6.5 Ensure SSL Protocol is set to TLS for Secure Connectors - verify sslProtocol is set to TLS

Information

The sslProtocol setting determines which protocol Tomcat will use to protect traffic. It is recommended that sslProtocol attribute be set to TLS.

Rationale:

The TLS protocol does not contain weaknesses that affect other secure transport protocols, such as SSLv1 or SSLv2. Therefore, TLS is leveraged to protect the confidentiality and integrity of data while in transit.

Solution

In server.xml, set the sslProtocol attribute to TLS for Connectors having SSLEnabled set to true.

<Connector
...
sslProtocol='TLS'
...
/>

In Tomcat 8.5.x using JSSE, set it to TLS or alternatively remove it.

<Connector
...
<SSLHostConfig
...
sslProtocol='TLS'
...
/>

References:

https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, 800-53|SC-12, CSCv7|14.4, CSCv7|18.5

Plugin: Unix

Control ID: f1ec6aefd229c3f75389e257099c5d34eab6d9223b3e0b20b73218adda16a084