{"description": "Disable old SSL and TLS versions and enable the latest TLS encryption by setting\nthe following in <tt>/etc/httpd/conf.modules.d/ssl.conf</tt>:\n<pre>SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1</pre>\nMake sure to also set <tt>SSLEngine</tt> to <tt>on</tt> in\n<tt>/etc/httpd/conf.modules.d/ssl.conf</tt> like the following:\n<pre>SSLEngine on</pre>", "rationale": "Transport Layer Security (TLS) encryption is a required security setting for a\nprivate web server. Encryption of private information is essential to ensuring\ndata confidentiality. If private information is not encrypted, it can be\nintercepted and easily read by an unauthorized party. A web server must\nuse a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions\nmust be disabled.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it is not", "ocil": "To verify that TLS is configured properly in\n<tt>/etc/httpd/conf.modules.d/ssl.conf</tt>, run the following command:\n<pre>$ grep -i \"sslengine\\|sslprotocol\" /etc/httpd/conf.d/ssl.conf</pre>\nThe output should return the following:\n<pre>\nSSLEngine on\nSSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enable Transport Layer Security (TLS) Encryption", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_tls/rule.yml", "template": null}