Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Private web servers must require certificates issued from a DoD-authorized Certificate Authority.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-6531 | WG140 W22 | SV-33106r1_rule | Medium |
| Description |
|---|
| Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions. |
| STIG | Date |
|---|---|
| APACHE 2.2 Site for Windows Security Implementation Guide | 2017-10-02 |
Details
| Check Text ( C-33767r1_chk ) |
|---|
| Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: SSLVerifyClient If SSLVerifyClient is not set to “require” this is a finding as the client is not required to present a valid certificate. |
| Fix Text (F-29404r1_fix) |
|---|
| Set the SSLVerifyClient directive to "require". |