Use the ciphers command of the cell management tool to configure the set of cipher suites that the cell offers to use during the SSL handshake process.
When a client makes an SSL connection to a VMware Cloud Director cell, the cell offers to use only those ciphers that are configured on its default list of allowed ciphers. Several ciphers are not on this list, either because they are not strong enough to secure the connection, or because they are known to contribute to SSL connection failures.
- Create certificates that do not use any of the disallowed ciphers. You can use cell-management-tool ciphers -a as shown in the example below to list all the ciphers that are allowed in the default configuration.
- Use the cell-management-tool certificates command to replace the cell's existing certificates with the new ones.
- Use the cell-management-tool ciphers command to reconfigure the list of allowed ciphers and to include all necessary ciphers for use with the new certificates.
Important: Because the VMRC console requires the use of the AES256-SHA and AES128-SHA ciphers, you cannot disallow them if your VMware Cloud Director clients use the VMRC console.
cell-management-tool ciphers options
Option | Argument | Description |
---|---|---|
--help (-h) | None | Provides a summary of available commands in this category. |
--all-allowed (-a) | None | Lists all ciphers that VMware Cloud Director supports. |
--compatible-reset (-c) (Deprecated) | None | Deprecated. Use the --reset option to reset to the default list of allowed ciphers. |
--disallow (-d) | Comma-separated list of cipher names | Disallows the ciphers in the specified comma-separated list. Every time you run this option, you must include the full list of ciphers you want to deactivate, because running the option overwrites the previous setting. Important: Running the option without any values activates all ciphers. To view all possible ciphers, run the -a option. Important: You must restart the cell after running ciphers --disallow. |
--list (-l) | None | Lists the set of allowed ciphers that are currently in use. |
--reset (-r) | None | Resets to the default list of allowed ciphers. If this cell's certificates use disallowed ciphers, you cannot make an SSL connection to the cell until you install new certificates that use an allowed cipher. Important: You must restart the cell after running ciphers --reset. |
Disallow Two Ciphers
VMware Cloud Director includes a preconfigured list of enabled ciphers.
This example shows how to enable additional ciphers from the list of allowed ciphers and how to disallow ciphers that you don't want to use.
- Obtain the list of the ciphers that are enabled by default.

  ```
  [root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ciphers -l
  ```

  The output of the command returns the list of enabled ciphers.

  ```
  Allowed ciphers:
   * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
   * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  ```

- Obtain a list of all the ciphers that the cell can offer during an SSL handshake.

  ```
  [root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ciphers -a
  ```

  The output of the command returns the list of allowed ciphers.

  ```
  Product default ciphers:
   * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
   * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
   * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
   * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
   * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
   * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
   * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
   * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
   * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
   * TLS_RSA_WITH_AES_256_GCM_SHA384
   * TLS_RSA_WITH_AES_128_GCM_SHA256
   * TLS_RSA_WITH_AES_256_CBC_SHA256
   * TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
   * TLS_RSA_WITH_AES_256_CBC_SHA
   * TLS_RSA_WITH_AES_128_CBC_SHA256
   * TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
   * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
   * TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
   * TLS_RSA_WITH_AES_128_CBC_SHA
  ```

- Specify which ciphers to deactivate.

  Because this option overwrites the previous setting, any cipher that you do not explicitly list becomes activated.

  ```
  [root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ciphers -d TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  ```

- Run the command to check the list of activated ciphers. Any cipher that is absent from the list is deactivated.

  ```
  root@bos1-vcd-static-211-90 [ /opt/vmware/vcloud-director/bin ]# ./cell-management-tool ciphers -l
  ```

  The output returns a list of all the ciphers that are now enabled.

  ```
  Allowed ciphers:
   * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
   * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
   * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
   * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
   * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
   * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
   * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
   * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
   * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
   * TLS_RSA_WITH_AES_256_GCM_SHA384
   * TLS_RSA_WITH_AES_128_GCM_SHA256
   * TLS_RSA_WITH_AES_256_CBC_SHA256
   * TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
   * TLS_RSA_WITH_AES_256_CBC_SHA
   * TLS_RSA_WITH_AES_128_CBC_SHA256
   * TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
   * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  ```
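The option table notes that `ciphers -d` overwrites the previous setting, so every run has to carry the complete set of ciphers that should stay disabled, and the note above the table says the VMRC console needs AES256-SHA and AES128-SHA. The following Python script is an added example, not part of the VMware documentation or of the cell-management-tool itself. It parses the text that `ciphers -a` and `ciphers -l` print (the sample output below is constructed from the listings on this page), derives which ciphers were disallowed on earlier runs, merges in the new ones, and refuses to produce a list that would disable the VMRC suites. The IANA names used for those suites, `TLS_RSA_WITH_AES_256_CBC_SHA` and `TLS_RSA_WITH_AES_128_CBC_SHA`, are the standard equivalents of OpenSSL's `AES256-SHA` and `AES128-SHA`; the function names and the `vmrc_in_use` flag are this example's own. The script never runs the tool; it only prints the command to run.

```python
"""Build the full --disallow argument for cell-management-tool ciphers.

Added example, not VMware code. `ciphers -d` replaces the previous disallow
list rather than appending to it, so the operator must re-supply every cipher
that should remain disabled. This helper derives that list from captured
`ciphers -a` (everything the cell can offer) and `ciphers -l` (currently
enabled) output and guards the suites the VMRC console requires.
"""
import re

# IANA names of OpenSSL's AES256-SHA and AES128-SHA, which the VMRC console
# requires (assumed mapping; see the note above the option table).
VMRC_REQUIRED = frozenset({
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
})

# Matches one cipher name; the tool prints one " * NAME" bullet per cipher,
# but matching names directly also copes with output pasted onto one line.
CIPHER_NAME = re.compile(r"\bTLS_[A-Z0-9_]+\b")


def parse_ciphers(output):
    """Return the cipher names found in tool output, first-seen order, no duplicates."""
    names = []
    for name in CIPHER_NAME.findall(output):
        if name not in names:
            names.append(name)
    return names


def build_disallow_list(all_output, current_output, new_disallow, vmrc_in_use=True):
    """Compute the names to pass to `ciphers -d`, in `ciphers -a` order.

    all_output     -- text printed by `ciphers -a`
    current_output -- text printed by `ciphers -l`
    new_disallow   -- iterable of additional cipher names to disable
    vmrc_in_use    -- refuse to disable the VMRC suites when True
    """
    offered = parse_ciphers(all_output)
    enabled = set(parse_ciphers(current_output))
    requested = set(new_disallow)

    unknown = requested - set(offered)
    if unknown:
        raise ValueError("not offered by this cell: " + ", ".join(sorted(unknown)))

    # Names present in -a but absent from -l were disallowed earlier; they must
    # be re-supplied, otherwise the new -d run silently re-enables them.
    already_disallowed = set(offered) - enabled
    full = already_disallowed | requested

    blocked = full & VMRC_REQUIRED
    if vmrc_in_use and blocked:
        raise ValueError("VMRC console requires: " + ", ".join(sorted(blocked)))
    return [name for name in offered if name in full]


def disallow_command(names):
    """Render the command to run on the cell; restart the cell afterwards."""
    return "./cell-management-tool ciphers -d " + ",".join(names)


# Constructed sample: the `ciphers -a` listing shown on this page.
ALL_OUTPUT = """Product default ciphers:
 * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 * TLS_RSA_WITH_AES_256_GCM_SHA384
 * TLS_RSA_WITH_AES_128_GCM_SHA256
 * TLS_RSA_WITH_AES_256_CBC_SHA256
 * TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
 * TLS_RSA_WITH_AES_256_CBC_SHA
 * TLS_RSA_WITH_AES_128_CBC_SHA256
 * TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
 * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
 * TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
 * TLS_RSA_WITH_AES_128_CBC_SHA
"""

# Constructed sample: `ciphers -l` output after the page's example disallowed two suites.
CURRENT_OUTPUT = "Allowed ciphers:\n" + "\n".join(
    " * " + c for c in parse_ciphers(ALL_OUTPUT)
    if c not in {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"})

if __name__ == "__main__":
    extra = ["TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"]
    try:
        build_disallow_list(ALL_OUTPUT, CURRENT_OUTPUT, extra)
    except ValueError as exc:
        print("refused:", exc)  # AES128-SHA is already disallowed in the sample state
    print(disallow_command(
        build_disallow_list(ALL_OUTPUT, CURRENT_OUTPUT, extra, vmrc_in_use=False)))
```

Run it on the cell after capturing the two listings, copy the printed `-d` command, and restart the cell afterwards as the option table requires. With the sample state, the default call refuses because the page's own example already removed `TLS_RSA_WITH_AES_128_CBC_SHA` (AES128-SHA), which is exactly the situation the Important note warns about for VMRC users; pass `vmrc_in_use=False` only when no client uses the VMRC console.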