs either the Get or Set operation. If you plan on making changes to the disabled protocols, please treat this like any other change by migrating all VMs off your ESXi host prior to the change. You will also be required to reboot the host for the changes to take effect.

Here is an example of running the Get-ESXiDPC function on a vSphere Cluster consisting of ESXi 6.0 Update 3 hosts:

Get-ESXiDPC -Cluster VSAN-Cluster

The output above is for a stock installation of ESXi 6.0 Update 3 which, by default, has SSLv3 disabled for all services. For the hostd, authd & ioFilterVSANVP services, TLS 1.0, TLS 1.1 & TLS 1.2 are enabled by default. For the sfcbd service, only TLS 1.2 is enabled by default.

Let's say now we want to enable only TLS 1.2 (i.e. disable TLS 1.0, TLS 1.1 & SSLv3) for all services. We can use the Set-ESXiDPC function by running the following command:

Set-ESXiDPC -Cluster VSAN-Cluster -TLS1 $true -TLS1_1 $true -TLS1_2 $false -SSLV3 $true

Note: This function configures the "disabled" protocols, so if you want a given protocol to remain enabled, you will need to pass in a value of $false for it.

If we now re-run our Get operation, we can see that we have completely disabled TLS 1.0, TLS 1.1 & SSLv3, leaving TLS 1.2 as the only enabled protocol.

For the changes to take effect, make sure to reboot your ESXi host.
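As an added example (not the ESXiDisableProtocolConfiguration.ps1 script itself), here is a small PowerCLI audit function that reads the per-service disabled-protocol lists straight from the ESXi Advanced Settings and flags any host/service that still has a protocol enabled that your policy requires disabled. It assumes an existing Connect-VIServer session and that the lists live in the three UserVars advanced settings named in the code (the setting names are an assumption, not taken from this post); sfcbd is not covered here because its configuration lives in sfcb.cfg rather than an advanced setting.

```powershell
# Added example, not part of the original post's script.
# Assumed advanced setting names for ESXi 6.0 Update 3 / 6.5; verify with
# Get-AdvancedSetting -Entity <host> -Name "UserVars.*DisabledProtocols" first.
function Test-ESXiProtocolCompliance {
    param(
        [Parameter(Mandatory)][string]$Cluster,
        # Protocols that must appear in the disabled list of every service
        [string[]]$RequiredDisabled = @("sslv3", "tlsv1", "tlsv1.1")
    )
    # Service name -> advanced setting holding its disabled-protocol list (assumed)
    $settings = @{
        "hostd"          = "UserVars.ESXiRhttpproxyDisabledProtocols"
        "authd"          = "UserVars.VMAuthdDisabledProtocols"
        "ioFilterVSANVP" = "UserVars.ESXiVPsDisabledProtocols"
    }
    foreach ($vmhost in (Get-Cluster -Name $Cluster | Get-VMHost)) {
        foreach ($svc in $settings.Keys) {
            $adv = Get-AdvancedSetting -Entity $vmhost -Name $settings[$svc] -ErrorAction SilentlyContinue
            # The value is a comma-separated list such as "sslv3,tlsv1,tlsv1.1";
            # an empty value means nothing is disabled for that service.
            $disabled = @()
            if ($adv -and $adv.Value) {
                $disabled = $adv.Value.Split(",") | ForEach-Object { $_.Trim().ToLower() }
            }
            $stillEnabled = @($RequiredDisabled | Where-Object { $disabled -notcontains $_ })
            [pscustomobject]@{
                VMHost       = $vmhost.Name
                Service      = $svc
                Disabled     = ($disabled -join ",")
                StillEnabled = ($stillEnabled -join ",")
                Compliant    = ($stillEnabled.Count -eq 0)
            }
        }
    }
}

# Usage: list only the non-compliant host/service pairs in a cluster
# Test-ESXiProtocolCompliance -Cluster VSAN-Cluster | Where-Object { -not $_.Compliant } | Format-Table
```

Because the advanced settings are only read at service start, a host that reports compliant here but has not been rebooted since the change may still accept the older protocols on the wire; an external handshake check against the host is the final confirmation.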

I would like to give a big thanks to Blair Fritz for helping me out with the initial testing of the script. We have also shared all of this feedback with the folks who work on the TLS Reconfiguration Tool, and hopefully we will see these other features implemented in a future update.

8 thoughts on “Auditing & Automating Disabled Protocols (TLS/SSLv3) for ESXi 6.0u3 & 6.5 using PowerCLI”

  1. Want to inform and confirm that disabling TLS has a recommended sequence, i.e. vCenter, ESXi & PSC. So if we disable TLS 1.0 only for ESXi, could that cause some issue?

  2. Hi William,

    Can you provide some additional guidance for a less experienced PowerShell user on how to use/run the script in a different environment?

    Thanks in advance 🙂

  3. I noticed on hosts that I have upgraded from ESXi 6.0 U2 to 6.5d the command does not work correctly.
    It did set the options correctly in uservars.esxirhttpproxy like it should have and I rebooted, but TLS1 and TLSv1.1 were open.

    I verified using openssl s_client -connect localhost:443 -tls1 and openssl s_client -connect localhost:443 -tls1_1

    In order to fix this I had to edit /etc/VMware/rhttpproxy/config.xml and change the ssloptions to 386023424,
    then do /etc/init.d/rhttpproxy restart.

    After testing again, TLSv1 and TLSv1.1 were closed.

  4. Hi William,

    You mentioned the tool does not support disabling TLS/SSLv3 for the sfcb. That is what I can confirm after running a scan against a current 6.5 host. The report complains about the following:

    10.x.x.x:5989 Negotiated with the following insecure cipher suites: TLS 1.0 ciphers:

    Two questions :

    – Do you know if the tool will support disabling TLS/SSLv3 at some date?

    – Running your script against the affected host says it IS disabled?!

    Disabled Protocols on all ESXi hosts:
    vmhost : hostname.domain
    version : 6.5 Update 1
    hostd : sslv3,tlsv1,tlsv1.1
    authd : tlsv1,tlsv1.1,sslv3
    sfcbd : tlsv1,tlsv1.1,sslv3
    ioFilterVSANVP : sslv3,tlsv1,tlsv1.1


Thanks for the comment!