Detections
Analytics
VCFL-67-000005 - vSphere Client must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
Information
Encryption of data in flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, the server's communications can potentially be compromised.The US Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), approved ciphers provide the maximum level of encryption possible for a private web server.
The Tomcat connector listening on 9443 comes preconfigured with appropriate FIPS ciphers by default, but this must be verified.
Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000179-WSR-000110, SRG-APP-000439-WSR-000188
Solution
Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml.Ensure that the SSLHostConfig contains the following value:
ciphers='TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA'
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip
Item Details
Audit Name: DISA STIG VMware vSphere 6.7 Virgo Client v1r2
Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AC-17(2), 800-53|SC-8, CAT|I, CCI|CCI-000068, CCI|CCI-002418, Rule-ID|SV-239747r879519_rule, STIG-ID|VCFL-67-000005, Vuln-ID|V-239747
Plugin: Unix
Control ID: c17dee816ee8e7a4257dd653f564e292130c7a2231b9ce7d1bd9fe58e4ad01a2