HAProxy must set the no-sslv3 value on all client ports.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-89211 | VRAU-HA-000460 | SV-99861r1_rule | High |
| Description |
|---|
| Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. |
| STIG | Date |
|---|---|
| VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide | 2018-10-12 |
Details
| Check Text ( C-88903r1_chk ) |
|---|
| At the command prompt, execute the following command: grep -EnR '\bbind\b.*\bssl\b' /etc/haproxy Verify that each returned line contains the no-sslv3 value. If any lines do not have this value, this is a finding. |
| Fix Text (F-95953r1_fix) |
|---|
| Navigate to and open /etc/haproxy/conf.d/30-vro-config.cfg Navigate to and configure the "frontend https-in-vro-config" section with the following value: bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following value: bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 |