The private web server must use an approved DoD certificate validation process.

From APACHE SERVER 2.2 for Unix Security Technical Implementation Guide

Part of WG145

SV-32954r2_rule The private web server must use an approved DoD certificate validation process.

Vulnerability discussion

Without the use of a certificate validation process, the site is vulnerable to accepting certificates that have expired or have been revoked. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.

Check content

The reviewer should query the ISSO, the SA, the web administrator, or developers as necessary to determine if the web server is configured to utilize an approved DoD certificate validation process. The web administrator should be questioned to determine if a validation process is being utilized on the web server. To validate this, the reviewer can ask the web administrator to describe the validation process being used. They should be able to identify either the use of certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP). If the production web server is accessible, the SA or the web administrator should be able to demonstrate the validation of good certificates and the rejection of bad certificates. If CRLs are being used, the SA should be able to identify how often the CRL is updated and the location from which the CRL is downloaded. If the web administrator cannot identify the type of validation process being used, this is a finding.

Fix text

Configure DoD Private Web Servers to conduct certificate revocation checking utilizing certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP).

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer