UCF STIG Viewer Logo

HAProxy must be configured to use only FIPS 140-2 approved ciphers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-89167 VRAU-HA-000210 SV-99817r1_rule Medium
Description
Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.
STIG Date
VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide 2018-10-12

Details

Check Text ( C-88859r1_chk )
At the command prompt, execute the following command:

grep -E 'bind.*ssl' /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg

If the return value for SSL cipher list is not set to "FIPS: +3DES:!aNULL", this is a finding.
Fix Text (F-95909r2_fix)
Navigate to and open the following files:

/etc/haproxy/conf.d/30-vro-config.cfg
/etc/haproxy/conf.d/20-vcac.cfg

Navigate to the frontend section in each file.

Configure the bind keyword file with this cipher list:

'FIPS: +3DES:!aNULL'