Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-243112 | VCTR-67-000057 | SV-243112r816857_rule | Medium |
Description |
---|
TLS 1.0 and 1.1 are deprecated protocols with well published shortcomings and vulnerabilities. TLS 1.2 should be disabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Mandating TLS 1.2 may break third-party integrations and add-ons to vSphere. Test these integrations carefully after implementing TLS 1.2 and roll back where appropriate. On interfaces where required functionality is broken with TLS 1.2 this finding is N/A until such time as the third party software supports TLS 1.2. Make sure you modify TLS settings in the following order: 1. Platform Services Controls (if applicable), 2. vCenter, 3. ESXi |
STIG | Date |
---|---|
VMware vSphere 6.7 vCenter Security Technical Implementation Guide | 2022-01-04 |
Check Text ( C-46387r816855_chk ) |
---|
Note: For vCenter Server Windows, this is not applicable. On the vCenter Server, execute the following command: # $(find /usr/lib -name reconfigureVc) scan If the output indicates versions of TLS other than 1.2 are enabled, this is a finding. |
Fix Text (F-46344r816856_fix) |
---|
On the vCenter Server, execute the following commands: # $(find /usr/lib -name reconfigureVc) backup # $(find /usr/lib -name reconfigureVc) update -p TLS1.2 vCenter services will be restarted as part of the reconfiguration, the OS will not be restarted. You can add the --no-restart flag to restart services at a later time. Changes will not take effect until all services are restarted or the machine is rebooted. |