HAProxy must be configured to use only FIPS 140-2 approved ciphers.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-240065 | VRAU-HA-000210 | SV-240065r879616_rule | Medium |
| Description |
|---|
| Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively. |
| STIG | Date |
|---|---|
| VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide | 2023-09-12 |
Details
| Check Text ( C-43298r665362_chk ) |
|---|
| At the command prompt, execute the following command: grep -E 'bind.*ssl' /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg If the return value for SSL cipher list is not set to "FIPS: +3DES:!aNULL", this is a finding. |
| Fix Text (F-43257r665363_fix) |
|---|
| Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to the frontend section in each file. Configure the bind keyword file with this cipher list: 'FIPS: +3DES:!aNULL' |