The vCenter VAMI service must enable honoring the SSL cipher order.

An XCCDF Rule

Description

<VulnDiscussion>During a Transport Layer Security (TLS) session negotiation, when choosing a cipher during a handshake, normally the client's preference is used. This is potentially problematic as a malicious, dated, or poorly configured client could select the most insecure cipher offered by the server, even if it supports stronger ones. If "ssl.honor-cipher-order" is enabled, the "ssl.cipher-list" setting will be treated as an ordered list of cipher values from most preferred to least, left to right.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259154r935366_rule
Severity: Medium
References: CCI-000366
Updated: 8 months ago

Navigate to and open:

/opt/vmware/etc/lighttpd/lighttpd.conf

Add or reconfigure the following setting:
ssl.honor-cipher-order = "enable"

Restart the service with the following command:

# vmon-cli --restart applmgmt

The vCenter VAMI service must enable honoring the SSL cipher order.

Description

Remediation - Manual Procedure