Detections
Analytics
WG340 A22 - A private web server must utilize an approved TLS version - SSLProtocol
Information
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
Solution
Edit the httpd.conf file and set the SSLProtocol to 'ALL -SSLv2 -SSLv3' and the SSLEngine to On. For Apache 2.2.22 and older, set SSLProtocol to 'TLSv1'.See Also
https://iasecontent.disa.mil/stigs/zip/U_Apache_2-2_UNIX_V1R11_STIG.zip
Item Details
Audit Name: DISA STIG Apache Site 2.2 Unix v1r11
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-13, CAT|II, Rule-ID|SV-33029r2_rule, STIG-ID|WG340_A22, Vuln-ID|V-2262
Plugin: Unix
Control ID: d384b0e1760d18955fcc5a0be373d9830aabf81cb907df18ba31c38e4c8f9e6e