Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections.

An XCCDF Rule

Description

<VulnDiscussion>Envoy can be configured to support TLS 1.0, 1.1, and 1.2. Due to intrinsic problems in TLS 1.0 and TLS 1.1, they are disabled by default. The <protocol> block in the rhttpproxy configuration is commented out by default, and this configuration forces TLS 1.2. The block may also be set to "tls1.2" in certain upgrade scenarios, but the effect is the same. Uncommenting the block and enabling older protocols is possible; therefore, TLS 1.2 restriction must be verified and maintained. Satisfies: SRG-APP-000015-WSR-000014, SRG-APP-000172-WSR-000104, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256740r889158_rule
Severity: Medium
References: CCI-000197 CCI-001453 CCI-002418 CCI-002420 CCI-002422
Updated: 8 months ago

Navigate to and open: 
 
/etc/vmware-rhttpproxy/config.xml 
 
Locate the <config>/<vmacore>/<ssl> block and configure <protocols> as follows: 
 <protocols>tls1.2</protocols> 
 
Restart the service for changes to take effect. 
 
# vmon-cli --restart rhttpproxy

Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections.

Description

Remediation - Manual Procedure