VCLD-67-000002 - VAMI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.

Information

Encryption of data in flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, the server's communications can potentially be compromised.

The US Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), identifies 11 areas for a cryptographic module used inside a security system that protects information. FIPS 140-2 approved ciphers provide the maximum level of encryption possible for a private web server.

VAMI is compiled to use VMware's FIPS-validated OpenSSL module and cannot be configured otherwise. Ciphers may still be specified in order of preference, but no non-FIPS-approved ciphers will be implemented.

Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000179-WSR-000111, SRG-APP-000416-WSR-000118, SRG-APP-000439-WSR-000188

Solution

Navigate to and open /etc/applmgmt/appliance/lighttpd.conf.

Add or reconfigure the following value:

ssl.cipher-list = '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_STIG.zip

Item Details

References: CAT|I, CCI|CCI-000068, CCI|CCI-000803, CCI|CCI-002418, Rule-ID|SV-239716r679258_rule, STIG-ID|VCLD-67-000002, Vuln-ID|V-239716

Plugin: Unix

Control ID: fe1f45144691f6adca1bce4afd11329e9f2c56d24065b87ef7624d02e71ee45d