Details
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.
Solution
Edit the httpd.conf file and set SSLProtocol to 'ALL -SSLv2 -SSLv3' and SSLEngine to On. For Apache 2.2.22 and older, set SSLProtocol to 'TLSv1'.
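An added audit script, not part of the STIG text, that checks an httpd.conf for the two settings named above: the effective SSLProtocol must drop SSLv2 and SSLv3 (or be an explicit TLS-only list such as the 'TLSv1' form for Apache 2.2.22 and older), and SSLEngine must be On. The three configuration fragments it creates are constructed samples for the demonstration, and the script treats each file as a single Apache context (last directive wins); settings split across separate <VirtualHost> blocks would need to be audited per block.

```shell
#!/bin/sh
# Added example, not part of the STIG text: audit an httpd.conf for the WG340
# requirement (SSLProtocol excludes SSLv2/SSLv3, SSLEngine On). The sample
# configs below are constructed for the demo, not taken from any real server.

# Effective value of a directive: the last uncommented occurrence in the file
# (Apache's last-wins rule within one context; per-<VirtualHost> overrides are
# not resolved here and should be audited separately).
directive_value() {
    # $1 = file, $2 = directive name (matched case-insensitively)
    awk -v name="$2" 'tolower($1) == tolower(name) { $1 = ""; sub(/^ +/, ""); v = $0 }
                      END { print v }' "$1"
}

# sslprotocol_ok "ALL -SSLv2 -SSLv3" -> 0 if the protocol list is compliant, 1 otherwise.
# An empty list is a finding: Apache 2.2 defaults to "all", which includes SSLv2/SSLv3.
sslprotocol_ok() {
    has_all=0 neg2=0 neg3=0 weak=0 tls=0
    for t in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$t" in
            all|+all)                  has_all=1 ;;
            -sslv2)                    neg2=1 ;;
            -sslv3)                    neg3=1 ;;
            sslv2|+sslv2|sslv3|+sslv3) weak=1 ;;   # explicitly enables a banned version
            tlsv1*|+tlsv1*)            tls=1 ;;    # TLSv1, TLSv1.1, TLSv1.2 ...
            -tlsv1*)                   ;;          # disabling a TLS version is not a finding here
            *)                         weak=1 ;;   # unrecognised token: fail closed
        esac
    done
    [ "$weak" -eq 0 ] || return 1
    # Either "ALL" with both SSL versions removed, or an explicit TLS-only list.
    if [ "$has_all" -eq 1 ]; then
        if [ "$neg2" -eq 1 ] && [ "$neg3" -eq 1 ]; then return 0; fi
        return 1
    fi
    [ "$tls" -eq 1 ] && return 0
    return 1
}

# check_httpd_conf FILE -> 0 when compliant, 1 on a finding (reason written to stderr).
check_httpd_conf() {
    proto=$(directive_value "$1" SSLProtocol)
    engine=$(printf '%s' "$(directive_value "$1" SSLEngine)" | tr 'A-Z' 'a-z')
    if [ "$engine" != "on" ]; then
        echo "$1: SSLEngine is '${engine:-unset}', expected On" >&2
        return 1
    fi
    if ! sslprotocol_ok "$proto"; then
        echo "$1: SSLProtocol '${proto:-unset}' still permits SSLv2/SSLv3 (or enables no TLS)" >&2
        return 1
    fi
    return 0
}

# Constructed sample 1: Apache 2.2 default protocol list left in place (a finding).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Listen 443
<VirtualHost _default_:443>
    SSLEngine On
    SSLProtocol all
    SSLCertificateFile /path/to/server.crt
</VirtualHost>
EOF

# Constructed sample 2: hardened as the Solution text describes (old line commented out).
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
SSLEngine On
#SSLProtocol all
SSLProtocol ALL -SSLv2 -SSLv3
EOF

# Constructed sample 3: the form for Apache 2.2.22 and older.
LEGACY_CONF=$(mktemp)
cat > "$LEGACY_CONF" <<'EOF'
SSLEngine on
SSLProtocol TLSv1
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF" "$LEGACY_CONF"' EXIT

for f in "$WEAK_CONF" "$HARDENED_CONF" "$LEGACY_CONF"; do
    if check_httpd_conf "$f"; then echo "$f: compliant"; else echo "$f: FINDING"; fi
done
```

Run it against a real server by calling check_httpd_conf on the file that actually carries the SSL directives (often a separate ssl.conf included from httpd.conf), and confirm the result with the server's own parser, since this script does not evaluate Include directives or <IfModule> conditions.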
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.
References
- 800-53|SC-13
- CAT|II
- Rule-ID|SV-33029r2_rule
- STIG-ID|WG340_A22
- Vuln-ID|V-2262