Detections
Analytics
AS24-W2-000890 - An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version - SSLProtocol
Information
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled.NIST SP 800-52 defines the approved TLS versions for government applications.
Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000015-WSR-000014, SRG-APP-000033-WSR-000169, SRG-APP-000172-WSR-000104, SRG-APP-000179-WSR-000110, SRG-APP-000179-WSR-000111, SRG-APP-000206-WSR-000128, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182, SRG-APP-000429-WSR-000113
Solution
Ensure the 'SSLProtocol' is added and looks like the following in the <'INSTALLED PATH'>\conf\httpd.conf file:SSLProtocol -ALL +TLSv1.2
Ensure the 'SSLEngine' parameter is set to 'ON' inside the 'VirtualHost' directive.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_Windows_Y25M04_STIG.zip
Item Details
Audit Name: DISA Apache Server 2.4 Windows Site STIG v2r2
Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AC-3, 800-53|AC-17(2), 800-53|IA-5(1)(c), 800-53|IA-7, 800-53|SC-8, 800-53|SC-8(2), 800-53|SC-18(1), 800-53|SC-28(1), CAT|I, CCI|CCI-000068, CCI|CCI-000197, CCI|CCI-000213, CCI|CCI-000803, CCI|CCI-001166, CCI|CCI-001453, CCI|CCI-002418, CCI|CCI-002420, CCI|CCI-002422, CCI|CCI-002476, Rule-ID|SV-214396r960759_rule, STIG-ID|AS24-W2-000890, STIG-Legacy|SV-102677, STIG-Legacy|V-92589, Vuln-ID|V-214396
Plugin: Windows
Control ID: 37e9e318d2ce831fac951784e252837870eb7fad8510387c8e47709f9455fcc9