The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. Satisfies: SRG-APP-000014, SRG-APP-000645, SRG-APP-000156, SRG-APP-000157, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000560, SRG-APP-000565, SRG-APP-000625

At the command prompt on the vCenter Server Appliance, run the following command: # /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc scan If the output indicates versions of TLS other than 1.2 are enabled, this is a finding.

At the command prompt on the vCenter Server Appliance, run the following commands: # /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc backup # /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLSv1.2 vCenter services will be restarted as part of the reconfiguration. The operating system will not be restarted. The "--no-restart" flag can be added to restart services at a later time. Changes will not take effect until all services are restarted or the appliance is rebooted. Note: This change should be performed on vCenter prior to ESXi.