Rule ID
SV-256318r919041_rule
Version
V1R3
CCIs
CCI-000068, CCI-000382, CCI-001184, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002450
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. Satisfies: SRG-APP-000014, SRG-APP-000645, SRG-APP-000156, SRG-APP-000157, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000560, SRG-APP-000565, SRG-APP-000625
At the command prompt on the vCenter Server Appliance, run the following command: # /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc scan If the output indicates versions of TLS other than 1.2 are enabled, this is a finding.
At the command prompt on the vCenter Server Appliance, run the following commands: # /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc backup # /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLSv1.2 vCenter services will be restarted as part of the reconfiguration. The operating system will not be restarted. The "--no-restart" flag can be added to restart services at a later time. Changes will not take effect until all services are restarted or the appliance is rebooted. Note: This change should be performed on vCenter prior to ESXi.