A private web server will utilize TLS v 1.0 or greater.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2262	WG340	SV-2262r6_rule	ECCT-1 ECCT-2	Medium

Description
Transport Layer Security (TLS) encryption is a required security setting for a private web server. This check precludes the possibility that a valid certificate has been obtained, but TLS has not been activated or is not being used. Transactions encrypted with trusted certificates are necessary when the information being transferred is not intended to be accessed by all parties on the network. To the extent that this standard applies, this check is valid for the SIPRNet also. FIPS 140-2 compliance includes: TLS V1.0 or greater TLS must be enabled, the use of SSL disabled Configuration of required cryptographic modules as specified by NIST

Description

Transport Layer Security (TLS) encryption is a required security setting for a private web server. This check precludes the possibility that a valid certificate has been obtained, but TLS has not been activated or is not being used. Transactions encrypted with trusted certificates are necessary when the information being transferred is not intended to be accessed by all parties on the network. To the extent that this standard applies, this check is valid for the SIPRNet also. FIPS 140-2 compliance includes: TLS V1.0 or greater TLS must be enabled, the use of SSL disabled Configuration of required cryptographic modules as specified by NIST

STIG	Date
Web Server STIG	2010-10-07

Details

Check Text ( C-28794r1_chk )
Ask the SA or the web administrator to demonstrate how the web server: Is configured to support TLS protocol version 1.0 with 128 bit encryption, which is FIPS compliant and operating in FIPS mode. Is configured to prevent the use of the Secure Socket Layer (SSL) on the server. (Verify that TLS is enabled and that SSL is disabled.) Is configured for Port, Protocols, and Services Management (PPSM). If the SA or the web master cannot demonstrate that TLS is enabled and is FIPS compliant, this is a finding.

Check Text ( C-28794r1_chk )

Ask the SA or the web administrator to demonstrate how the web server:

Is configured to support TLS protocol version 1.0 with 128 bit encryption, which is FIPS compliant and operating in FIPS mode.

Is configured to prevent the use of the Secure Socket Layer (SSL) on the server. (Verify that TLS is enabled and that SSL is disabled.)

Is configured for Port, Protocols, and Services Management (PPSM).

If the SA or the web master cannot demonstrate that TLS is enabled and is FIPS compliant, this is a finding.

Fix Text (F-25819r1_fix)
A private web server must use TLS. Obtain a server certificate from a DoD Certification Authority. Configure the web server to support TLS protocol version 1.0 with 128 bit encryption, which is FIPS compliant and operating in FIPS mode.