Turn off TLS 1.0 in vSphere 6.5
If your vulnerability scanner is alerting on TLS 1.0 in your vSphere environment, you can easily turn it off with the TLS Configurator Utility.
Except, when I was using it, I ran into a few issues, one of which blew my maintenance window. Thankfully, it was just DR, and I wasn't able to start, so I just had to go back to Change Control and tell them I needed to reschedule.
As always, you need to test this before you put it into prod. If you don't have a lower environment to test on, then at least have a back-out plan.
The TLS Configurator allows you to make an optional backup of your vCenter Server, which you should do.
I’m not going to rewrite the multi-page VMware documentation, just tell you about what VMware was missing:
- Your vCenter will reboot after the change (with your Y/N approval). Pretty much any time you change TLS or SSL (you're not still using SSL, are you?), you'll have to reboot the thing. You can opt out of the reboot, but the changes won't take effect until you do so. I'm actually blown away by how fast the vCenter Server Appliance reboots in 6.5.
- You can do one ESXi host at a time or the whole cluster. I did the cluster. Way faster. Make sure you have a privileged username and password for the TLS Configurator. I used administrator@vsphere.local. Don't put the password in the command after -p, as you will be prompted for it.
- You will need to SSH to the VCSA with the root username and password. If your ESXi hosts are managed by vCenter, you do it all from the VCSA.
- You will need to reboot each ESXi host. This isn't totally clear in the documentation. They talk about doing the cluster or doing a standalone ESXi host, then about a reboot.
- THE BIG ONE: You need the version of the TLS Configurator Utility that matches your build of vSphere. The version numbers probably won't match. My issue was that I used an older one (build number in the 400,000 range) when I was on the latest build of vSphere (1,000,000 range). This created a show-stopping error for me, and I opened a case with support. If you're patched to the latest build, just get the latest TLS Configurator Utility and you're good.
Once I got past the version issue, the rest was fine. It even gives you a before and after status on your vCenter:
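The utility's own status report is useful, but the check that actually closes the scanner finding is whether the endpoints still complete a TLS 1.0 handshake from the outside. The script below is an added example for that, not something from the post or from VMware: it pins the openssl client to TLS 1.0 against each host:port you pass it and reports ACCEPTED, REJECTED or UNKNOWN. It assumes only the openssl CLI; the host names in the usage comment are placeholders, and port 443 is an assumed default (pass host:port for any other service).

```shell
#!/bin/sh
# tls10_check.sh: confirm from the outside that a host no longer accepts TLS 1.0.
# Added example, not from the post or from VMware. It only needs the openssl CLI.
# Host names in the usage line (vcsa.example.local, esx01.example.local) are placeholders.

# Classify raw `openssl s_client -tls1` output.
# A completed handshake prints a real cipher suite after "Cipher is";
# a refused handshake prints "Cipher is (NONE)"; anything else (DNS failure,
# connection refused, timeout) carries neither and is reported as UNKNOWN.
tls10_verdict() {
  out="$1"
  if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo REJECTED
  elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
    echo ACCEPTED
  else
    echo UNKNOWN
  fi
}

# Probe one host:port with the client pinned to TLS 1.0 and print a verdict line.
# -tls1 forces TLS 1.0 only; </dev/null closes stdin so s_client exits after the handshake.
probe_tls10() {
  host="$1"; port="${2:-443}"
  out="$(openssl s_client -connect "$host:$port" -servername "$host" -tls1 </dev/null 2>&1)"
  printf '%s:%s TLS1.0 %s\n' "$host" "$port" "$(tls10_verdict "$out")"
}

# Usage: sh tls10_check.sh vcsa.example.local esx01.example.local:443
# Run it before the change (expect ACCEPTED) and after the reboots (expect REJECTED).
main() {
  for target in "$@"; do
    case "$target" in
      *:*) probe_tls10 "${target%%:*}" "${target##*:}" ;;
      *)   probe_tls10 "$target" 443 ;;
    esac
  done
}

main "$@"
```

Keep the before and after output with the change record: a line that flips from ACCEPTED to REJECTED for every vCenter and ESXi endpoint is the evidence the scanner finding is resolved, and a line that stays UNKNOWN after the reboot means the probe never reached the service and proves nothing either way.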