UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-256318 VCSA-70-000009 SV-256318r885565_rule High
Description
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. Satisfies: SRG-APP-000014, SRG-APP-000645, SRG-APP-000156, SRG-APP-000157, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000560, SRG-APP-000565, SRG-APP-000625
STIG Date
VMware vSphere 7.0 vCenter Security Technical Implementation Guide 2023-03-01

Details

Check Text ( C-59993r885563_chk )
At the command prompt on the vCenter Server Appliance, run the following command:

# /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc scan

If the output indicates versions of TLS other than 1.2 are enabled, this is a finding.
Fix Text (F-59936r885564_fix)
At the command prompt on the vCenter Server Appliance, run the following commands:

# /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc backup

# /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLS1.2

vCenter services will be restarted as part of the reconfiguration. The operating system will not be restarted.

The "--no-restart" flag can be added to restart services at a later time.

Changes will not take effect until all services are restarted or the appliance is rebooted.

Note: This change should be performed on vCenter prior to ESXi.