7.1 Ensure mod_ssl and/or mod_nss Is Installed

Information

Secure Sockets Layer (SSL) was developed by Netscape and later turned into an open standard, being renamed Transport Layer Security (TLS) as part of the process. TLS is important for protecting communication and can provide authentication of the server and even the client. However, contrary to vendor claims, implementing SSL does NOT directly make your web server more secure! SSL is used to encrypt traffic and therefore does provide confidentiality of private information and users' credentials. Keep in mind, however, that just because you have encrypted the data in transit does not mean that the data provided by the client is secure while it is on the server. Also, SSL does not protect the web server itself: attackers will easily target SSL-enabled web servers, and the attack will be hidden in the encrypted channel.

The mod_ssl module is the standard and most widely used module that implements SSL/TLS for Apache. A newer module found on Red Hat systems can be a complement to or replacement for mod_ssl and provides the same functionality plus additional security services. mod_nss is an Apache module implementation of the Network Security Services (NSS) software from Mozilla, which implements a wide range of cryptographic functions in addition to TLS.

Rationale:

It is best to plan for SSL/TLS implementation from the beginning of any new web server, as most web servers have some need for SSL/TLS for one or more of the following reasons:

Non-public information is submitted that should be protected as it is transmitted to the web server.

Non-public information is downloaded from the web server.

Users are going to be authenticated to some portion of the web server.

There is a need to authenticate the web server, to assure users that they have reached the real web server and have not been phished or redirected to a bogus site.

Solution

Perform either of the following to implement the recommended state:

For Apache installations built from source, use the --with-ssl= option to specify the OpenSSL path and the --enable-ssl configure option to add the SSL modules to the build. The --with-included-apr configure option may be necessary if there are conflicts with the platform's version of APR. If a new version of OpenSSL is needed, it may be downloaded from http://www.openssl.org/. See the Apache documentation on building from source, http://httpd.apache.org/docs/2.4/install.html, for details.

# ./configure --with-included-apr --with-ssl=$OPENSSL_DIR --enable-ssl

For installations using OS packages, it is typically just a matter of ensuring the mod_ssl package is installed. The mod_nss package might also be installed. The following yum command is suitable for Red Hat Linux.

# yum install mod_ssl
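Installing the package is only half the picture; the module also has to be loaded by the running server. The following POSIX shell audit is an added example, not part of the benchmark text: it parses the module listing that httpd -M (or apachectl -M) prints and passes only if ssl_module (mod_ssl) or nss_module (mod_nss) appears. The function names and the two sample module listings are constructed for this example.

```shell
#!/bin/sh
# Added audit helper for control 7.1 (example code, not from the benchmark).
# Reads "httpd -M" style output on stdin and succeeds (exit 0) when either
# mod_ssl (ssl_module) or mod_nss (nss_module) is among the loaded modules.
tls_module_loaded() {
    # httpd -M prints one module per line, e.g. " ssl_module (shared)"
    grep -Eq '^[[:space:]]*(ssl|nss)_module[[:space:]]+\((shared|static)\)'
}

# Runs the check against the live server. Tries the Red Hat binary name first,
# then the generic control script, then the Debian/Ubuntu name.
audit_live_server() {
    for bin in httpd apachectl apache2ctl; do
        if command -v "$bin" >/dev/null 2>&1; then
            if "$bin" -M 2>/dev/null | tls_module_loaded; then
                echo "PASS: ssl_module or nss_module is loaded ($bin -M)"
                return 0
            fi
            echo "FAIL: neither ssl_module nor nss_module is loaded ($bin -M)"
            return 1
        fi
    done
    echo "FAIL: no httpd, apachectl or apache2ctl binary found"
    return 2
}

# Constructed sample listings so the parser can be exercised offline.
SAMPLE_WITH_SSL='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 ssl_module (shared)
 rewrite_module (shared)'

SAMPLE_WITH_NSS='Loaded Modules:
 core_module (static)
 so_module (static)
 nss_module (shared)'

SAMPLE_WITHOUT_TLS='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 rewrite_module (shared)'

# Uncomment to audit the server this script runs on:
# audit_live_server
```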

Default Value:

SSL/TLS is not enabled by default.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 2feaa1b575a3375364f5bdf60c41dd0c24452796e4005193a11d29580a4910ff