Starting in 8.0 Update 3, vSphere supports TLS 1.3 and TLS 1.2 through TLS profiles. A TLS profile bundles the protocol versions, groups (curves), and ciphers into one named, VMware-verified configuration, which simplifies TLS administration and improves supportability.
vSphere 8.0 Update 3 activates the default TLS profile, named COMPATIBLE, on ESXi hosts and vCenter Server. The COMPATIBLE profile supports TLS 1.3 and a subset of TLS 1.2 connections.
You can manage TLS profiles on ESXi hosts either by using vSphere Configuration Profiles or esxcli commands. On vCenter Server, you manage TLS profiles by using the APIs, for example through the Developer Center in the vSphere Client. See vSphere Automation SDKs Programming Guide and vSphere Automation REST API Programming Guide.
vCenter Server and Envoy
vCenter Server runs two reverse proxy services:
- The VMware reverse proxy service, rhttpproxy
- Envoy
Envoy is an open source edge and service proxy. Envoy owns port 443, and all incoming vCenter Server requests are routed through Envoy. The rhttpproxy service serves as a configuration management server for Envoy. As a result, the TLS configuration is applied to rhttpproxy, which in turn pushes the configuration to Envoy.
How vSphere Implements TLS Using TLS Profiles
vSphere 8.0 Update 3 implements TLS 1.3 by grouping parameters, including protocol versions, groups (also called curves), and ciphers, into a single TLS profile that is applied system-wide. Using a single TLS profile reduces the administrative overhead of your hosts: you no longer need to configure individual TLS parameters by hand, although that capability is still available through the MANUAL profile if required. TLS profiles also significantly improve supportability, because the grouping of parameters narrows the choice to a small set of VMware-verified TLS configurations. On ESXi, TLS profiles are integrated with vSphere Configuration Profiles.
The following ESXi TLS profiles are provided:
- COMPATIBLE: The default profile. The exact mapping of the parameters in this profile can change from release to release, but the profile is guaranteed to be compatible with all supported products and versions (currently N-2 versions). That is, an ESXi host from release N using the COMPATIBLE profile can communicate with a host from release N-2.
- NIST_2024: A more restrictive profile that specifically supports the NIST 2024 standard. The exact mapping of parameters in this profile is guaranteed to satisfy the NIST 2024 standard across releases. This profile is guaranteed to be compatible only with current or newer releases, not with older releases.
- MANUAL: Use this profile to create and test an ad hoc configuration in which you supply the TLS parameters yourself. A MANUAL profile is not guaranteed to function error-free; you must test it, including across software upgrades. When you select the MANUAL profile, the system first behaves according to the profile previously selected (COMPATIBLE or NIST_2024), and keeps doing so until you change a parameter. You must use esxcli commands to manage the MANUAL TLS profile. See the help text that ships with esxcli for more information about changing the parameters in a MANUAL TLS profile.
After you change the TLS profile, you must reboot the ESXi host, or remediate the vLCM cluster in which the ESXi host resides, for the change to take effect.
The following tables show the details of TLS profiles for ESXi and vCenter Server in vSphere 8.0 Update 3. The Cipher List column shows the ciphers for TLS 1.2 and earlier protocols, expressed as OpenSSL cipher-string aliases (for example, ECDHE+AESGCM means the suites that use both ECDHE key exchange and AES-GCM). The Cipher Suites column shows the cipher suites for TLS 1.3.
TLS Profile Name | TLS Protocol Versions | Cipher List | Cipher Suites | Curves | VMware Supported? |
---|---|---|---|---|---|
COMPATIBLE | TLS 1.3 and TLS 1.2 | ECDHE+AESGCM:ECDHE+AES | TLS_AES_256_GCM_SHA384; TLS_AES_128_GCM_SHA256 | prime256v1:secp384r1:secp521r1 | Yes |
NIST_2024 | TLS 1.3 and TLS 1.2 | ECDHE+AESGCM | TLS_AES_256_GCM_SHA384; TLS_AES_128_GCM_SHA256 | prime256v1:secp384r1:secp521r1 | Yes |
MANUAL | Any | Any | Any | Any | No |
Notes:
- The listed settings (protocols, cipher list, cipher suites, and curves) are the maximum that a profile supports; a given connection can use a subset of them.
- The NIST_2024 profile applies to inbound connections only.
- The BoringSSL cryptographic module used in vSphere 8.0 Update 3 has not yet reached FIPS certification for TLS 1.3. As a result, on both ESXi and vCenter Server, port 443 (reverse proxy) communicates using TLS 1.2. The COMPATIBLE and NIST_2024 TLS profiles do not use non-FIPS TLS 1.3.
The following vCenter Server TLS profiles are provided:
- COMPATIBLE: The default profile. The exact mapping of the parameters in this profile can change from release to release, but the profile is guaranteed to be compatible with all supported products and versions (currently N-2 versions).
- NIST_2024: A more restrictive profile that specifically supports the NIST 2024 standard. The exact mapping of parameters in this profile is guaranteed to satisfy the NIST 2024 standard across releases. This profile is guaranteed to be compatible only with current or newer releases, not with older releases.
- COMPATIBLE-NON-FIPS: A modified COMPATIBLE profile that allows a non-FIPS TLS 1.3 connection from the Envoy proxy. FIPS is not enabled.
In the following table, each profile has one row for TLS 1.3 (cipher suites) and one row for TLS 1.2 (cipher list). The Curves, FIPS Enabled?, and VMware Supported? values are given on the profile's TLS 1.3 row and apply to the profile as a whole.
TLS Profile Name | TLS Protocol Version | Cipher Suites / Cipher List | Curves | FIPS Enabled? | VMware Supported? |
---|---|---|---|---|---|
COMPATIBLE | TLS 1.3 | TLS_AES_256_GCM_SHA384; TLS_AES_128_GCM_SHA256 | prime256v1:secp384r1:secp521r1 | Yes | Yes |
COMPATIBLE | TLS 1.2 | ECDHE-RSA-AES256-GCM-SHA384; ECDHE-RSA-AES128-GCM-SHA256; ECDHE-ECDSA-AES256-GCM-SHA384; ECDHE-ECDSA-AES128-GCM-SHA256; AES256-GCM-SHA384; AES128-GCM-SHA256; ECDHE-RSA-AES256-SHA; ECDHE-RSA-AES128-SHA; ECDHE-ECDSA-AES256-SHA; ECDHE-ECDSA-AES128-SHA; AES256-SHA; AES128-SHA | | | |
NIST_2024 | TLS 1.3 | TLS_AES_256_GCM_SHA384; TLS_AES_128_GCM_SHA256 | prime256v1:secp384r1:secp521r1 | Yes | Yes |
NIST_2024 | TLS 1.2 | ECDHE-RSA-AES256-GCM-SHA384; ECDHE-RSA-AES128-GCM-SHA256; ECDHE-ECDSA-AES256-GCM-SHA384; ECDHE-ECDSA-AES128-GCM-SHA256 | | | |
COMPATIBLE-NON-FIPS | TLS 1.3 | TLS_AES_256_GCM_SHA384; TLS_AES_128_GCM_SHA256 | prime256v1:secp384r1:secp521r1 | No | Yes |
COMPATIBLE-NON-FIPS | TLS 1.2 | ECDHE-RSA-AES256-GCM-SHA384; ECDHE-RSA-AES128-GCM-SHA256; ECDHE-ECDSA-AES256-GCM-SHA384; ECDHE-ECDSA-AES128-GCM-SHA256; AES256-GCM-SHA384; AES128-GCM-SHA256; ECDHE-RSA-AES256-SHA; ECDHE-RSA-AES128-SHA; ECDHE-ECDSA-AES256-SHA; ECDHE-ECDSA-AES128-SHA; AES256-SHA; AES128-SHA | | | |
TLS and Inbound and Outbound Connections in ESXi and vCenter Server
ESXi 8.0 Update 3 supports TLS 1.3 on both inbound (server) and outbound (client) connections. The inbound (server) connections are the ones that matter most from a hardening standpoint, and they are where the more restrictive NIST_2024 profile applies.
For ESXi, you can use the COMPATIBLE, NIST_2024, and MANUAL profiles on inbound (server) connections. You can use only the COMPATIBLE and MANUAL profiles on outbound (client) connections.
vCenter Server TLS profiles apply their settings to both inbound and outbound connections.
Some vSphere services expose ports that accept TLS connections directly, while most services sit behind the reverse proxy. All inbound connections accept TLS 1.2 and TLS 1.3 by default. Currently, port 443 (reverse proxy) has TLS 1.3 disabled and communicates using TLS 1.2. Outbound connections support TLS 1.2 and TLS 1.3. For more information, see TLS 1.3 on Port 443 in ESXi and FIPS.
TLS and Lifecycle Management
Upgrading or migrating an ESXi host or vCenter Server to 8.0 Update 3 enables the COMPATIBLE TLS profile by default. Out of the box, vSphere 8.0 Update 3 supports TLS 1.3, plus TLS 1.2 for baseline interoperability. In the future, upgrading to a later version of ESXi or vCenter Server retains the TLS profile currently in use, as long as that profile has not been retired.
As a recommended best practice, set the TLS profile to COMPATIBLE before upgrading to a new version.
If you made local service-level TLS edits before upgrading to vSphere 8.0 Update 3, the host is assigned the COMPATIBLE profile after the upgrade, and that profile does not reflect those edits. To have the host reflect them again, switch to the MANUAL profile. See Change the TLS Profile of an ESXi Host Using the vSphere Client or Change the TLS Profile of an ESXi Host Using the CLI.
TLS 1.3 on Port 443 in ESXi and FIPS
Currently, vSphere disables TLS 1.3 on port 443. The version of the BoringSSL cryptographic module used in vSphere 8.0 Update 3 is not FIPS certified for TLS 1.3. When you use the COMPATIBLE or NIST_2024 TLS profile, all ports except 443 communicate using TLS 1.3. For now, because of this limitation, port 443 uses TLS 1.2.
To enable non-FIPS TLS 1.3 on port 443, see the VMware knowledge base article at https://kb.vmware.com/s/article/92473.
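Two checks a practitioner typically wants after reading the profile tables and the port 443 note above: what concrete TLS 1.2 suites an OpenSSL cipher-string alias such as ECDHE+AESGCM:ECDHE+AES actually admits (and which of them are non-AEAD or lack forward secrecy), and which TLS versions a given host port really negotiates (for example, that port 443 answers with TLS 1.2 only while other TLS ports also accept TLS 1.3). The following script is an added example, not VMware code, and uses only the Python standard library. It resolves cipher strings through the OpenSSL build linked into the local Python, so the exact suite names it prints reflect that build rather than BoringSSL on ESXi; the host and port are whatever you pass on the command line, and `tls_profile_check.py` is an assumed file name.

```python
"""Expand and audit the cipher lists from the vSphere TLS profile tables,
and probe which TLS versions a host port negotiates.

Added example (not VMware code). Standard library only.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Cipher-list strings exactly as printed in the ESXi profile table above.
PROFILE_CIPHER_LISTS = {
    "COMPATIBLE": "ECDHE+AESGCM:ECDHE+AES",
    "NIST_2024": "ECDHE+AESGCM",
}


def expand_cipher_list(spec: str) -> List[str]:
    """Concrete TLS 1.2-and-below suite names that an OpenSSL cipher string
    admits, as resolved by the OpenSSL build linked into this Python.

    set_ciphers() only governs TLS 1.2 and below; get_ciphers() also lists
    the TLS 1.3 suites, so those are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def classify_suite(name: str) -> List[str]:
    """Properties of a TLS 1.2 suite name that a profile review cares about.
    Works on OpenSSL-style names such as ECDHE-RSA-AES256-SHA."""
    issues = []
    if not name.startswith(("ECDHE-", "DHE-")):
        issues.append("no forward secrecy (static RSA key exchange)")
    if not any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        issues.append("not AEAD (CBC mode with HMAC)")
    if name.endswith("-SHA"):
        issues.append("SHA-1 HMAC")
    return issues


def audit_cipher_list(spec: str) -> Dict[str, object]:
    """Expand a cipher string and report every suite with a flagged property."""
    suites = expand_cipher_list(spec)
    flagged = {s: issues for s in suites if (issues := classify_suite(s))}
    return {"suites": suites, "flagged": flagged}


def negotiate(host: str, port: int,
              minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
              maximum: ssl.TLSVersion = ssl.TLSVersion.MAXIMUM_SUPPORTED,
              timeout: float = 5.0) -> Tuple[str, str]:
    """Complete one handshake and return (protocol version, cipher name).

    Certificate validation is disabled on purpose: the goal is to observe the
    parameters the server selects, not to authenticate it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def version_support(host: str, port: int) -> Dict[str, Optional[str]]:
    """Cipher negotiated when the client offers only TLS 1.2, then only TLS 1.3
    (None if the server refuses that version). Per the note above, on 8.0 U3
    with COMPATIBLE or NIST_2024, port 443 should answer TLS 1.2 only, while
    the other TLS ports should also accept TLS 1.3."""
    result = {}
    for label, version in (("TLSv1.2", ssl.TLSVersion.TLSv1_2),
                           ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        try:
            result[label] = negotiate(host, port, minimum=version, maximum=version)[1]
        except (ssl.SSLError, OSError):
            result[label] = None
    return result


if __name__ == "__main__":
    import sys
    for profile, spec in PROFILE_CIPHER_LISTS.items():
        report = audit_cipher_list(spec)
        print(f"{profile}: {spec} -> {len(report['suites'])} TLS 1.2 suites")
        for name, issues in report["flagged"].items():
            print(f"  {name}: {', '.join(issues)}")
    if len(sys.argv) == 3:  # e.g. python tls_profile_check.py esxi01.example.com 443
        print(version_support(sys.argv[1], int(sys.argv[2])))
```

Run without arguments to see that NIST_2024's ECDHE+AESGCM expands only to forward-secret AEAD suites, while COMPATIBLE's additional ECDHE+AES term pulls in the CBC-with-SHA-1 suites that the vCenter table lists (ECDHE-RSA-AES256-SHA and friends). With a host and port, the probe reports what each TLS version negotiates; a `None` under TLSv1.3 for port 443 is the expected result on 8.0 Update 3 until the non-FIPS TLS 1.3 setting from the knowledge base article is applied, and a surprise on any other port is worth a look before and after switching profiles.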