VCTR-67-000057 - The vCenter Server must enable TLS 1.2 exclusively.

Information

TLS 1.0 and 1.1 are deprecated protocols with well published shortcomings and vulnerabilities. TLS 1.2 should be disabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Mandating TLS 1.2 may break third-party integrations and add-ons to vSphere. Test these integrations carefully after implementing TLS 1.2 and roll back where appropriate. On interfaces where required functionality is broken with TLS 1.2 this finding is N/A until such time as the third party software supports TLS 1.2.

Make sure you modify TLS settings in the following order: 1. Platform Services Controls (if applicable), 2. vCenter, 3. ESXi

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

On the vCenter Server, execute the following commands:

# $(find /usr/lib -name reconfigureVc) backup
# $(find /usr/lib -name reconfigureVc) update -p TLS1.2

vCenter services will be restarted as part of the reconfiguration, the OS will not be restarted.

You can add the --no-restart flag to restart services at a later time.

Changes will not take effect until all services are restarted or the machine is rebooted.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-243112r879887_rule, STIG-ID|VCTR-67-000057, Vuln-ID|V-243112

Plugin: VMware

Control ID: 1628bc93bb54f747436eb68bb1102747f50485318c6a19602db6ae85231cd136