STIGQter: STIG Summary: APACHE 2.2 Site for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019:

Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

DISA Rule

SV-33106r1_rule

Vulnerability Number

V-6531

Group Title

WG140

Rule Version

WG140 W22

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Set the SSLVerifyClient directive to "require".

Check Contents

Locate the Apache httpd.conf file.

If unable to locate the file, perform a search of the system to find the location of the file.

Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: SSLVerifyClient

If SSLVerifyClient is not set to “require” this is a finding as the client is not required to present a valid certificate.

Vulnerability Number

V-6531

Documentable

False

Rule Version

WG140 W22

Severity Override Guidance

Locate the Apache httpd.conf file.

If unable to locate the file, perform a search of the system to find the location of the file.

Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: SSLVerifyClient

If SSLVerifyClient is not set to “require” this is a finding as the client is not required to present a valid certificate.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

161

Comments