An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-92589	AS24-W2-000890	SV-102677r1_rule		High

Description
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000015-WSR-000014, SRG-APP-000033-WSR-000169, SRG-APP-000172-WSR-000104, SRG-APP-000179-WSR-000110, SRG-APP-000179-WSR-000111, SRG-APP-000206-WSR-000128, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182, SRG-APP-000429-WSR-000113

Description

Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000015-WSR-000014, SRG-APP-000033-WSR-000169, SRG-APP-000172-WSR-000104, SRG-APP-000179-WSR-000110, SRG-APP-000179-WSR-000111, SRG-APP-000206-WSR-000128, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182, SRG-APP-000429-WSR-000113

STIG	Date
Apache Server 2.4 Windows Site Security Technical Implementation Guide	2019-12-19

Details

Check Text ( C-91893r1_chk )
In a command line, navigate to "<'INSTALLED PATH'>\bin". Run "httpd -M" to view a list of installed modules. If the module "mod_ssl" is not enabled, this is a finding. Review the <'INSTALLED PATH'>\conf\httpd.conf file to determine if the "SSLProtocol" directive exists and looks like the following: SSLProtocol -ALL +TLSv1.2 If the directive does not exist and does not contain "-ALL +TLSv1.2", this is a finding.

Check Text ( C-91893r1_chk )

In a command line, navigate to "<'INSTALLED PATH'>\bin". Run "httpd -M" to view a list of installed modules.

If the module "mod_ssl" is not enabled, this is a finding.

Review the <'INSTALLED PATH'>\conf\httpd.conf file to determine if the "SSLProtocol" directive exists and looks like the following:

SSLProtocol -ALL +TLSv1.2

If the directive does not exist and does not contain "-ALL +TLSv1.2", this is a finding.

Fix Text (F-98831r1_fix)
Ensure the "SSLProtocol" is added and looks like the following in the <'INSTALLED PATH'>\conf\httpd.conf file: SSLProtocol -ALL +TLSv1.2 Ensure the "SSLEngine" parameter is set to "ON" inside the "VirtualHost" directive.