UCF STIG Viewer Logo

The vCenter Server must enable TLS 1.2 exclusively.


Overview

Finding ID Version Rule ID IA Controls Severity
V-243112 VCTR-67-000057 SV-243112r816857_rule Medium
Description
TLS 1.0 and 1.1 are deprecated protocols with well published shortcomings and vulnerabilities. TLS 1.2 should be disabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Mandating TLS 1.2 may break third-party integrations and add-ons to vSphere. Test these integrations carefully after implementing TLS 1.2 and roll back where appropriate. On interfaces where required functionality is broken with TLS 1.2 this finding is N/A until such time as the third party software supports TLS 1.2. Make sure you modify TLS settings in the following order: 1. Platform Services Controls (if applicable), 2. vCenter, 3. ESXi
STIG Date
VMware vSphere 6.7 vCenter Security Technical Implementation Guide 2022-09-09

Details

Check Text ( C-46387r816855_chk )
Note: For vCenter Server Windows, this is not applicable.

On the vCenter Server, execute the following command:

# $(find /usr/lib -name reconfigureVc) scan

If the output indicates versions of TLS other than 1.2 are enabled, this is a finding.
Fix Text (F-46344r816856_fix)
On the vCenter Server, execute the following commands:

# $(find /usr/lib -name reconfigureVc) backup
# $(find /usr/lib -name reconfigureVc) update -p TLS1.2

vCenter services will be restarted as part of the reconfiguration, the OS will not be restarted.

You can add the --no-restart flag to restart services at a later time.

Changes will not take effect until all services are restarted or the machine is rebooted.