Hardening an environment is always a matter of long discussion and in some cases requires a lot of additional advanced configuration in order to meet the "security" standards. If you got here, you are probably dealing with all of this, in particular with TLS protocol hardening. Before starting and getting to the point of this article, I really recommend you read the great VMware documentation you can find here: https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-82028A21-8AB5-4E2E-90B8-A01D1FAD77B1.html
In my case, I had already done the steps needed to disable the TLS 1.0 and 1.1 protocols on my vCenter with Embedded PSC, and now I need to perform the step regarding the ESXi hosts.
I am just pasting here the steps directly from the VMware documentation:
- Ports That Support Disabling TLS Versions: When you run the TLS Configurator utility in the vSphere environment, you can disable TLS across ports that use TLS on vCenter Server, Platform Services Controller, and ESXi hosts. You can disable TLS 1.0 or both TLS 1.0 and TLS 1.1.
- Disabling TLS Versions in vSphere: Disabling TLS versions is a multi-phase process. Disabling TLS versions in the right order ensures that your environment stays up and running during the process.
- Install the TLS Configuration Utility: You can download the TLS Configuration utility from MyVMware.com and install it on your local machine. After installation, two scripts are available. One script is for configuration of vCenter Server and Platform Services Controller, and one script is for ESXi configuration.
- Perform an Optional Manual Backup: The TLS Configuration utility performs a backup each time the script modifies vCenter Server, Platform Services Controller, or vSphere Update Manager. If you need a backup to a specific directory, you can perform a manual backup.
- Disable TLS Versions on vCenter Server Systems: You can use the TLS Configuration utility to disable TLS versions on vCenter Server systems. As part of the process, you can either enable both TLS 1.1 and TLS 1.2, or enable only TLS 1.2.
- Disable TLS Versions on ESXi Hosts: You can use the TLS Configuration utility to disable TLS versions on an ESXi host. As part of the process, you can either enable both TLS 1.1 and TLS 1.2, or enable only TLS 1.2.
- Disable TLS Versions on Platform Services Controller Systems: If your environment includes one or more Platform Services Controller systems, you can use the TLS Configuration utility to change which versions of TLS are supported.
- Revert TLS Configuration Changes: You can use the TLS Configuration utility to revert configuration changes. When you revert the changes, the system enables protocols that you disabled using the TLS Configurator utility.
- Disable TLS Versions on vSphere Update Manager
At this point, I just followed this step in order to disable TLS 1.0 and 1.1 for a cluster (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-BDCE47DD-8AD2-4C98-94FF-7769D0BEE1C2.html) by launching this command:
./reconfigureEsx vCenterCluster -c Cluster_Name -u administrator@vsphere.local -p TLSv1.2
but immediately after that I got the following error:
“EOF occurred in violation of protocol”
By doing some research I found on this Reddit thread a user who had the exact same issue. In the end, the solution for him was to get in touch with support and disable the proxy, if you have one configured, not only in the appliance VAMI but ALSO via SSH, by modifying the file /etc/sysconfig/proxy that stores that configuration. To do that I just opened the file with a text editor, "vi" for example, and edited this line:
PROXY_ENABLED="yes" into PROXY_ENABLED="no"
After that, you must reboot the vCenter to let the changes take effect:
reboot -f
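Two checks are worth having around this procedure: confirming that PROXY_ENABLED is really off in /etc/sysconfig/proxy before re-running reconfigureEsx, and, once the hosts are reconfigured, confirming from the outside that an ESXi host refuses TLS 1.0 and 1.1 and still accepts TLS 1.2. The script below is an added example, not part of the original post or of VMware's utility. The sample proxy file content, the temporary file path and the host name esxi01.example.local are constructed placeholders; openssl s_client is assumed to be available on the machine you run it from.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the two checks
# around disabling TLS 1.0/1.1 on ESXi hosts via the TLS Configurator utility.

# Write a constructed /etc/sysconfig/proxy lookalike to the given path.
# The values are placeholders, not taken from a real appliance.
make_sample_proxy_file() {
    cat > "$1" <<'EOF'
PROXY_ENABLED="yes"
HTTP_PROXY="http://proxy.example.local:3128"
HTTPS_PROXY="http://proxy.example.local:3128"
NO_PROXY="localhost, 127.0.0.1"
EOF
}

# Print "yes" or "no" for PROXY_ENABLED in the given file.
# Everything that is not a letter (straight quotes, or curly quotes that
# crept in through a copy-paste) is stripped before comparing.
proxy_state() {
    val=$(grep '^PROXY_ENABLED=' "$1" | tail -n 1 | cut -d= -f2- \
          | sed 's/[^A-Za-z]//g' | tr 'A-Z' 'a-z')
    case "$val" in
        yes) echo yes ;;
        *)   echo no ;;
    esac
}

# Set PROXY_ENABLED="no" in the given file, keeping a .bak copy beside it.
# Written without sed -i so it behaves the same on GNU and BSD sed.
disable_proxy() {
    cp "$1" "$1.bak"
    sed 's/^PROXY_ENABLED=.*/PROXY_ENABLED="no"/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Probe one TLS version on host:port; prints "accepted" or "refused".
# flag is -tls1, -tls1_1 or -tls1_2. Needs network access to the host, and
# an openssl build that still supports the flag (otherwise the probe fails
# for the wrong reason, so check "openssl s_client -help" first).
probe_tls() {
    if printf '' | openssl s_client -connect "$1:$2" "$3" >/dev/null 2>&1; then
        echo accepted
    else
        echo refused
    fi
}

# Exit 0 only if TLS 1.0 and 1.1 are refused and TLS 1.2 is accepted.
check_host_tls12_only() {
    host="$1"; port="${2:-443}"
    r10=$(probe_tls "$host" "$port" -tls1)
    r11=$(probe_tls "$host" "$port" -tls1_1)
    r12=$(probe_tls "$host" "$port" -tls1_2)
    echo "$host:$port TLS1.0=$r10 TLS1.1=$r11 TLS1.2=$r12"
    [ "$r10" = refused ] && [ "$r11" = refused ] && [ "$r12" = accepted ]
}

# Offline demonstration on a constructed file (no network needed).
demo_file=$(mktemp)
make_sample_proxy_file "$demo_file"
echo "before: PROXY_ENABLED=$(proxy_state "$demo_file")"   # yes
disable_proxy "$demo_file"
echo "after:  PROXY_ENABLED=$(proxy_state "$demo_file")"   # no
rm -f "$demo_file" "$demo_file.bak"

# On the appliance itself you would run:  proxy_state /etc/sysconfig/proxy
# After reconfiguring the hosts:          check_host_tls12_only esxi01.example.local 443
```

Run proxy_state against the real /etc/sysconfig/proxy on the appliance before re-running reconfigureEsx; if it still prints yes, the VAMI change alone did not reach the file. The TLS probe is the defender's confirmation that the reconfiguration actually took effect on port 443 of each host.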