The NSX-T Manager must disable TLS 1.1 and enable TLS 1.2.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-251798 | SRG-APP-000142-NDM-000245 | TNDM-3X-000101 | SV-251798r879588_rule | 2023-06-22 | 1 |
Description
TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 must be enabled on all interfaces and TLS 1.1 and 1.0 disabled where supported.
ℹ️ Check
Viewing TLS protocol enablement must be done via the API.
Execute the following API call using curl or another REST API client:
GET https://<nsx-mgr>/api/v1/cluster/api-service
Expected result:
"protocol_versions": [
{
"name": "TLSv1.1",
"enabled": false
},
{
"name": "TLSv1.2",
"enabled": true
}
],
If TLS 1.1 is enabled, this is a finding.
✔️ Fix
Capture the output from the check GET command and update the TLS 1.1 protocol to false.
Execute the following API call using curl or another REST API client:
PUT https://<nsx-mgr>/api/v1/cluster/api-service
Example request body:
{
"global_api_concurrency_limit": 199,
"client_api_rate_limit": 100,
"client_api_concurrency_limit": 40,
"connection_timeout": 30,
"redirect_host": "",
"cipher_suites": [
{"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
{"enabled": true, "name": "TLS_RSA_WITH_AES_256_GCM_SHA384"},
{"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
{"enabled": true, "name": "TLS_RSA_WITH_AES_128_GCM_SHA256"}
{"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384}",
{"enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA256"},
{"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
{"enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA"},
{"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
{"enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA256"},
{"enabled": false, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
{"enabled": false, "name": "TLS_RSA_WITH_AES_128_CBC_SHA"}
],
"protocol_versions": [
{"enabled": false, "name": "TLSv1.1"},
{"enabled": true, "name": "TLSv1.2"}
]
}
Note: Changes are applied to all nodes in the cluster. The API service on each node will restart after it is updated using this API. There may be a delay of up to a minute or so between the time this API call completes and when the new configuration goes into effect.