Detections
Analytics
OH12-1X-000323 - OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
Information
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled.NIST SP 800-52 defines the approved TLS versions for government applications.
Solution
1. Open every .conf file (e.g., ssl.conf) included in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor that requires an SSL-enabled '<VirtualHost>' directive.2. Search for the 'SSLCipherSuite' directive at the OHS server, virtual host, and/or directory configuration scopes.
3. Set the 'SSLCipherSuite' directive to 'SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,RSA_WITH_AES_256_GCM_SHA384,ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA', add the directive if it does not exist.
Note: Ciphers may be removed from the list above per the organization's requirements or if vulnerabilities are found with a specific cipher.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_HTTP_Server_12-1-3_V2R3_STIG.zip
Item Details
Audit Name: DISA STIG Oracle HTTP Server 12.1.3 v2r3
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-8, CAT|II, CCI|CCI-002418, Rule-ID|SV-221531r961632_rule, STIG-ID|OH12-1X-000323, STIG-Legacy|SV-79053, STIG-Legacy|V-64563, Vuln-ID|V-221531
Plugin: Unix
Control ID: 2b13d837436b77927539134a5e26b527b68527de0fbed4e6359ec6a57eb7fc4d