Secured connectors must be configured to use strong encryption ciphers.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-222927 | TCAT-AS-000020 | SV-222927r960759_rule | | Medium |
Description |
| STIG | Date |
|---|---|
| Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2025-02-11 |
Details
Check Text (C-24599r426225_chk)

From the Tomcat server console, run the following command:

    sudo grep -i ciphers $CATALINA_BASE/conf/server.xml

Examine each <Connector/> element that is not a redirect to a secure port. Identify the ciphers configured on each connector and determine whether any of them are not secure. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.

If insecure ciphers are configured for use, this is a finding.
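A scripted form of the same check, added here as an example and not part of the STIG: it parses server.xml with the Python standard library, skips connectors that are not secure (plain connectors that only redirect), and reports every cipher entry on a Connector or its nested SSLHostConfig that is not in an allow-list. The embedded server.xml and the allow-list are constructed for the example; the allow-list is only a small subset of the suites in NIST SP 800-52 section 3.3.1.1 and must be populated from the publication for a real audit.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not taken from any real deployment.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain connector that only redirects to the secure port: out of scope -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- secure connector with a weak suite mixed into an otherwise good list -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2"
                     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
    </Connector>
  </Service>
</Server>"""

# Assumed allow-list: a small subset of the TLS 1.2 suites in NIST SP 800-52
# section 3.3.1.1; populate it from the publication for a real audit.
APPROVED_CIPHERS = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}


def audit_connectors(server_xml, approved=APPROVED_CIPHERS):
    """Map each secure connector port to its unapproved cipher entries.
    Secure = SSLEnabled="true" or an <SSLHostConfig> child; plain redirect-only
    connectors are skipped as the check text directs. [] = pass; "<default>" =
    no ciphers attribute, so the container default must be reviewed."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        hostcfgs = conn.findall("SSLHostConfig")
        if conn.get("SSLEnabled", "false").lower() != "true" and not hostcfgs:
            continue
        # Tomcat 9 accepts ciphers on the Connector or on SSLHostConfig.
        attrs = [a for a in [conn.get("ciphers")] + [h.get("ciphers") for h in hostcfgs] if a]
        bad = ["<default>"] if not attrs else []
        for attr in attrs:
            for entry in (e.strip() for e in attr.split(",") if e.strip()):
                # Any suite outside the allow-list is flagged, including OpenSSL-style
                # expressions such as HIGH:!aNULL, which need manual review.
                if entry not in approved:
                    bad.append(entry)
        findings[conn.get("port")] = bad
    return findings
```

Running `audit_connectors(SAMPLE_SERVER_XML)` on the sample flags only the RC4 suite on port 8443; port 9443 passes and the redirect-only 8080 connector is not reported.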
Fix Text (F-24588r426226_fix)

As a privileged user on the Tomcat server, edit $CATALINA_BASE/conf/server.xml and modify the <Connector/> element. Add the SSLEnabledProtocols="TLSv1.2" setting to the connector, or modify the existing setting so that it reads SSLEnabledProtocols="TLSv1.2".

Save the server.xml file and restart Tomcat:

    sudo systemctl restart tomcat
    sudo systemctl daemon-reload