The NSX Manager must only enable TLS 1.2 or greater.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-265315 | SRG-APP-000156-NDM-000250 | NMGR-4X-000038 | SV-265315r994168_rule | 2024-12-13 | 1 |
| Description |
|---|
| A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. Configuration of TLS on the NSX also ensures that passwords are not transmitted in the clear. TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 or greater must be enabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Satisfies: SRG-APP-000156-NDM-000250, SRG-APP-000172-NDM-000259 |
| ℹ️ Check |
|---|
| Viewing TLS protocol enablement must be done via the API. Execute the following API call using curl or another REST API client: GET https://<nsx-mgr>/api/v1/cluster/api-service Example result: "protocol_versions": [ { "name": "TLSv1.1", "enabled": false }, { "name": "TLSv1.2", "enabled": true }, { "name": "TLSv1.3", "enabled": true } ] If TLS 1.1 is enabled, this is a finding. |
| ✔️ Fix |
|---|
| Capture the output from the check GET command and update the TLS 1.1 protocol to false. Run the following API call using curl or another REST API client: PUT https://<nsx-mgr>/api/v1/cluster/api-service Example request body: { "session_timeout": 1800, "connection_timeout": 30, "protocol_versions": [ { "name": "TLSv1.1", "enabled": false }, { "name": "TLSv1.2", "enabled": true }, { "name": "TLSv1.3", "enabled": true } ], "cipher_suites": [ { "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "enabled": true }, { "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "enabled": true }, { "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "enabled": true }, { "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "enabled": true }, { "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "enabled": true }, { "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "enabled": true }, { "name": "TLS_RSA_WITH_AES_128_CBC_SHA", "enabled": true }, { "name": "TLS_RSA_WITH_AES_128_CBC_SHA256", "enabled": true }, { "name": "TLS_RSA_WITH_AES_128_GCM_SHA256", "enabled": true }, { "name": "TLS_RSA_WITH_AES_256_CBC_SHA", "enabled": true }, { "name": "TLS_RSA_WITH_AES_256_CBC_SHA256", "enabled": true }, { "name": "TLS_RSA_WITH_AES_256_GCM_SHA384", "enabled": true }, { "name": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "enabled": true }, { "name": "TLS_AES_128_GCM_SHA256", "enabled": true }, { "name": "TLS_AES_256_GCM_SHA384", "enabled": true }, { "name": "TLS_CHACHA20_POLY1305_SHA256", "enabled": true } ], "redirect_host": "", "client_api_rate_limit": 100, "global_api_concurrency_limit": 199, "client_api_concurrency_limit": 40, "basic_authentication_enabled": true, "cookie_based_authentication_enabled": true, "resource_type": "ApiServiceConfig", "id": "reverse_proxy_config", "display_name": "reverse_proxy_config", "_create_time": 1703175890703, "_create_user": "system", "_last_modified_time": 1703175890703, "_last_modified_user": "system", "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Note: Changes are applied to all nodes in the cluster. The API service on each node will restart after it is updated using this API. There may be a delay of up to a minute or so between the time this API call completes and when the new configuration goes into effect. |