
V-251798

CAT II (Medium)

The NSX-T Manager must disable TLS 1.1 and enable TLS 1.2.

Rule ID

SV-251798r879588_rule

STIG

VMware NSX-T Manager NDM Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-000382

Discussion

TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 must be enabled on all interfaces and TLS 1.1 and 1.0 disabled where supported.

Check Content

Viewing TLS protocol enablement must be done via the API.

Execute the following API call using curl or another REST API client:

GET https://<nsx-mgr>/api/v1/cluster/api-service

Expected result:
    "protocol_versions": [
        {
            "name": "TLSv1.1",
            "enabled": false
        },
        {
            "name": "TLSv1.2",
            "enabled": true
        }
    ],

If TLS 1.1 is enabled, this is a finding.

Fix Text

Capture the output from the check GET command, set "enabled" to false for the TLSv1.1 entry in "protocol_versions", and send the full document back.

Execute the following API call using curl or another REST API client:

PUT https://<nsx-mgr>/api/v1/cluster/api-service

Example request body:

{
  "global_api_concurrency_limit": 199,
  "client_api_rate_limit": 100,
  "client_api_concurrency_limit": 40,
  "connection_timeout": 30,
  "redirect_host": "",
  "cipher_suites": [
    {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
    {"enabled": true, "name": "TLS_RSA_WITH_AES_256_GCM_SHA384"},
    {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
    {"enabled": true, "name": "TLS_RSA_WITH_AES_128_GCM_SHA256"},
    {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
    {"enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA256"},
    {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
    {"enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA"},
    {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
    {"enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA256"},
    {"enabled": false, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
    {"enabled": false, "name": "TLS_RSA_WITH_AES_128_CBC_SHA"}
  ],
  "protocol_versions": [
    {"enabled": false, "name": "TLSv1.1"},
    {"enabled": true, "name": "TLSv1.2"}
  ]
}

Note: Changes are applied to all nodes in the cluster. The API service on each node will restart after it is updated using this API. There may be a delay of up to a minute or so between the time this API call completes and when the new configuration goes into effect.
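The check and fix above, carried out as an added Python example (not part of the STIG or of VMware's own tooling): it evaluates a captured api-service document for the finding, builds the PUT body by flipping only the TLSv1.1 flag so every other field is returned as captured, and a hypothetical helper performs the live GET/PUT. It assumes basic authentication against <nsx-mgr>, a trusted manager certificate, and a constructed sample response embedded inline.

```python
import json
import urllib.request
from base64 import b64encode

# Constructed sample of a GET /api/v1/cluster/api-service response, trimmed to the
# fields this rule touches; TLSv1.1 is still enabled, so it represents a finding.
SAMPLE_RESPONSE = {
    "cipher_suites": [
        {"enabled": True, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
        {"enabled": True, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
    ],
    "protocol_versions": [
        {"enabled": True, "name": "TLSv1.1"},
        {"enabled": True, "name": "TLSv1.2"},
    ],
}

def is_finding(config: dict) -> bool:
    """V-251798 is a finding if TLSv1.1 is enabled or TLSv1.2 is not enabled."""
    state = {p["name"]: bool(p["enabled"]) for p in config.get("protocol_versions", [])}
    return state.get("TLSv1.1", False) or not state.get("TLSv1.2", False)

def remediated_body(config: dict) -> dict:
    """Copy of the captured GET output with TLSv1.1 off and TLSv1.2 on; all other
    fields go back unchanged because the PUT replaces the whole document."""
    body = json.loads(json.dumps(config))  # deep copy, leaves the input untouched
    for proto in body["protocol_versions"]:
        if proto["name"] == "TLSv1.1":
            proto["enabled"] = False
        elif proto["name"] == "TLSv1.2":
            proto["enabled"] = True
    return body

def check_and_fix(nsx_mgr: str, user: str, password: str, apply: bool = False) -> bool:
    """GET the live config, return whether it is a finding and, if apply=True, PUT the
    remediated body back. Hypothetical helper: needs network access and credentials."""
    url = f"https://{nsx_mgr}/api/v1/cluster/api-service"
    auth = b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {auth}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        config = json.load(resp)
    finding = is_finding(config)
    if finding and apply:
        data = json.dumps(remediated_body(config)).encode()
        req = urllib.request.Request(url, data=data, headers=headers, method="PUT")
        urllib.request.urlopen(req).close()
    return finding
```

Run with apply=False first to record the finding, then apply=True; expect the API service on every cluster node to restart, as the note above describes.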