VMware vSphere 6.7 RhttpProxy STIG Version Comparison
VMware vSphere 6.7 RhttpProxy Security Technical Implementation Guide
Comparison
There is 1 difference between versions v1 r1 (March 9, 2021) (the "left" version) and v1 r2 (Feb. 8, 2022) (the "right" version).
Check VCRP-67-000004 was changed between these two versions. Green, underlined text was added; red, struck-out text was removed.
Text Differences
Title
The rhttpproxy must use cryptography to protect the integrity of remote sessions.
Check Content
At the command prompt, execute the following command:
# xmllint --xpath '/config/vmacore/ssl/protocols' /etc/vmware-rhttpproxy/config.xml
Expected result: <protocols>tls1.2</protocols> If result: <protocols>tls1.2</protocols> OR XPath there set is empty If no output, this is NOT a finding.
If the output does not match the expected result, this is a finding.
Discussion
The rhttpproxy can be configured to support TLS 1.0, 1.1 and 1.2. Due to intrinsic problems in TLS 1.0 and TLS 1.1, they are disabled by default. The <protocols> block in the rhttpproxy configuration is commented out by default, and this configuration forces TLS 1.2. The block may also be set to "tls1.2" in certain upgrade scenarios, but the effect is the same.
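The check and discussion above can be scripted as follows. This is an added example, not part of the STIG or of VMware's tooling; the sample configs are constructed, the value "tls1.0" is a constructed non-compliant value, and ignoring whitespace around the value is an assumption.

```python
import xml.etree.ElementTree as ET

XPATH = "./vmacore/ssl/protocols"  # /config/vmacore/ssl/protocols, relative to root
EXPECTED = "tls1.2"

# Constructed sample configs (not copied from a real appliance).
SAMPLE_DEFAULT = """<config><vmacore><ssl>
  <!-- <protocols>tls1.2</protocols> -->
</ssl></vmacore></config>"""
SAMPLE_EXPLICIT = "<config><vmacore><ssl><protocols>tls1.2</protocols></ssl></vmacore></config>"
SAMPLE_WEAK = "<config><vmacore><ssl><protocols>tls1.0</protocols></ssl></vmacore></config>"


def evaluate_protocols(xml_text):
    """Return (is_finding, reason) for check VCRP-67-000004."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return True, f"config.xml is not well-formed XML: {exc}"
    if root.tag != "config":
        return True, f"unexpected root element <{root.tag}>"
    # ElementTree drops comments, so a commented-out block yields no nodes,
    # the same as xmllint reporting an empty XPath set.
    nodes = root.findall(XPATH)
    if not nodes:
        return False, "protocols not set; default forces TLS 1.2"
    # Assumption: surrounding whitespace is ignored when comparing values.
    values = [(n.text or "").strip() for n in nodes]
    bad = [v for v in values if v != EXPECTED]
    if bad:
        return True, f"protocols set to {bad!r}, expected {EXPECTED!r}"
    return False, "protocols explicitly set to tls1.2"


if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("explicit", SAMPLE_EXPLICIT),
                       ("weak", SAMPLE_WEAK)]:
        finding, reason = evaluate_protocols(text)
        print(f"{name}: {'FINDING' if finding else 'not a finding'} ({reason})")
```

To audit a host, pass the contents of /etc/vmware-rhttpproxy/config.xml to evaluate_protocols().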
Fix
Navigate to and open /etc/vmware-rhttpproxy/config.xml.
Locate the <config>/<vmacore>/<ssl> block and configure <protocols> as follows:
<protocols>tls1.2</protocols>
Restart the service for changes to take effect.
# vmon-cli --restart rhttpproxy