WG340 A22 - A private web server must utilize an approved TLS version - SSLProtocol
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
Edit the httpd.conf file and set the SSLProtocol directive to 'ALL -SSLv2 -SSLv3' and the SSLEngine directive to On. For Apache 2.2.22 and older, set SSLProtocol to 'TLSv1'.
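One way to verify the setting after the edit, as an added example that is not part of the original finding: a small Python audit that resolves each SSLProtocol line to the protocols it leaves enabled and reports any that still allow SSLv2 or SSLv3, or a missing SSLEngine On. The function names, the simplified +/- token model (with ALL treated as every known protocol) and the sample configurations are assumptions constructed for illustration.

```python
import re

# Protocol names accepted by mod_ssl's SSLProtocol directive (2.2 through 2.4).
KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
FORBIDDEN = {"SSLv2", "SSLv3"}  # the versions the finding requires disabled

def enabled_protocols(value):
    """Resolve an SSLProtocol value to the set of protocols it leaves enabled."""
    canon = {p.lower(): p for p in KNOWN}
    enabled = set()
    for token in value.replace('"', "").replace("'", "").split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        # Assumption: ALL is modelled conservatively as every known protocol.
        chosen = set(KNOWN) if name == "all" else {canon[name]} if name in canon else set()
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)  # a bare name replaces the current set
    return enabled

def audit(conf_text):
    """Return a list of findings for httpd.conf content; empty means compliant."""
    findings, seen_protocol, engine_on = [], False, False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        m = re.match(r"(?i)(SSLProtocol|SSLEngine)\s+(.+)$", line)
        if not m:
            continue
        directive, value = m.group(1).lower(), m.group(2).strip()
        if directive == "sslengine":
            engine_on = engine_on or value.lower() == "on"
        else:
            seen_protocol = True
            bad = sorted(enabled_protocols(value) & FORBIDDEN)
            if bad:
                findings.append(f"line {lineno}: SSLProtocol leaves {', '.join(bad)} enabled")
    if not seen_protocol:
        findings.append("no SSLProtocol directive found")
    if not engine_on:
        findings.append("SSLEngine On not found")
    return findings

# Constructed sample configurations.
GOOD = "SSLEngine On\nSSLProtocol ALL -SSLv2 -SSLv3\n"
BAD = "SSLEngine On\nSSLProtocol all -SSLv2\n# SSLProtocol TLSv1\n"
```

Run it against the contents of httpd.conf and any included virtual host files, since a later SSLProtocol line inside a VirtualHost block can override the server-wide value.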