Detections
Analytics
VCRP-70-000004 - Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections.
Information
Envoy can be configured to support TLS 1.0, 1.1, and 1.2. Due to intrinsic problems in TLS 1.0 and TLS 1.1, they are disabled by default. The <protocol> block in the rhttpproxy configuration is commented out by default, and this configuration forces TLS 1.2.The block may also be set to 'tls1.2' in certain upgrade scenarios, but the effect is the same. Uncommenting the block and enabling older protocols is possible; therefore, TLS 1.2 restriction must be verified and maintained.
Satisfies: SRG-APP-000015-WSR-000014, SRG-APP-000172-WSR-000104, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182
Solution
Navigate to and open:/etc/vmware-rhttpproxy/config.xml
Locate the <config>/<vmacore>/<ssl> block and configure <protocols> as follows:
<protocols>tls1.2</protocols>
Restart the service for changes to take effect.
# vmon-cli --restart rhttpproxy
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip
Item Details
Audit Name: DISA STIG VMware vSphere 7.0 RhttpProxy v1r1
Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AC-17(2), 800-53|IA-5(1)(c), 800-53|SC-8, 800-53|SC-8(2), CAT|II, CCI|CCI-000197, CCI|CCI-001453, CCI|CCI-002418, CCI|CCI-002420, CCI|CCI-002422, Rule-ID|SV-256740r889158_rule, STIG-ID|VCRP-70-000004, Vuln-ID|V-256740
Plugin: Unix
Control ID: e2098d853517e4a55651f01de36a7f3c76b8c81d5c985ca4e6ad4d6552454bd3