UCF STIG Viewer Logo

Lighttpd must use an approved TLS version for encryption.


Finding ID Version Rule ID IA Controls Severity
V-89317 VRAU-LI-000485 SV-99967r1_rule High
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. SSL/TLS is a collection of protocols. Weaknesses have been identified with earlier SSL protocols, including SSLv2 and SSLv3, hence SSL versions 1, 2, and 3 should no longer be used. The best practice for transport layer protection is to only provide support for the TLS protocols - TLS 1.0, TLS 1.1 and TLS 1.2. This configuration will provide maximum protection against skilled and determined attackers and is appropriate for applications handling sensitive data or performing critical operations. Lighttpd must explicitly disable all of the SSL-series protocols. If these protocols are not disabled, the vRA appliance may be vulnerable to a loss of confidentiality.
VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide 2018-10-12


Check Text ( C-89009r1_chk )
At the command prompt, execute the following command:

Note: The command should return 2 outputs: ssl.use-sslv2 and ssl.use-sslv3

grep '^ssl.use-sslv' /opt/vmware/etc/lighttpd/lighttpd.conf

If the value returned for "ssl.use-sslv2" and "ssl.use-sslv3" are not set to "disable", this is a finding.
Fix Text (F-96059r1_fix)
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the lighttpd.conf file with following:

ssl.use-sslv2 = "disable"

ssl.use-sslv3 = "disable"