You can use the TLS Configuration utility to disable TLS versions on an ESXi host. As part of the process, you can either enable both TLS 1.1 and TLS 1.2, or enable only TLS 1.2.
For ESXi hosts, you use a different script than for the other components of your vSphere environment.
Note: The script disables both TLS 1.0 and TLS 1.1 unless you specify the -p option.
To view the TLS versions a host currently accepts, connect to the ESXi host and run openssl commands similar to the following, one per protocol version:
openssl s_client -tls1 -connect localhost:443 | head -5
openssl s_client -tls1_1 -connect localhost:443 | head -5
openssl s_client -tls1_2 -connect localhost:443 | head -5
The CONNECTED line appears whenever the TCP connection succeeds, so it does not by itself mean the version is enabled. A version the host accepts shows the server certificate chain; a version the host rejects shows an SSL handshake failure error instead.
Prerequisites
Ensure that any products or services that connect to the ESXi host can communicate using the TLS versions you are about to leave enabled: TLS 1.1 or TLS 1.2 if you keep both, or TLS 1.2 only if you disable TLS 1.1 as well. Products that communicate only using TLS 1.0 lose connectivity to the host.
This procedure explains how to perform the task on a single host. You can write a script to configure multiple hosts.
Procedure
- Log in to the vCenter Server system with the user name and password of the vCenter Single Sign-On user who can run scripts.
- Go to the directory where the script is located.
OS | Command
Windows | cd ..\EsxTlsReconfigurator
Linux | cd ../EsxTlsReconfigurator
- For hosts that are part of a cluster, run one of the following commands.
- To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on all hosts in a cluster, run the following command.
OS | Command
Windows | reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
Linux | ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
- To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on all hosts in a cluster, run the following command.
OS | Command
Windows | reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
Linux | ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
- For an individual host, run one of the following commands.
- To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on an individual host, run the following command.
OS | Command
Windows | reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.1 TLSv1.2
Linux | ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.1 TLSv1.2
Note: To reconfigure a standalone ESXi host (one that is not managed by a vCenter Server system), use the ESXiHost -h HOST -u ESXi_USER options. For the HOST option, you can specify the IP address or FQDN of a single ESXi host, or a list of host IP addresses or FQDNs. For example, to enable both TLS 1.1 and TLS 1.2 on two ESXi hosts:
reconfigureEsx ESXiHost -h 198.51.100.2 198.51.100.3 -u root -p TLSv1.1 TLSv1.2
- To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on an individual host, run the following command.
OS | Command
Windows | reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.2
Linux | ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u Administrative_User -p TLSv1.2
- Reboot each reconfigured ESXi host to complete the TLS protocol changes, then repeat the openssl checks to confirm that only the intended versions are accepted.
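The openssl checks described earlier, wrapped into a script that covers several hosts at once. This is an added example and is not part of the TLS Configuration utility or of the original page: it probes TLS 1.0, 1.1 and 1.2 on port 443 of every host you name and compares what each host accepts with the protocol list you passed to -p, so you can run it with the intended policy before the change to see exactly what will change, and again after the reboot to confirm the result. The script name check_esx_tls.sh, the host names on its command line, and the two s_client output samples used by the built-in self-check are assumptions; it requires openssl with s_client on the machine you run it from and network reachability to port 443 on the hosts.

```shell
#!/bin/sh
# Added example, not part of VMware's TLS Configuration utility.
# Checks which TLS versions ESXi hosts accept on port 443 and compares
# the answer with the policy given to "reconfigureEsx ... -p".
# Assumes: openssl (with s_client) on PATH; hosts reachable on tcp/443.

# classify_handshake: reads `openssl s_client` output on stdin and prints
# "accepted" if the handshake completed, "rejected" otherwise.
# The CONNECTED line shows up whenever TCP connects, so it is ignored.
# A refused protocol version leaves the session summary reading
# "Cipher is (NONE)"; a completed handshake names a real cipher suite.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q '^New, .*Cipher is '; then
        echo accepted
    else
        echo rejected   # no session summary at all (refused, timeout, ...)
    fi
}

# expect_for VERSION POLICY... : what the host should answer for VERSION
# after "reconfigureEsx ... -p POLICY...". Exact-word comparison, so
# TLSv1 does not match TLSv1.1.
expect_for() {
    v=$1; shift
    for w in "$@"; do
        [ "$w" = "$v" ] && { echo accepted; return 0; }
    done
    echo rejected
}

# probe_tls HOST VERSION : one handshake attempt with the matching
# s_client flag (TLSv1 -> -tls1, TLSv1.1 -> -tls1_1, TLSv1.2 -> -tls1_2).
probe_tls() {
    host=$1; v=$2
    case "$v" in
        TLSv1)   flag=-tls1 ;;
        TLSv1.1) flag=-tls1_1 ;;
        TLSv1.2) flag=-tls1_2 ;;
        *) echo "unknown version $v" >&2; return 2 ;;
    esac
    # stdin from /dev/null so s_client exits right after the handshake
    openssl s_client "$flag" -connect "$host:443" </dev/null 2>&1 | classify_handshake
}

# verify_host HOST POLICY... : probe all three versions and report any
# mismatch against the intended policy. Returns 1 on any mismatch.
verify_host() {
    host=$1; shift
    rc=0
    for v in TLSv1 TLSv1.1 TLSv1.2; do
        got=$(probe_tls "$host" "$v")
        want=$(expect_for "$v" "$@")
        if [ "$got" = "$want" ]; then
            printf '%s %-8s %s\n' "$host" "$v" "$got"
        else
            printf '%s %-8s %s (expected %s)\n' "$host" "$v" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed s_client output samples (not captured from a real host),
# used only to self-check the classifier offline.
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = esxi01.example.test
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'
SAMPLE_FAIL='CONNECTED(00000003)
140735:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

# self_check: returns 0 when the classifier reads both samples correctly.
self_check() {
    [ "$(printf '%s\n' "$SAMPLE_OK" | classify_handshake)" = accepted ] &&
    [ "$(printf '%s\n' "$SAMPLE_FAIL" | classify_handshake)" = rejected ]
}

# Usage: ./check_esx_tls.sh "TLSv1.2" host1 host2 ...
#        ./check_esx_tls.sh "TLSv1.1 TLSv1.2" host1 host2 ...
if [ $# -ge 2 ]; then
    self_check || { echo "classifier self-check failed" >&2; exit 2; }
    policy=$1; shift
    status=0
    for h in "$@"; do
        verify_host "$h" $policy || status=1
    done
    exit $status
fi
```

The exit status is non-zero whenever any host accepts a version the policy should have disabled, or rejects one it should still offer, which makes the script usable as a gate in a change-control pipeline. Run it from the vCenter Server system or any management workstation that can reach the hosts; when run on the ESXi host itself, pass localhost as the host name, as the page's manual commands do.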