Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

From APACHE SITE 2.2 for Unix Security Technical Implementation Guide

Part of WG140

Associated with IA controls: IATS-1, IATS-2

SV-33019r1_rule Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

Vulnerability discussion

Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.

Check content

To view the SSLVerifyClient value enter the following command: grep "SSLVerifyClient" /usr/local/apache2/conf/httpd.conf. If the value of SSLVerifyClient is not set to “require”, this is a finding.

Fix text

Edit the httpd.conf file and set the value of SSLVerifyClient to "require".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer