Details

The Tomcat element controls the TLS protocol and the associated ciphers used. If a strong cipher is not selected, an attacker may be able to circumvent encryption protections that are configured for the connector. Strong ciphers must be employed when configuring a secured connector.

The configuration attribute and its values depend on what HTTPS implementation the user is utilizing. The user may be utilizing either Java-based implementation aka JSSE – with BIO and NIO connectors, or OpenSSL-based implementation – with APR connector.

TLSv1.2 ciphers are configured via the server.xml file on a per connector basis. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml and modify the element.

Add the SSLEnabledProtocols=’TLSv1.2′ setting to the connector or modify the existing setting.

Set SSLEnabledProtocols=’TLSv1.2′. Save the server.xml file and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl reload-daemon

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R3_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-17(2)
• CAT|II
• CCI|CCI-000068
• Rule-ID|SV-222927r615938_rule
• STIG-ID|TCAT-AS-000020
• STIG-Legacy|SV-111373
• STIG-Legacy|V-102429
• Vuln-ID|V-222927

Source

• Tenable.com/audits