The Apache web server must set an inactive timeout for completing the TLS handshake

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-92435	AS24-W1-000650	SV-102523r2_rule		Medium

Description
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. Timeouts for completing the TLS handshake, receiving the request headers and/or the request body from the client. If the client fails to complete each of these stages within the configured time, a 408 REQUEST TIME OUT error is sent. For SSL virtual hosts, the handshake timeout values is the time needed to do the initial SSL handshake. If the user's browser is configured to query certificate revocation lists and the CRL server is not reachable, the initial SSL handshake may take a significant time until the browser gives up waiting for the CRL. Therefore the handshake timeout should take this possible overhead into consideration for SSL virtual hosts (if necessary). The body timeout values include the time needed for SSL renegotiation (if necessary). Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

Description

Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. Timeouts for completing the TLS handshake, receiving the request headers and/or the request body from the client. If the client fails to complete each of these stages within the configured time, a 408 REQUEST TIME OUT error is sent. For SSL virtual hosts, the handshake timeout values is the time needed to do the initial SSL handshake. If the user's browser is configured to query certificate revocation lists and the CRL server is not reachable, the initial SSL handshake may take a significant time until the browser gives up waiting for the CRL. Therefore the handshake timeout should take this possible overhead into consideration for SSL virtual hosts (if necessary). The body timeout values include the time needed for SSL renegotiation (if necessary). Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

STIG	Date
Apache Server 2.4 Windows Server Security Technical Implementation Guide	2019-12-19

Details

Check Text ( C-91735r1_chk )
Review the <'INSTALL PATH'>\conf\httpd.conf file. Verify the "mod_reqtimeout" is loaded. If it does not exist, this is a finding. If the "mod_reqtimeout" module is loaded and the "RequestReadTimeout" directive is not configured, this is a finding.

Fix Text (F-98675r1_fix)
Edit the <'INSTALL PATH'>\conf\httpd.conf file and load the "mod_reqtimeout" module. Set the "RequestReadTimeout" directive. Restart the Apache service.