You can use the TLS Configuration utility to disable TLS versions on an ESXi host. As part of the process, you can either enable both TLS 1.1 and TLS 1.2, or enable only TLS 1.2.

For ESXi hosts, you use a different script than for the other components of your vSphere environment.

Note: The script disables both TLS 1.0 and TLS 1.1 unless you specify the -p option.

To view which TLS versions an ESXi host currently accepts, connect to the host and run openssl commands similar to the following. A negotiated cipher in the output means that version is still enabled; a handshake failure means it is disabled:

openssl s_client -tls1 -connect localhost:443 | head -5
openssl s_client -tls1_1 -connect localhost:443 | head -5
openssl s_client -tls1_2 -connect localhost:443 | head -5

Prerequisites

Ensure that any products or services associated with the ESXi host can communicate using TLS 1.1 or TLS 1.2. For products that communicate only using TLS 1.0, connectivity is lost.

This procedure explains how to perform the task on a single host. You can write a script to configure multiple hosts.

Procedure

  1. Log in to the vCenter Server system with the user name and password of the vCenter Single Sign-On user who can run scripts.
  2. Go to the directory where the script is located.
    Windows: cd ..\EsxTlsReconfigurator
    Linux:   cd ../EsxTlsReconfigurator
  3. On a host that is part of a cluster, run one of the following commands.
    • To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on all hosts in a cluster, run the following command.
      Windows: reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
      Linux:   ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
    • To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on all hosts in a cluster, run the following command.
      Windows: reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
      Linux:   ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
  4. On an individual host, run one of the following commands.
    • To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on an individual host, run the following command.
      Windows: reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.1 TLSv1.2
      Linux:   ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.1 TLSv1.2
      Note: To reconfigure a standalone ESXi host (one that is not managed by a vCenter Server system), use the ESXiHost subcommand with the -h HOST -u ESXi_USER options. For the HOST option, you can specify the IP address or FQDN of a single ESXi host, or a space-separated list of host IP addresses or FQDNs. For example, to enable both TLS 1.1 and TLS 1.2 on two ESXi hosts:
      reconfigureEsx ESXiHost -h 198.51.100.2 198.51.100.3 -u root -p TLSv1.1 TLSv1.2
    • To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on an individual host, run the following command.
      Windows: reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.2
      Linux:   ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.2
  5. Reboot the ESXi host to complete the TLS protocol changes.
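The openssl checks above and the reconfigureEsx procedure come together in the following added example, which is not part of the VMware TLS Configuration utility: a small POSIX shell audit that probes a host's port 443 for TLS 1.0, 1.1 and 1.2 with openssl s_client and compares the result with the set passed to -p. The host name in the usage comment is a placeholder, and the s_client excerpts are constructed so the classifier can be exercised offline.

```shell
# Added example (not part of the VMware TLS Configuration utility): audit which
# TLS versions an ESXi host still accepts on port 443 using openssl s_client,
# so the reconfigureEsx change can be confirmed after the reboot.

# Classify captured s_client output: "accepted" when a cipher was negotiated,
# "refused" when the server rejected that protocol version.
classify_handshake() {
  case "$1" in
    *"Cipher is (NONE)"*|*"alert protocol version"*|*"wrong version number"*) echo refused ;;
    *"Cipher is "*) echo accepted ;;
    *) echo refused ;;
  esac
}

# Map the version names used with reconfigureEsx -p to s_client flags.
flag_for() {
  case "$1" in TLSv1) echo -tls1 ;; TLSv1.1) echo -tls1_1 ;; TLSv1.2) echo -tls1_2 ;; esac
}

# Expected state of one version given the allowed set, e.g. "TLSv1.1 TLSv1.2".
expected_state() {
  case " $2 " in *" $1 "*) echo accepted ;; *) echo refused ;; esac
}

# Probe one version against HOST:PORT (network call; FLAG is an s_client option).
tls_probe() {
  classify_handshake "$(openssl s_client "$3" -connect "$1:$2" </dev/null 2>&1)"
}

# Compare observed with expected for TLS 1.0, 1.1 and 1.2; returns 1 on any drift.
audit_host() {
  rc=0
  for ver in TLSv1 TLSv1.1 TLSv1.2; do
    got=$(tls_probe "$1" 443 "$(flag_for "$ver")")
    want=$(expected_state "$ver" "$2")
    printf '%s %-7s observed=%s expected=%s\n' "$1" "$ver" "$got" "$want"
    [ "$got" = "$want" ] || rc=1
  done
  return $rc
}

# Constructed s_client excerpts, used only to exercise the classifier offline.
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2'
SAMPLE_REFUSED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)'
# Usage: sh tls_audit.sh esxi01.example.com "TLSv1.2"   (placeholder host name)
if [ -n "$1" ]; then audit_host "$1" "${2:-TLSv1.2}"; fi
```

Run it once before the change to record the baseline and again after the reboot; a non-zero exit means at least one version is not in the state that the -p argument requested.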