Lighttpd must be configured to use only FIPS 140-2 approved ciphers.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-89281 | VRAU-LI-000245 | SV-99931r1_rule | Medium |
| Description |
|---|
| Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively. |
| STIG | Date |
|---|---|
| VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide | 2018-10-12 |
Details
| Check Text ( C-88973r1_chk ) |
|---|
| At the command prompt, execute the following command: grep 'ssl.cipher-list' /opt/vmware/etc/lighttpd/lighttpd.conf If the return value for "ssl.cipher-list" is not set to "FIPS: +3DES:!aNULL", this is a finding. |
| Fix Text (F-96023r1_fix) |
|---|
| Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf file Configure the lighttpd.conf file with the following: ssl.cipher-list = "FIPS: +3DES:!aNULL" |