UCF STIG Viewer Logo

An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.


Overview

Finding ID Version Rule ID IA Controls Severity
V-214396 AS24-W2-000890 SV-214396r395466_rule High
Description
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications. Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000015-WSR-000014, SRG-APP-000033-WSR-000169, SRG-APP-000172-WSR-000104, SRG-APP-000179-WSR-000110, SRG-APP-000179-WSR-000111, SRG-APP-000206-WSR-000128, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000441-WSR-000181, SRG-APP-000442-WSR-000182, SRG-APP-000429-WSR-000113
STIG Date
Apache Server 2.4 Windows Site Security Technical Implementation Guide 2021-09-27

Details

Check Text ( C-15607r277929_chk )
In a command line, navigate to "<'INSTALLED PATH'>\bin". Run "httpd -M" to view a list of installed modules.

If the module "mod_ssl" is not enabled, this is a finding.

Review the <'INSTALLED PATH'>\conf\httpd.conf file to determine if the "SSLProtocol" directive exists and looks like the following:

SSLProtocol -ALL +TLSv1.2

If the directive does not exist and does not contain "-ALL +TLSv1.2", this is a finding.
Fix Text (F-15605r277930_fix)
Ensure the "SSLProtocol" is added and looks like the following in the <'INSTALLED PATH'>\conf\httpd.conf file:

SSLProtocol -ALL +TLSv1.2

Ensure the "SSLEngine" parameter is set to "ON" inside the "VirtualHost" directive.