3.26 (L1) Host must enable the highest version of TLS supported

Information

The host should be configured to accept only the highest version of TLS it supports, so that management traffic terminating on the host (vSphere Client, vCenter, API and other host services) is protected by a current protocol version. ESXi 8 ships with only TLS 1.2 enabled: SSLv3, TLS 1.0 and TLS 1.1 are disabled by default, although an administrator can re-enable them if a legacy client requires it. The parameter governing this behaviour is UserVars.ESXiVPsDisabledProtocols, and the recommended setting is "sslv3,tlsv1,tlsv1.1". Note that the parameter is a list of protocols to disable, not to enable: removing an entry from the list re-enables that protocol, and an empty value allows all of them.

Restricting the host to its highest supported TLS version improves its security posture by ensuring that communications use a modern protocol version and the cipher suites that come with it, and it removes exposure to the known weaknesses of SSLv3, TLS 1.0 and TLS 1.1.

Solution

Set UserVars.ESXiVPsDisabledProtocols to "sslv3,tlsv1,tlsv1.1" on each host. From the vSphere Client, select the host, go to Configure -> System -> Advanced System Settings, edit UserVars.ESXiVPsDisabledProtocols and enter that value; the same parameter can be set from the ESXi shell (esxcli system settings advanced set) or from PowerCLI (Get-AdvancedSetting / Set-AdvancedSetting). Reboot the host for the change to take effect. To audit, confirm that the current value contains all three entries: any entry missing from the list means that protocol is still accepted.

Impact:

Failure to restrict the host to its highest supported TLS version leaves it willing to negotiate SSLv3, TLS 1.0 or TLS 1.1 with any client that asks, exposing management traffic to the known weaknesses of those protocols and potentially compromising the confidentiality and integrity of communications. Conversely, once the older protocols are disabled, any management tool, backup agent or monitoring integration that cannot negotiate TLS 1.2 will no longer be able to connect to the host, so inventory such clients before applying the change.
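As an added example (not part of the CIS benchmark or the Tenable plugin), the following POSIX shell script audits and, on request, remediates the parameter from the ESXi shell. It assumes it is run as root over SSH on the host, where esxcli is available and the shell is busybox ash; the option path and esxcli subcommands are the real ones, while the two embedded esxcli outputs are constructed samples so the check can be exercised offline. The compliance check treats the value as an unordered, case-insensitive list, so "TLSv1.1, sslv3,tlsv1" passes, and when the list has been trimmed it reports which protocols the host still accepts rather than a bare fail.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or the Tenable plugin.
# Audit / remediate UserVars.ESXiVPsDisabledProtocols from the ESXi shell.
# Assumes: run as root in the ESXi shell (busybox ash), so only POSIX sh features
# are used and esxcli is on the PATH. audit_host/remediate_host are not invoked
# automatically; demo runs against constructed sample output so the script works offline.

OPTION=/UserVars/ESXiVPsDisabledProtocols
BENCHMARK_VALUE="sslv3,tlsv1,tlsv1.1"     # value recommended by the benchmark
REQUIRED="sslv3 tlsv1 tlsv1.1"            # the same entries, as shell words

# Pull the "String Value:" field out of `esxcli system settings advanced list -o`
# output read from stdin. "Default String Value:" is deliberately not matched.
parse_string_value() {
    sed -n 's/^[[:space:]]*String Value:[[:space:]]*//p' | head -n 1
}

# Succeed (exit 0) only if every required protocol appears in the comma-separated
# list given as $1; order, case and stray whitespace are ignored. On failure, print
# the protocols that are NOT disabled (i.e. still accepted by the host) and exit 1.
check_disabled_protocols() {
    value=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' \t')
    missing=""
    for proto in $REQUIRED; do
        case ",$value," in
            *",$proto,"*) ;;                       # exact token match, so tlsv1 != tlsv1.1
            *) missing="$missing $proto" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf '%s\n' "${missing# }"
        return 1
    fi
    return 0
}

# Live audit against the running host (requires esxcli).
audit_host() {
    current=$(esxcli system settings advanced list -o "$OPTION" | parse_string_value)
    if missing=$(check_disabled_protocols "$current"); then
        echo "PASS: $OPTION = '$current'"
    else
        echo "FAIL: $OPTION = '$current'; still accepted: $missing"
        return 1
    fi
}

# Live remediation: apply the benchmark value. ESXi picks the new list up on the
# next host reboot, so schedule one after running this.
remediate_host() {
    esxcli system settings advanced set -o "$OPTION" -s "$BENCHMARK_VALUE"
}

# Constructed sample output in the layout esxcli prints, for the offline demo.
SAMPLE_COMPLIANT='   Path: /UserVars/ESXiVPsDisabledProtocols
   Type: string
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 0
   String Value: sslv3,tlsv1,tlsv1.1
   Default String Value: sslv3,tlsv1,tlsv1.1
   Valid Characters: *'

# Constructed: an administrator re-enabled TLS 1.0 and 1.1 by trimming the list.
SAMPLE_WEAK='   Path: /UserVars/ESXiVPsDisabledProtocols
   Type: string
   String Value: sslv3
   Default String Value: sslv3,tlsv1,tlsv1.1'

# Offline demonstration of the check against both samples.
demo() {
    for sample in "$SAMPLE_COMPLIANT" "$SAMPLE_WEAK"; do
        v=$(printf '%s\n' "$sample" | parse_string_value)
        if missing=$(check_disabled_protocols "$v"); then
            echo "PASS: '$v'"
        else
            echo "FAIL: '$v' still accepts: $missing"
        fi
    done
}
demo
```

On a host, call audit_host to check the current value and remediate_host followed by a reboot to fix it. Reporting the protocols that remain enabled, rather than a bare pass/fail, is what a finding needs, and matching whole comma-separated tokens avoids the false pass a substring check would give when "tlsv1.1" is present but "tlsv1" is not.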

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: VMware

Control ID: 8256161dadfffe95e5b028b09cfa65c94af7e8e78b6b83a9d2ca658522a6081c