Channel: VMware Communities : Discussion List - All Communities

SSL/TLS remediation (ESXi 6.0, vCenter, vSphere Client)


Posting here, since piecing it together was a pain in the neck...


I've been assigned the task of eliminating SSLv3 & TLS 1.0 on servers in my environment, including ESXi & vCenter. Qualys scans revealed vulnerabilities related to SSLv3 on our ESXi hosts and vCenter server.


vCenter vulnerabilities, summarized. Despite using the Nartac Crypto tool to disable SSLv3 and TLSv1 (and rebooting), Qualys still reported the following results...

3  SSL/TLS Server supports TLSv1.0  port 443/tcp over SSL  (QID 38628)
3  SSL/TLS Server supports TLSv1.0  port 8084/tcp over SSL  (QID 38628)
3  SSL/TLS Server supports TLSv1.0  port 9087/tcp over SSL  (QID 38628)
3  SSL/TLS Server supports TLSv1.0  port 9443/tcp over SSL  (QID 38628)
3  SSL/TLS Server supports TLSv1.0  port 11712/tcp over SSL  (QID 38628)
3  SSL/TLS Server supports TLSv1.0  port 636/tcp over SSL  (QID 38628)
3  SSL/TLS Server supports TLSv1.0  port 1514/tcp over SSL  (QID 38628)


ESXi vulnerabilities, summarized.

3  SSL/TLS Server supports TLSv1.0  port 443/tcp over SSL  (QID 38628)
3  SSL/TLS Server supports TLSv1.0  port 5989/tcp over SSL  (QID 38628)


After making the changes on ESXi hosts and vCenter, I couldn't connect the vSphere client to vCenter, and had to dig up the bit for Step 3. I did not find this information consolidated anywhere, and needed to grind through each step, rescanning with Qualys every step of the way. It may all be in one location somewhere already, but if not, here you go...


Required steps


  1. ESXi HOST remediation (https://kb.vmware.com/s/article/2151279)
    1. Edit [HOST]/etc/sfcb/sfcb.cfg to add the following lines
      • enableSSLv3:   false
      • enableTLSv1:   false
      • enableTLSv1_1: false
      • enableTLSv1_2: true
    2. Issue the following command to restart the service and initialize the new TLS config
      • /etc/init.d/sfcbd-watchdog restart
  2. vCenter Server remediation (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-145A078D-2F33-4B39-987C-0F2C91BB23CB.html)
    1. Download & install the TLS Reconfigurator
    2. Browse to the following location
      • C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator
    3. Issue the following command to disable SSLv3, TLSv1 & TLSv1.1
      • reconfigurevc.bat update -p TLSv1.2
  3. vSphere client update to enable TLSv1.2 connections (https://kb.vmware.com/s/article/2149000)
    1. Browse to the following location
      • C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher
    2. Edit VpxClient.exe.config as follows
      • From: <add key="EnableTLS12" value="false" />
      • To: <add key="EnableTLS12" value="true" />
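The three steps above are manual edits followed by a Qualys rescan. The following Python script is an added example (not part of the original post and not a VMware tool) that automates the two parts a practitioner usually wants repeatable: applying the sfcb.cfg settings from step 1 idempotently, and re-checking, per port, which protocol versions a host still negotiates after the change, so the finding list can be closed out without waiting for the next scan cycle. It assumes the "key: value" line format of sfcb.cfg shown in step 1 and the Qualys finding line format quoted in the post; the host name and the sample config content are constructed placeholders.

```python
"""Post-remediation helpers for the TLS hardening steps in the post above.

Added example (not from the original post or from VMware). Assumes the
sfcb.cfg "key: value" line format shown in step 1 and the Qualys finding
line format quoted in the post; hosts and config content are constructed.
"""
import re
import socket
import ssl

# Desired sfcb.cfg settings from step 1 (ESXi host remediation).
SFCB_TLS_SETTINGS = {
    "enableSSLv3": "false",
    "enableTLSv1": "false",
    "enableTLSv1_1": "false",
    "enableTLSv1_2": "true",
}

# Matches lines such as:
#   3  SSL/TLS Server supports TLSv1.0  port 443/tcp over SSL  (QID 38628)
FINDING_RE = re.compile(
    r"^\s*(?P<sev>\d)\s+SSL/TLS Server supports (?P<proto>\S+)\s+"
    r"port (?P<port>\d+)/tcp over SSL\s+\(QID (?P<qid>\d+)\)"
)

# Client-side pins used to test one protocol version at a time.
PROTOCOL_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def update_sfcb_cfg(text, settings=SFCB_TLS_SETTINGS):
    """Return sfcb.cfg content with the TLS keys set to the desired values.

    Existing lines for a managed key are rewritten in place, duplicates are
    dropped (two conflicting entries for one key is a classic way for a
    "fixed" host to keep failing the scan), missing keys are appended, and
    every other line is left untouched. Running it twice changes nothing.
    """
    seen = set()
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:", line)
        key = m.group(1) if m else None
        if key in settings:
            if key not in seen:
                out.append(f"{key}: {settings[key]}")
                seen.add(key)
            continue
        out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key}: {value}")
    return "\n".join(out) + "\n"


def parse_qualys_findings(lines):
    """Turn Qualys summary lines into a sorted list of (port, protocol, QID).

    Lines that do not match the finding format are ignored, so a pasted
    report section can be fed in as-is.
    """
    found = set()
    for line in lines:
        m = FINDING_RE.match(line)
        if m:
            found.add((int(m["port"]), m["proto"], int(m["qid"])))
    return sorted(found)


def probe_tls_versions(host, port, timeout=5.0):
    """Report which of TLS 1.0/1.1/1.2 a server still negotiates on a port.

    Each attempt pins the client to exactly one protocol version; a completed
    handshake means the server accepts it. Certificate validation is disabled
    because only protocol support is being measured. Caveat: an OpenSSL build
    that has dropped TLS 1.0/1.1 cannot offer them, so a False there reflects
    the client, not the server; None marks a version the client cannot pin.
    """
    results = {}
    for name, version in PROTOCOL_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


if __name__ == "__main__":
    # Constructed sample: the two ESXi findings from the post, re-checked
    # against a placeholder host after the sfcb.cfg change.
    findings = parse_qualys_findings([
        "3  SSL/TLS Server supports TLSv1.0  port 443/tcp over SSL (QID 38628)",
        "3  SSL/TLS Server supports TLSv1.0  port 5989/tcp over SSL (QID 38628)",
    ])
    for port, proto, qid in findings:
        print(port, proto, qid, probe_tls_versions("esxi-host.example.invalid", port))
```

After `reconfigurevc.bat` or the sfcbd-watchdog restart, the expected result per finding port is `{"TLSv1.0": False, "TLSv1.1": False, "TLSv1.2": True}`; a port that still returns True for TLSv1.0 is a service the reconfigurator did not cover and needs its own change before the QID 38628 finding will clear.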
