Finding ID | Version | Rule ID | IA Controls | Severity
---|---|---|---|---
V-13694 | WG342 | SV-14298r3_rule | ECCT-1 ECCT-2 | Medium
**Description**

TLS encryption is optional for a public web server. However, if authentication and encryption are used, then the use of TLS is required. Transactions encrypted with DoD PKI certificates are necessary when the information being transferred is not intended to be accessed by all parties on the network. To the extent that this standard applies, this check is valid for the SIPRNet also.

FIPS 140-2 compliance includes:

- TLS V1.0 or greater must be enabled; the use of SSL must be disabled
- Configuration of required cryptographic modules as specified by NIST CMVP
STIG | Date
---|---
Web Server STIG | 2010-10-07
**Check Text (C-28831r1_chk)**

Ask the SA or the web administrator to demonstrate how the web server:

- Is configured to support TLS protocol version 1.0 with 128-bit encryption that is FIPS compliant and operating in FIPS mode.
- Is configured to prevent the use of the Secure Socket Layer (SSL) protocol on the server. (Verify that TLS is enabled and that SSL is disabled.)
- Is configured for Ports, Protocols, and Services Management (PPSM).

If the SA or the web master cannot demonstrate that TLS is enabled and is FIPS compliant, this is a finding.
**Fix Text (F-13125r4_fix)**

A public web server must use TLS if it contains restricted data that requires authentication and encryption. Obtain a server certificate from a .mil Certificate Authority or obtain an approved DoD ECA certificate. Configure the web server to support TLS protocol version 1.0 with 128-bit encryption, which is FIPS compliant and operating in FIPS mode.
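The check above asks the administrator to demonstrate that TLS is enabled, SSL is disabled and the server runs in FIPS mode. The script below is an added example for doing that on an Apache httpd server with mod_ssl; it is not part of the STIG and not DISA's code. It assumes the real mod_ssl directives `SSLProtocol` and `SSLFIPS`, expands the `all` keyword to the protocol set used by Apache 2.4-era builds (SSLv3, TLSv1, TLSv1.1, TLSv1.2; newer builds also add TLSv1.3), and checks a constructed configuration fragment. Other web servers need their own directive parser, and the optional `probe_protocol` function needs network access to the server being checked.

```shell
#!/bin/sh
# Added example, not part of the STIG: POSIX sh checker for "TLS enabled,
# SSL disabled, FIPS mode" on an Apache httpd / mod_ssl configuration.
# Assumption: "all" expands to the Apache 2.4-era set below.

# Expand an SSLProtocol value ("all -SSLv2 -SSLv3", "TLSv1.2", "-all +TLSv1")
# into the protocols it leaves enabled, printed space-separated on stdout.
enabled_protocols() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            all|+all) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
            -all)     enabled="" ;;
            +*)       enabled="$enabled ${tok#+}" ;;
            -*)       proto="${tok#-}"; kept=""
                      for p in $enabled; do
                          [ "$p" = "$proto" ] || kept="$kept $p"
                      done
                      enabled="$kept" ;;
            *)        enabled="$enabled $tok" ;;
        esac
    done
    # Unquoted on purpose: collapses leading and repeated spaces.
    echo $enabled
}

# Return 0 when the directive value leaves no SSL version enabled and at
# least one TLS version enabled; return 1 (and print why) otherwise.
check_ssl_protocol() {
    protos=$(enabled_protocols "$1")
    has_tls=0
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3) echo "FINDING: $p is enabled by 'SSLProtocol $1'"; return 1 ;;
            TLSv*)       has_tls=1 ;;
        esac
    done
    if [ "$has_tls" -eq 0 ]; then
        echo "FINDING: no TLS version is enabled by 'SSLProtocol $1'"
        return 1
    fi
    echo "OK: 'SSLProtocol $1' enables only $protos"
    return 0
}

# Return 0 when every SSLProtocol directive in an httpd configuration file is
# compliant and the file also sets "SSLFIPS on"; return 1 otherwise.
check_config_file() {
    rc=0
    # Directive names are case-insensitive in httpd; values are kept as written.
    values=$(sed -n 's/^[[:space:]]*[Ss][Ss][Ll][Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]]\{1,\}//p' "$1")
    [ -n "$values" ] || { echo "FINDING: no SSLProtocol directive in $1"; rc=1; }
    old_ifs=$IFS
    IFS='
'
    for value in $values; do
        IFS=$old_ifs
        check_ssl_protocol "$value" || rc=1
    done
    IFS=$old_ifs
    if grep -iq '^[[:space:]]*SSLFIPS[[:space:]]\{1,\}on[[:space:]]*$' "$1"; then
        echo "OK: 'SSLFIPS on' is set in $1"
    else
        echo "FINDING: 'SSLFIPS on' is not set in $1"; rc=1
    fi
    return $rc
}

# Optional live probe (needs network access and an OpenSSL build that still
# accepts the protocol option, e.g. -ssl3 or -tls1_2): exit status 0 means the
# handshake succeeded. A compliant server refuses -ssl3 and accepts TLS.
probe_protocol() {
    openssl s_client -connect "$1:$2" "$3" </dev/null >/dev/null 2>&1
}

# Demonstration on a constructed httpd fragment (not a real server's config).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLFIPS on
EOF
    check_config_file "$tmp"
    rm -f "$tmp"
}

demo
```

Run it on the server's own `ssl.conf` (or the output of `httpd -S` merged with the included files) in place of the constructed fragment; a single SSL version left enabled in any virtual host is reported as a finding.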