Saturday, November 19, 2016

PCI DSS / FIPS 140-2 - TLS 1.0 / 1.1 disablement and VMware products

UPDATE - 3/4/2017

With the November 15, 2016 release of vSphere 6.5 and the February 28, 2017 release of vSphere 6.0 Update 3, VMware customers now have the ability to disable TLS 1.0 and TLS 1.1 for the majority of the VMware products they use. There are a few products still being worked on and updates or releases are pending. Specific product status is outlined in kb 2145796 and there is a link to the kb article below.

NOTE: Review the kb articles closely as there are caveats for some products that are still being addressed.

NOTE: If you don't see your product or version listed in the kb article, it is very possible it will not be updated to support TLS 1.0 / 1,1 disablement. You may need to upgrade to a newer version of a product to get support for TLS 1.0 / 1,1 disablement.

TLS 1.0 disablement is critical to pass PCI DSS compliance scans and audits which must be completed by June 30, 2018. In addition to PCI DSS, there are many regulatory bodies, government agencies and company policies which have security and compliance requirements for TLS 1.0 / 1.1 disablement. This includes FIPS 140-2 standard which requires a minimum of TLS 1.1 and recommends TLS 1.2.

Before attempting to disable TLS 1.0 or TLS 1.1, it is critical to review all VMware products along with any third party products you are using, such as backup or monitoring software that talk directly with either vCenter or ESXi hosts, to make sure they continue to function with TLS 1.0 / 1.1 disabled and only TLS 1.2 enabled. It is likely that updates will need to be installed for both VMware and third party products to versions which support TLS 1.0 / 1.1 disablement and utilize TLS 1.2 BEFORE attempting to disable TLS 1.0 or TLS 1.1.

Below are links to the official VMware kb articles and the location where you can download the scripts for either the Windows vCenter or the vCenter Appliance. The scripts are needed to change the TLS Configuration on vCenter, ESXi hosts and VUM. Other VMware products have their own kb article on how to manually change the TLS Configuration.

Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products (2145796)

vSphere 6.5:
Managing TLS protocol configuration for vSphere 6.5 (2147469)

Link to download TLS configuration script for vSphere 6.5:

vSphere 6.0 Update 3:
Managing TLS protocol configuration for vSphere 6.0 Update 3 (2148819)

Link to download TLS configuration script for vSphere 6.0 Update 3: