V-278381

CAT I (High)

NGINX must use TLS 1.2, at a minimum, to protect data confidentiality using remote access.

Rule ID

SV-278381r1171895_rule

STIG

F5 NGINX Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000068, CCI-001453

Discussion

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DOD-only or on public-facing servers.

Satisfies: SRG-APP-000014, SRG-APP-000015, SRG-APP-000560, SRG-APP-000565

Check Content

Determine the path to NGINX config file(s):

nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

Verify "ssl_protocols" is set to TLSv1.2 or higher:

nginx -c <path to nginx config> -qT | grep ssl_protocols
    ssl_protocols TLSv1.2 TLSv1.3;

If "ssl_protocols" does not exist or does not specify TLSv1.2 or greater, this is a finding.
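
The check above as a script, added here as an example and not part of the STIG text. It is stricter than the grep: it also reports a directive that lists an older protocol next to TLSv1.2, which is an assumption about the rule's intent. The names check_ssl_protocols and sample_* are hypothetical.

```shell
#!/bin/sh
# Added example: audit an "nginx -T" dump (stdin) for V-278381.
# Returns 0 when compliant, 1 on a finding. Assumes each ssl_protocols
# directive sits on a single line.
check_ssl_protocols() {
    awk '
        { sub(/#.*/, "") }                    # drop comments and file markers
        $1 == "ssl_protocols" {
            seen = 1; ok = 0
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p == "TLSv1.2" || p == "TLSv1.3") ok = 1
                else if (p != "") { bad = 1; printf "FINDING: line %d enables %s\n", NR, p }
            }
            if (!ok) { bad = 1; printf "FINDING: line %d lacks TLSv1.2 or higher\n", NR }
        }
        END {
            if (!seen) { bad = 1; print "FINDING: ssl_protocols is not set" }
            exit bad + 0
        }
    '
}

# Constructed sample dumps (not taken from a real system).
sample_compliant() {
    printf '%s\n' '# configuration file /etc/nginx/nginx.conf:' \
        'http {' '  server {' '    listen 443 ssl;' \
        '    ssl_protocols TLSv1.2 TLSv1.3;' '  }' '}'
}
sample_mixed() {   # would pass a plain grep for TLSv1.2, but still offers TLSv1
    printf '%s\n' 'server {' '    ssl_protocols TLSv1 TLSv1.2;' '}'
}
sample_missing() {   # the only ssl_protocols line is commented out
    printf '%s\n' 'server {' '    listen 443 ssl;' \
        '    # ssl_protocols TLSv1.2;' '}'
}

# Demo on the constructed samples; on a host: nginx -qT | check_ssl_protocols
for s in sample_compliant sample_mixed sample_missing; do
    if $s | check_ssl_protocols; then echo "$s: not a finding"; else echo "$s: finding"; fi
done
```

The reported line numbers refer to lines of the dump, not of the individual included files.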

Fix Text

Specify the allowed TLS protocols by adding the following line to the server {} block:

  ssl_protocols TLSv1.2 TLSv1.3;

Restart NGINX with saved configuration:

nginx -s reload