An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

An XCCDF Rule

Description

Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000015-WSR-000014, SRG-APP-000033-WSR-000169, SRG-APP-000172-WSR-000104, SRG-APP-000179-WSR-000110, SRG-APP-000179-WSR-000111, SRG-APP-000206-WSR-000128, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182, SRG-APP-000429-WSR-000113

ID: SV-214396r395466_rule
Version: AS24-W2-000890
Severity: High
References: CCI-000068 CCI-000197 CCI-000213 CCI-000803 CCI-001166 CCI-001453 CCI-002418 CCI-002420 CCI-002422 CCI-002476
Updated: about 2 months ago

Remediation Templates

Ensure the "SSLProtocol" is added and looks like the following in the <'INSTALLED PATH'>\conf\httpd.conf file:

SSLProtocol -ALL +TLSv1.2

Ensure the "SSLEngine" parameter is set to "ON" inside the "VirtualHost" directive.

An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

Description

Remediation Templates

A Manual Procedure