STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279094

CAT I (High)

ColdFusion must remove all export ciphers to protect the confidentiality and integrity of transmitted information.

Rule ID

SV-279094r1171587_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002418, CCI-000068, CCI-000803

Discussion

Export ciphers have weak encryption algorithms that were originally designed to comply with outdated export regulations. These ciphers provide minimal security and can be easily broken by attackers, leading to potential data breaches and unauthorized access. By removing all export ciphers from the supported cipher suites, the ColdFusion server ensures that only strong, secure encryption algorithms are used for data transmission. This practice helps protect sensitive information from being intercepted and compromised, thereby enhancing the overall security of the server and the applications it hosts. Regularly reviewing and updating the cipher suites to exclude weak ciphers is essential for maintaining a secure server environment.

Satisfies: SRG-APP-000439-AS-000274, SRG-APP-000014-AS-000009, SRG-APP-000179-AS-000129, SRG-APP-000439-AS-000155

Check Content

Cipher Validation in server.xml:

1. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml.

2. Open the server.xml file in a text editor.

3. Identify all <Connector> elements that actively handle traffic (i.e., not solely configured to redirect to a secure port). Only connectors with SSLEnabled="true" terminate TLS and therefore carry cipher and protocol settings; a plain HTTP connector has nothing to check under the steps below.

4. Verify each <Connector> element includes either a ciphers attribute or an embedded <SSLHostConfig> element with a ciphers setting.

If the ciphers setting is not present, this is a finding.

5. If the ciphers are present, compare them to the list of approved ciphers found in: NIST SP 800-52 Revision 2, Section 3.3.1.1 (TLS 1.2 cipher suites) and Section 3.3.1.2 (TLS 1.3 cipher suites).

If any unapproved or insecure ciphers are configured, this is a finding.

6. Verify the protocols attribute is configured and using only approved secure protocols (e.g., TLS 1.2 or 1.3). On a Connector that nests an <SSLHostConfig> element this is the protocols attribute of <SSLHostConfig>; on the older Connector-level configuration it is the sslEnabledProtocols attribute of the <Connector> itself. A value of "all" is not an explicit configuration, because the versions it enables depend on the bundled Tomcat and JSSE version.

If the protocols attribute is not configured to use approved secure protocols (e.g., TLS 1.2 or 1.3), this is a finding.
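The check above is a manual file inspection. The script below is an added example (not code from the STIG, DISA or Adobe) that performs check steps 3 through 6 automatically: it parses server.xml, skips every Connector that does not have SSLEnabled="true", reads the cipher and protocol settings from either the Connector itself (the older ciphers and sslEnabledProtocols attributes) or a nested <SSLHostConfig>, and reports each deviation as a finding. APPROVED_CIPHERS is an assumed subset of the SP 800-52r2 suites (the four ECDHE/AES-GCM suites used in the Fix Text example plus the two TLS 1.3 AES-GCM suites) and must be replaced with the organisation's authoritative list; the embedded server.xml is constructed for the demonstration, and the script name in the usage comment is hypothetical.

```python
"""Audit the TLS connectors in a Tomcat/ColdFusion server.xml.

Added example, not code from the STIG, DISA or Adobe. Assumes the standard
Tomcat server.xml layout that ColdFusion ships; APPROVED_CIPHERS is an
assumed subset of SP 800-52r2 and must be replaced with the authoritative list.
"""
import sys
import xml.etree.ElementTree as ET

APPROVED_CIPHERS = {
    # TLS 1.2 ECDHE / AES-GCM suites (the ones in the Fix Text example)
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    # TLS 1.3 suites; without these a JSSE connector has no TLS 1.3 suite to offer
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
}
APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def _tokens(value):
    """Split a comma-separated Tomcat attribute into trimmed entries.
    XML attribute-value normalisation has already turned newlines into spaces."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_server_xml(xml_text):
    """Map each TLS-terminating <Connector> port to its list of findings.

    An empty list means the connector passes check steps 4-6; connectors
    without SSLEnabled="true" (step 3) have nothing to audit and are omitted.
    """
    results = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        findings = []
        # Older configurations put the settings on the Connector itself ...
        ciphers = conn.get("ciphers")
        protocols = conn.get("sslEnabledProtocols")
        # ... Tomcat 8.5+ configurations nest them in <SSLHostConfig>, which wins.
        for shc in conn.findall("SSLHostConfig"):
            ciphers = shc.get("ciphers", ciphers)
            protocols = shc.get("protocols", protocols)

        if not ciphers:
            findings.append("no ciphers setting")
        elif ":" in ciphers or any(c[0] in "!-+@" for c in _tokens(ciphers)):
            # OpenSSL-style expressions (e.g. HIGH:!aNULL) cannot be compared
            # suite by suite against the approved list; require explicit names.
            findings.append("ciphers is an OpenSSL expression, not an explicit suite list")
        else:
            bad = [c for c in _tokens(ciphers) if c not in APPROVED_CIPHERS]
            if bad:
                findings.append("unapproved cipher(s): " + ", ".join(bad))

        if not protocols:
            findings.append("protocols not configured")
        else:
            # Tomcat also accepts '+' as a separator. 'all' is deliberately not
            # approved: what it enables depends on the Tomcat/JSSE version.
            bad = [p for p in _tokens(protocols.replace("+", ","))
                   if p not in APPROVED_PROTOCOLS]
            if bad:
                findings.append("unapproved protocol(s): " + ", ".join(bad))
        results[port] = findings
    return results


# Constructed sample server.xml for the demonstration (not from a real install).
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP that only redirects to 8443: skipped per step 3 -->
    <Connector port="8500" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- legacy attributes, an export suite and TLS 1.0: two findings -->
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
               sslEnabledProtocols="TLSv1,TLSv1.2"/>
    <!-- SSLHostConfig style as in the Fix Text: compliant -->
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                              TLS_AES_256_GCM_SHA384">
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <!-- TLS enabled but nothing pinned, so Tomcat defaults apply: two findings -->
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Hypothetical invocation: python audit_server_xml.py <path to server.xml>
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, findings in audit_server_xml(text).items():
        print(f"Connector port {port}: {'FINDING' if findings else 'ok'}")
        for f in findings:
            print(f"  - {f}")
```

Run it against a real instance with the server.xml path from step 1 as the only argument (the script name is assumed); with no argument it audits the embedded sample and prints one line per TLS connector, so ports 8443 and 8445 come back as findings and 8444 as ok. A connector whose ciphers value is an OpenSSL-style expression such as HIGH:!aNULL is reported as well, because the suites such an expression actually enables depend on the JSSE or OpenSSL build and cannot be compared against the approved list by name; the STIG's intent is an explicit list.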

Fix Text

Secure Cipher and Protocol Configuration in server.xml:

1. For each ColdFusion instance, navigate to: 
<ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml.

2. Before making changes, back up the file to prevent accidental misconfiguration.

3. Open server.xml in a text editor with administrative privileges.

4. Locate each <Connector> element that handles secure traffic (i.e., has SSLEnabled="true" and is not just a redirect).

5. If the <Connector> does not contain a ciphers attribute or an <SSLHostConfig> block with ciphers, add one.

6. Specify only ciphers approved by NIST SP 800-52 Revision 2, Section 3.3.1.1.

Example Configuration:
<Connector port="8443"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="<password>"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

Note: Replace the example cipher list with the exact approved list relevant to the system and policy. Two points to keep in mind when building that list: the TLS_ECDHE_ECDSA_* suites are only usable if an ECDSA certificate is configured, so with the RSA certificate shown above only the TLS_ECDHE_RSA_* entries take effect; and the ciphers attribute also governs TLS 1.3, so if TLSv1.3 is listed in protocols the TLS 1.3 suites from SP 800-52 Revision 2, Section 3.3.1.2 (e.g., TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256) must be named as well, otherwise the JSSE connector has no TLS 1.3 suite to offer and clients fall back to TLS 1.2. The <password> placeholder must be replaced with the keystore password, and the file holding it should be readable only by the ColdFusion service account.

7. Ensure only secure protocols are used (TLS 1.2 or 1.3).

8. Remove or disable any deprecated protocols such as SSLv3, TLS 1.0, or TLS 1.1.

9. Save and close the file.

10. Restart ColdFusion to apply changes.