Sunday, March 15, 2020

vSphere Infra - Disable TLSv1 and TLSv1.1

Below are the methods used in vSphere 6.5 and 6.7.

Disable TLSv1 and TLSv1.1 on vCenter Server Appliance

1) Scan to check the current status

/usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc scan

The scan result shows that TLSv1.0 and TLSv1.1 are still enabled.

2) To enable only TLSv1.2, use the command below.

Note: This is not a live change. This step will restart the vCenter services.

/usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLSv1.2

Once the services are back, a second scan shows only TLSv1.2 enabled.

Disable TLSv1 and TLSv1.1 on ESXi servers

1) On the VCSA appliance, cd to the EsxTlsReconfigurator directory.

cd /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator

You have three options.

a) Run it against an ESXi host / ESXi hosts
b) Run it against a vCenter cluster / vCenter clusters

To run it against a vCenter cluster / vCenter clusters:

./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_vCenter_User -p TLSv1.2

The command supports multiple cluster names in comma-separated format.

To run it against an ESXi host / ESXi hosts:

./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_vCenter_User -p TLSv1.2

The command supports multiple ESXi names / IP addresses in comma-separated format.
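Whichever path you take (reconfigureVc on the appliance or reconfigureEsx against hosts or clusters), you will want an independent check from the network side that TLSv1.0 and TLSv1.1 are really gone. The script below is an added example, not part of this post or of VMware's TlsReconfigurator tooling; it assumes openssl is on PATH and takes the host and port you pass on the command line.

```shell
#!/bin/sh
# Added verification helper (not from the post or VMware's TlsReconfigurator tooling).
# After reconfigureVc / reconfigureEsx, probe a vCenter or ESXi endpoint with
# openssl s_client for each TLS version and flag any legacy version still accepted.
# Assumes openssl is on PATH; host and port come from the command line.

# classify_handshake EXIT_CODE OUTPUT
# Maps one s_client run to a verdict: accepted, refused or unreachable.
classify_handshake() {
  rc=$1; out=$2
  case "$out" in
    *connect:errno*|*"Connection refused"*) echo unreachable; return 0 ;;
    *"Cipher is (NONE)"*) echo refused; return 0 ;;
  esac
  # A completed handshake exits 0 and reports a real cipher suite.
  if [ "$rc" -eq 0 ]; then echo accepted; else echo refused; fi
}

# probe_version HOST PORT FLAG   (FLAG: -tls1, -tls1_1, -tls1_2 or -tls1_3)
probe_version() {
  out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1) && rc=0 || rc=$?
  classify_handshake "$rc" "$out"
}

# audit_host HOST [PORT]: one line per version; exit status 1 if TLSv1.0 or
# TLSv1.1 is still accepted, so it can gate a change ticket or run from cron.
audit_host() {
  host=$1; port=${2:-443}; legacy=0
  for pair in "-tls1:TLSv1.0" "-tls1_1:TLSv1.1" "-tls1_2:TLSv1.2" "-tls1_3:TLSv1.3"; do
    flag=${pair%%:*}; label=${pair#*:}
    verdict=$(probe_version "$host" "$port" "$flag")
    printf '%-8s %-11s %s\n' "$label" "$verdict" "$host:$port"
    case "$label:$verdict" in
      TLSv1.0:accepted|TLSv1.1:accepted) legacy=1 ;;
    esac
  done
  return "$legacy"
}

# Usage: sh tls_audit.sh vcenter.example.local 443
if [ "$#" -gt 0 ]; then
  audit_host "$@"
fi
```

If your own openssl build no longer speaks TLSv1.0 or TLSv1.1, those rows read "refused" regardless of the server, so run the check from a client that can still offer them.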


Also take a look at William's script here. It has two functions that make this much easier, and it can also scan ESXi hosts, which reconfigureEsx does not do natively.
