The NSX-T Manager must disable TLS 1.1 and enable TLS 1.2.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251798	TNDM-3X-000101	SV-251798r879588_rule		Medium

Description
TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 must be enabled on all interfaces and TLS 1.1 and 1.0 disabled where supported.

STIG	Date
VMware NSX-T Manager NDM Security Technical Implementation Guide	2023-06-22

Details

Check Text ( C-55258r810395_chk )
Viewing TLS protocol enablement must be done via the API. Execute the following API call using curl or another REST API client: GET https:///api/v1/cluster/api-service Expected result: "protocol_versions": [ { "name": "TLSv1.1", "enabled": false }, { "name": "TLSv1.2", "enabled": true } ], If TLS 1.1 is enabled, this is a finding.

Fix Text (F-55212r810396_fix)
Capture the output from the check GET command and update the TLS 1.1 protocol to false. Execute the following API call using curl or another REST API client: PUT https:///api/v1/cluster/api-service Example request body: { "global_api_concurrency_limit": 199, "client_api_rate_limit": 100, "client_api_concurrency_limit": 40, "connection_timeout": 30, "redirect_host": "", "cipher_suites": [ {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}, {"enabled": true, "name": "TLS_RSA_WITH_AES_256_GCM_SHA384"}, {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}, {"enabled": true, "name": "TLS_RSA_WITH_AES_128_GCM_SHA256"} {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384}", {"enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA256"}, {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}, {"enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA"}, {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}, {"enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA256"}, {"enabled": false, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}, {"enabled": false, "name": "TLS_RSA_WITH_AES_128_CBC_SHA"} ], "protocol_versions": [ {"enabled": false, "name": "TLSv1.1"}, {"enabled": true, "name": "TLSv1.2"} ] } Note: Changes are applied to all nodes in the cluster. The API service on each node will restart after it is updated using this API. There may be a delay of up to a minute or so between the time this API call completes and when the new configuration goes into effect.

Fix Text (F-55212r810396_fix)

Capture the output from the check GET command and update the TLS 1.1 protocol to false.

Execute the following API call using curl or another REST API client:

PUT https:///api/v1/cluster/api-service

Example request body:

{
"global_api_concurrency_limit": 199,
"client_api_rate_limit": 100,
"client_api_concurrency_limit": 40,
"connection_timeout": 30,
"redirect_host": "",
"cipher_suites": [
{"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
{"enabled": true, "name": "TLS_RSA_WITH_AES_256_GCM_SHA384"},
{"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
{"enabled": true, "name": "TLS_RSA_WITH_AES_128_GCM_SHA256"}
{"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384}",
{"enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA256"},
{"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
{"enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA"},
{"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
{"enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA256"},
{"enabled": false, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
{"enabled": false, "name": "TLS_RSA_WITH_AES_128_CBC_SHA"}
],
"protocol_versions": [
{"enabled": false, "name": "TLSv1.1"},
{"enabled": true, "name": "TLSv1.2"}
]
}

Note: Changes are applied to all nodes in the cluster. The API service on each node will restart after it is updated using this API. There may be a delay of up to a minute or so between the time this API call completes and when the new configuration goes into effect.