An error occurred:

Apache Server 2.4 UNIX Site STIG Version Comparison

Apache Server 2.4 UNIX Site Security Technical Implementation Guide

Comparison

There are 4 differences between versions v2 r4 (July 26, 2023) (the "left" version) and v2 r6 (April 2, 2025) (the "right" version).

Check AS24-U2-000380 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Text Differences

Title

The Apache web server must perform RFC 5280-compliant certification path validation.

Check Content

Review In a command line, run "httpd -M | grep -i ssl_module". If the "ssl_module" Apache server documentation and deployed configuration to determine whether the application server provides PKI functionality that validates certification paths in accordance with RFC 5280. If PKI is not enabled, being used, this is NA. If a finding. Determine the Apache server location of the "HTTPD_ROOT" directory and the "ssl.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" Review <'HTTPD_ROOT'>/conf.d/ssl.conf Verify "SSLVerifyClient" is using PKI, but it does set to "require": SSLVerifyClient require Verify "SSLVerifyDepth" is set to a number greater than "0": SSLVerifyDepth 1 If "SSLVerifyClient" is not perform this requirement, set to "require" or "SSLVerifyDepth" is not set to a number greater than "0", this is a finding.

Discussion

A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.

Fix

Determine Configure the Apache server location of the "HTTPD_ROOT" directory and the "ssl.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" Edit <'HTTPD_ROOT'>/conf.d/ssl.conf Set "SSLVerifyClient" to validate certificates in accordance with RFC 5280. "require". Set "SSLVerifyDepth" to "1". SSLVerifyDepth 1 For more information: https://httpd.apache.org/docs/current/mod/ssl_module.html