Secured connectors must be configured to use strong encryption ciphers.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222927	TCAT-AS-000020	SV-222927r615938_rule		Medium

Description
The Tomcat <Connector> element controls the TLS protocol and the associated ciphers used. If a strong cipher is not selected, an attacker may be able to circumvent encryption protections that are configured for the connector. Strong ciphers must be employed when configuring a secured connector. The configuration attribute and its values depend on what HTTPS implementation the user is utilizing. The user may be utilizing either Java-based implementation aka JSSE — with BIO and NIO connectors, or OpenSSL-based implementation — with APR connector. TLSv1.2 ciphers are configured via the server.xml file on a per connector basis. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.

Description

The Tomcat <Connector> element controls the TLS protocol and the associated ciphers used. If a strong cipher is not selected, an attacker may be able to circumvent encryption protections that are configured for the connector. Strong ciphers must be employed when configuring a secured connector. The configuration attribute and its values depend on what HTTPS implementation the user is utilizing. The user may be utilizing either Java-based implementation aka JSSE — with BIO and NIO connectors, or OpenSSL-based implementation — with APR connector. TLSv1.2 ciphers are configured via the server.xml file on a per connector basis. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.

STIG	Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide	2021-12-27

Details

Check Text ( C-24599r426225_chk )
From the Tomcat server console, run the following command: sudo grep -i ciphers $CATALINA_BASE/conf/server.xml. Examine each element that is not a redirect to a secure port. Identify the ciphers that are configured on each connector and determine if any of the ciphers are not secure. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1. If insecure ciphers are configured for use, this is a finding.

Check Text ( C-24599r426225_chk )

From the Tomcat server console, run the following command:

sudo grep -i ciphers $CATALINA_BASE/conf/server.xml.

Examine each element that is not a redirect to a secure port. Identify the ciphers that are configured on each connector and determine if any of the ciphers are not secure.

For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.

If insecure ciphers are configured for use, this is a finding.

Fix Text (F-24588r426226_fix)
As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml and modify the element. Add the SSLEnabledProtocols="TLSv1.2" setting to the connector or modify the existing setting. Set SSLEnabledProtocols="TLSv1.2". Save the server.xml file and restart Tomcat: sudo systemctl restart tomcat sudo systemctl reload-daemon