VCLD-70-000025 - VAMI must force clients to select the most secure cipher.

Information

During a Transport Layer Security (TLS) session negotiation, when choosing a cipher during a handshake, normally the client's preference is used. This is potentially problematic as a malicious, dated, or poorly configured client could select the most insecure cipher offered by the server, even if it supports stronger ones.

If 'ssl.honor-cipher-order' is enabled, the 'ssl.cipher-list' setting will be treated as an ordered list of cipher values from most preferred to least, left to right.

Solution

Navigate to and open:

/opt/vmware/etc/lighttpd/lighttpd.conf

Add or reconfigure the following setting:

ssl.honor-cipher-order = 'enable'

Restart the service with the following command:

# vmon-cli --restart applmgmt

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-256669r888529_rule, STIG-ID|VCLD-70-000025, Vuln-ID|V-256669

Plugin: Unix

Control ID: 44b169b6c8339550f449d454b32ee1761cef60d85266990177dc3e50a7d883fd