Skip to content

Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

An XCCDF Rule

Description

<VulnDiscussion>Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Web Administrator</Responsibility><IAControls></IAControls>

ID
SV-33019r1_rule
Severity
Medium
Updated



Remediation - Manual Procedure

Edit the httpd.conf file and set the value of SSLVerifyClient to "require".