Use the ciphers command of the cell management tool to configure the set of cipher suites that the cell offers to use during the SSL handshake process.
- Create new certificates that do not use any of the disallowed ciphers. You can use cell-management-tool ciphers -a as shown in List All Allowed Ciphers to list all the ciphers that are allowed in the default configuration.
- Use the cell-management-tool certificates command to replace the cell's existing certificates with the new ones.
- Use the cell-management-tool ciphers command to reconfigure the list of allowed ciphers to exclude any ciphers not used by the new certificates. Excluding these ciphers can make it faster to establish an SSL connection to the cell, since the number of ciphers offered during the handshake is reduced to the practical minimum.
Important: Because the VMRC console requires the use of the AES256-SHA and AES128-SHA ciphers, you cannot disallow them if your vCloud Director clients use the VMRC console.
cell-management-tool ciphers options
|Option|Argument|Description|
|---|---|---|
|--help (-h)|None|Provides a summary of available commands in this category.|
|--all-allowed (-a)|None|List all allowed ciphers.|
|--compatible-reset (-c)|None|Reset to the default list of allowed ciphers, and also allow the ciphers used by this cell's certificates.|
|--disallow (-d)|Comma-separated list of cipher names, as published at http://www.openssl.org/docs/apps/ciphers.html|Disallow the ciphers in the specified comma-separated list.|
|--list (-l)|None|List the currently configured ciphers.|
|--reset (-r)|None|Reset to the default list of allowed ciphers. If this cell's certificates use disallowed ciphers, you will not be able to make an SSL connection to the cell until you install new certificates that use an allowed cipher.|
List All Allowed Ciphers
Use the --all-allowed (-a) option to list all the ciphers that the cell is currently allowed to offer during an SSL handshake.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ciphers -a
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Disallow Two Ciphers
Use the --disallow (-d) option to remove one or more ciphers from the list of allowed ciphers. This option requires at least one cipher name. You can supply multiple cipher names in a comma-separated list. You can obtain names for this list from the output of ciphers -a. This example removes two ciphers listed in the previous example.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ciphers -d SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
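The disallow list is easy to get wrong by hand when the `ciphers -a` output is long, and the Important note above means the VMRC-required suites must never end up in it. The following script is an added example, not part of the vCloud Director tooling: it parses the bulleted `ciphers -a` listing, selects the 3DES suites as the ones to drop (the choice of 3DES as "weak" is an assumption you can change), refuses to disallow the JSSE names of AES256-SHA and AES128-SHA, and builds the comma-separated value for `ciphers -d`. The sample listing is constructed from the page's output.

```python
"""Build a `cell-management-tool ciphers -d` argument from `ciphers -a` output.

Added example; it does not call the tool itself, it only prepares its input.
"""
import re

# Constructed sample: an abbreviated `ciphers -a` listing in the page's format.
SAMPLE_OUTPUT = """\
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ciphers -a
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
"""

# JSSE names of the OpenSSL suites AES256-SHA and AES128-SHA, which the page
# says the VMRC console requires. These are never placed in a -d list.
VMRC_REQUIRED = {"TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"}

# Assumption: the suites to retire are the 3DES ones. Widen the pattern if
# your policy retires more; the VMRC guard still applies.
WEAK_PATTERN = re.compile(r"_3DES_")


def parse_allowed(output: str) -> list[str]:
    """Return the cipher names from a bulleted `ciphers -a` listing, in order."""
    return [m.group(1) for m in re.finditer(r"^\*\s+(\S+)\s*$", output, re.M)]


def disallow_list(allowed: list[str], pattern: re.Pattern = WEAK_PATTERN) -> list[str]:
    """Select suites matching `pattern`, always keeping the VMRC-required ones."""
    return [c for c in allowed if pattern.search(c) and c not in VMRC_REQUIRED]


def disallow_argument(output: str, pattern: re.Pattern = WEAK_PATTERN) -> str:
    """Comma-separated value ready for `cell-management-tool ciphers -d`."""
    return ",".join(disallow_list(parse_allowed(output), pattern))


if __name__ == "__main__":
    print(f"./cell-management-tool ciphers -d {disallow_argument(SAMPLE_OUTPUT)}")
```

Run `ciphers -l` afterwards to confirm the resulting configured list still contains the suites your certificates and the VMRC console need.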