The ESXi host must enable TLS 1.2 exclusively for the SFCB service.


Overview

Finding ID: V-94481
Version: ESXI-65-000073
Rule ID: SV-104311r1_rule
IA Controls: (not specified)
Severity: Medium

Description
TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 should be enabled on all interfaces, and SSLv3, TLS 1.1 and TLS 1.0 disabled where supported. Mandating TLS 1.2 may break third-party integrations and add-ons to vSphere. Test these integrations carefully after implementing TLS 1.2 and roll back where appropriate. On interfaces where required functionality is broken with TLS 1.2, this finding is N/A until such time as the third-party software supports TLS 1.2. Make sure you modify TLS settings in the following order: 1. Platform Services Controllers (if applicable), 2. vCenter, 3. ESXi.

STIG: VMware vSphere 6.5 ESXi Security Technical Implementation Guide
Date: 2019-12-13

Details

Check Text (C-93667r1_chk)
Temporarily enable SSH, connect to the ESXi host and run the following command:

grep "enableTLS" /etc/sfcb/sfcb.cfg

If the output indicates that any protocol is enabled other than TLSv1_2, this is a finding.
Fix Text (F-100597r1_fix)
Temporarily enable SSH, connect to the ESXi host and run the following commands (the original fix text appended to a relative "sfcb.cfg", which only edits the right file when the shell's working directory is /etc/sfcb; the absolute path is used here so the commands work from any directory):

cp -f /etc/sfcb/sfcb.cfg /etc/sfcb/sfcb.cfg.orig
grep -v "enableTLS" /etc/sfcb/sfcb.cfg.orig > /etc/sfcb/sfcb.cfg
echo "enableTLSv1: false" >> /etc/sfcb/sfcb.cfg
echo "enableTLSv1_1: false" >> /etc/sfcb/sfcb.cfg
echo "enableTLSv1_2: true" >> /etc/sfcb/sfcb.cfg
/etc/init.d/sfcbd-watchdog restart
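Added example, not part of the STIG text or of any VMware tooling: a POSIX sh script that turns the Check Text above into a pass/fail function and the Fix Text into a re-runnable remediation, exercised against a constructed sfcb.cfg excerpt in a temporary file rather than /etc/sfcb/sfcb.cfg. The key names (enableTLSv1, enableTLSv1_1, enableTLSv1_2) and the "key: value" line format are those shown on the page; the sample file contents, the function names, and the decision to treat a missing key as a finding (stricter than the wording "any protocol enabled other than TLSv1_2", chosen because the Fix Text writes all three keys explicitly) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the STIG): audit and remediate SFCB TLS settings
# in an sfcb.cfg-style file passed as $1, so it can be run against a copy.

# Print the value of "key: value" for key $2 in file $1 (last match wins,
# surrounding whitespace trimmed); prints nothing when the key is absent.
sfcb_get() {
    awk -v k="$2" -F':' '$1 == k { v = $2 }
        END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$1"
}

# Check Text logic: return 0 when only TLSv1_2 is enabled, 1 (finding) otherwise.
# Assumption: all three keys must be present explicitly, as the Fix Text writes them.
check_sfcb_tls() {
    [ "$(sfcb_get "$1" enableTLSv1)"   = "false" ] || return 1
    [ "$(sfcb_get "$1" enableTLSv1_1)" = "false" ] || return 1
    [ "$(sfcb_get "$1" enableTLSv1_2)" = "true"  ] || return 1
    # Any other enableTLS* key set to true is also "a protocol other than TLSv1_2".
    if grep -E '^enableTLS' "$1" | grep -Ev '^enableTLSv1(_1|_2)?:' | grep -qi 'true'; then
        return 1
    fi
    return 0
}

# Fix Text logic: back up, strip every existing enableTLS line, append the three
# explicit settings. Re-running it yields the same file (no duplicate keys).
# It does not restart sfcbd-watchdog; do that separately on a real host.
remediate_sfcb_tls() {
    cp -f "$1" "$1.orig"
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -v "enableTLS" "$1.orig" > "$1" || true
    {
        echo "enableTLSv1: false"
        echo "enableTLSv1_1: false"
        echo "enableTLSv1_2: true"
    } >> "$1"
}

# Constructed sample (not a real host's file): the non-compliant state the check
# flags, with TLS 1.0 and 1.1 still enabled. Prints the temp file path.
make_sample_cfg() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sfcb.cfg excerpt for this example
httpsPort: 5989
enableTLSv1: true
enableTLSv1_1: true
enableTLSv1_2: true
sslCertificateFilePath: /etc/vmware/ssl/rui.crt
EOF
    echo "$f"
}

# Demonstration run: audit, fix, audit again.
cfg=$(make_sample_cfg)
if check_sfcb_tls "$cfg"; then
    echo "$cfg: compliant"
else
    echo "$cfg: FINDING - a protocol other than TLSv1_2 is enabled (or keys missing)"
fi
remediate_sfcb_tls "$cfg"
if check_sfcb_tls "$cfg"; then
    echo "$cfg: compliant after remediation"
else
    echo "$cfg: still a finding"
fi
rm -f "$cfg" "$cfg.orig"
```

On an ESXi host the same functions would be pointed at /etc/sfcb/sfcb.cfg, followed by the /etc/init.d/sfcbd-watchdog restart from the Fix Text; the script deliberately leaves the restart out so it can be run against a copy without touching the service.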