Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
APACHE 2.2 Site for Windows Security Technical Implementation Guide
WG340
A private web server must utilize an approved TLS version.
A private web server must utilize an approved TLS version.
An XCCDF Rule
Details
Profiles
Prose
A private web server must utilize an approved TLS version.
Medium Severity
<VulnDiscussion>Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems. The SSLProtocol directive enables or disables SSL/TLS protocols. “SSLProtocol ALL” is a shortcut for enabling SSLv3 and TLSv1 but does not disable lower versions of SSL. Since some Apache versions enable SSL by default, SSL needs to be explicitly disabled, while also enabling TLS. To disable specific SSL Protocols, the –SSLv3 –SSLv2 switches are used with the SSLProtocol directive. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Web Administrator</Responsibility><IAControls></IAControls>