VCRP-67-000004 - The rhttpproxy must use cryptography to protect the integrity of remote sessions.

Information

The rhttpproxy can be configured to support TLS 1.0, 1.1 and 1.2. Due to intrinsic problems in TLS 1.0 and TLS 1.1, they are disabled by default. The <protocols> block in the rhttpproxy configuration is commented out by default, and this default configuration forces TLS 1.2. The block may also be set to 'tls1.2' in certain upgrade scenarios, but the effect is the same.

Solution

Navigate to and open /etc/vmware-rhttpproxy/config.xml.

Locate the <config>/<vmacore>/<ssl> block and configure <protocols> as follows:

<protocols>tls1.2</protocols>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy
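A check script for this setting, added here as an example and not part of the Tenable audit or VMware's tooling: it parses config.xml, treats an absent or commented-out <protocols> element as the TLS 1.2 default the finding describes, and fails when any value other than tls1.2 is listed. The comma-separated value format, the handling of an explicitly empty element, and the embedded sample configurations are assumptions, not taken from a real appliance.

```python
import sys
import xml.etree.ElementTree as ET

CONFIG_PATH = "/etc/vmware-rhttpproxy/config.xml"  # path from the STIG fix text
ALLOWED = {"tls1.2"}                                # the only value the check accepts


def evaluate_protocols(xml_text):
    """Return (compliant, detail) for <config>/<vmacore>/<ssl>/<protocols>."""
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        return False, "unexpected root element <%s>" % root.tag
    node = root.find("./vmacore/ssl/protocols")
    if node is None:
        # ElementTree drops XML comments, so a commented-out block shows up as
        # "absent", which the finding text says forces the TLS 1.2 default.
        return True, "protocols absent or commented out; TLS 1.2 default applies"
    raw = (node.text or "").strip()
    if not raw:
        # Assumption: an explicit empty element is not covered by the finding,
        # so it is reported for manual review rather than passed.
        return False, "protocols element present but empty; review manually"
    # Assumption: multiple protocols are given as a comma-separated list.
    enabled = {p.strip().lower() for p in raw.split(",") if p.strip()}
    weak = sorted(enabled - ALLOWED)
    if weak:
        return False, "non-compliant protocols enabled: %s" % ", ".join(weak)
    return True, "protocols=%s" % raw


def check_file(path=CONFIG_PATH):
    """Evaluate a config.xml on disk (e.g. run on the appliance itself)."""
    with open(path, encoding="utf-8") as fh:
        return evaluate_protocols(fh.read())


# Constructed sample configurations, not copied from a real appliance.
SAMPLES = {
    "default":  "<config><vmacore><ssl><!-- <protocols>tls1.2</protocols> --></ssl></vmacore></config>",
    "explicit": "<config><vmacore><ssl><protocols>tls1.2</protocols></ssl></vmacore></config>",
    "weak":     "<config><vmacore><ssl><protocols>tls1.0,tls1.1,tls1.2</protocols></ssl></vmacore></config>",
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = {"file": check_file(target)} if target else {k: evaluate_protocols(v) for k, v in SAMPLES.items()}
    for name, (ok, detail) in results.items():
        print("%-8s %s  %s" % (name, "PASS" if ok else "FAIL", detail))
```

Run it with no arguments to see the three constructed samples evaluated, or pass the path of a config.xml to evaluate that file.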

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-001453, Rule-ID|SV-240719r879520_rule, STIG-ID|VCRP-67-000004, Vuln-ID|V-240719

Plugin: Unix

Control ID: 55e3a39571136bebe05e93f044bb67c94def73f2078218ffb4d681aba8f2c157