UCF STIG Viewer Logo

OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221528 OH12-1X-000320 SV-221528r879810_rule Medium
Description
Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.
STIG Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide 2022-12-09

Details

Check Text ( C-23243r415263_chk )
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor.

2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.

3. If the directive is omitted, this is a finding.

4. Validate that the file specified exists. If the file does not exist, this is a finding.
Fix Text (F-23232r415264_fix)
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor.

2. Search for the "LoadModule ossl_module" directive at the OHS server configuration scope.

3. Set the "LoadModule ossl_module" directive to ""${PRODUCT_HOME}/modules/mod_ossl.so"", add the directive if it does not exist.