The Firefox SSLV2 parameter is configured to allow use of SSL 2.0.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15982 | DTBF010 | SV-16924r4_rule | ECSC-1 | Medium |
| Description |
|---|
| Use of versions prior to TLS 1.0 are not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs. |
| STIG | Date |
|---|---|
| Mozilla Firefox | 2015-12-30 |
Details
| Check Text ( C-16609r4_chk ) |
|---|
| Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "security.enable_ssl2" and verify the value is set to "false". Criteria: If the parameter is set incorrectly, then this is a finding. If the value is not locked this is a finding. Note: Newer versions may not show "security.enable_ssl2" and may be replaced with “security.tls.version.min” instead. Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "security.tls.version.min" and set the value to “1” and locked. Criteria: If the value of "security.tls.version.min" is “1”, this is not a finding. If the value is locked, this is not a finding. |
| Fix Text (F-15983r5_fix) |
|---|
| Set the preference "security.enable_ssl2" is set to "false" and lock using the Mozilla.cfg file. For newer versions, set the preference "security.tls.version.min" to “1” and lock using the Mozilla.cfg file. |