Details
TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 should be enabled on all interfaces and SSLv3, TL 1.1, and 1.0 disabled where supported.
Mandating TLS 1.2 may break third-party integrations and add-ons to vSphere. Test these integrations carefully after implementing TLS 1.2 and roll back where appropriate.
On interfaces where required functionality is broken with TLS 1.2 this finding is not applicable until the third-party software supports TLS 1.2.
Be sure to modify TLS settings in the following order:
1. Platform Services Controllers (if applicable)
2. vCenter
3. ESXi
Solution
From the vSphere Web Client, select the host and click Configure >> System >> Advanced System Settings.
Find the ‘UserVars.ESXiVPsDisabledProtocols’ value and set it to the following:
tlsv1,tlsv1.1,sslv3
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiVPsDisabledProtocols | Set-AdvancedSetting -Value ‘tlsv1,tlsv1.1,sslv3’
A host reboot is required for changes to take effect.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.
References
- 800-53|CM-6b.
- CAT|I
- CCI|CCI-000366
- Rule-ID|SV-239326r674907_rule
- STIG-ID|ESXI-67-000074
- Vuln-ID|V-239326