Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-254087	SRG-APP-000014	SPEC-IN-000030	SV-254087r845265_rule	2022-08-31	1

Description
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DoD-only or on public-facing servers. Satisfies: SRG-APP-000014, SRG-APP-000156, SRG-APP-000179, SRG-APP-000442, SRG-APP-000555, SRG-APP-000560, SRG-APP-000565, SRG-APP-000605, SRG-APP-000635, SRG-APP-000645, SRG-APP-000219

Description

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DoD-only or on public-facing servers. Satisfies: SRG-APP-000014, SRG-APP-000156, SRG-APP-000179, SRG-APP-000442, SRG-APP-000555, SRG-APP-000560, SRG-APP-000565, SRG-APP-000605, SRG-APP-000635, SRG-APP-000645, SRG-APP-000219

ℹ️ Check
1. Consult the System Administrator if needed to determine the location of the Apache Tomcat server.xml file and the network port that was specified during installation for use with Innoslate. The default is 8443; other AO-approved ports may be used. 2. Open the server.xml file with a text editor, and locate the <Connector/> element. The following is an example: Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" SSLProtocol="TLSv1.2" keystoreFile="$keystorepath" keystorePass="123456" keyAlias="tomcatssl" / If "port" is not set to 8443, or other AO-approved port, this is a finding. If "protocol" is not set to "org.apache.coyote.http11.Http11NioProtocol", this is a finding. If "SSLEnabled" is not set to "true", this is a finding. If "scheme" is not set to "https", this is a finding. If "secure" is not set to "true", this is a finding. If "SSLProtocol"or "SSLEnabledProtocols" is not set to "TLSv1.2", this is a finding. The name of this flag varies with Tomcat versions.

ℹ️ Check

1. Consult the System Administrator if needed to determine the location of the Apache Tomcat server.xml file and the network port that was specified during installation for use with Innoslate. The default is 8443; other AO-approved ports may be used. 2. Open the server.xml file with a text editor, and locate the <Connector/> element. The following is an example: Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" SSLProtocol="TLSv1.2" keystoreFile="$keystorepath" keystorePass="123456" keyAlias="tomcatssl" / If "port" is not set to 8443, or other AO-approved port, this is a finding. If "protocol" is not set to "org.apache.coyote.http11.Http11NioProtocol", this is a finding. If "SSLEnabled" is not set to "true", this is a finding. If "scheme" is not set to "https", this is a finding. If "secure" is not set to "true", this is a finding. If "SSLProtocol"or "SSLEnabledProtocols" is not set to "TLSv1.2", this is a finding. The name of this flag varies with Tomcat versions.

✔️ Fix
1. Open the server.xml file inside the conf folder of the tomcat installation (IE "C:\Innoslate4\apache-tomcat\conf" or "$CATALINA_BASE/conf/server.xml"). Add a connector tag for HTTPS scheme with PORT 8443 (or other AO-approved port) using the following example: Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1.2" keystoreFile="C:\Innoslate4\apache-tomcat-8.5.30\conf\keystore.jks" keystorePass="123456" keyAlias="tomcatssl" / 2. Set "port" to 8443, or other AO-approved port. Set "protocol" to "org.apache.coyote.http11.Http11NioProtocol". Set "SSLEnabled" to "true". Set "scheme" to "https". Set "secure" to "true". Set "SSLProtocol" or "SSLEnabledProtocols" to "TLSv1.2". The name of this flag varies with Tomcat versions. Set "keystoreFile" to the path of the keystore utilized by the system, and set the associated password with "keystorePass". 3. Save the server.xml file.

✔️ Fix

1. Open the server.xml file inside the conf folder of the tomcat installation (IE "C:\Innoslate4\apache-tomcat\conf" or "$CATALINA_BASE/conf/server.xml"). Add a connector tag for HTTPS scheme with PORT 8443 (or other AO-approved port) using the following example: Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1.2" keystoreFile="C:\Innoslate4\apache-tomcat-8.5.30\conf\keystore.jks" keystorePass="123456" keyAlias="tomcatssl" / 2. Set "port" to 8443, or other AO-approved port. Set "protocol" to "org.apache.coyote.http11.Http11NioProtocol". Set "SSLEnabled" to "true". Set "scheme" to "https". Set "secure" to "true". Set "SSLProtocol" or "SSLEnabledProtocols" to "TLSv1.2". The name of this flag varies with Tomcat versions. Set "keystoreFile" to the path of the keystore utilized by the system, and set the associated password with "keystorePass". 3. Save the server.xml file.