Title

NGINX must use TLS 1.2, at a minimum, to protect data confidentiality using remote access. (Cat I impact)

Discussion

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DOD-only or on public-facing servers. Satisfies: SRG-APP-000014, SRG-APP-000015, SRG-APP-000560, SRG-APP-000565

Check Content

Determine the path to NGINX config file(s): nginx -qT | grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Verify "ssl_protocols" are set to TLSv1.2 or higher: nginx -c <path to nginx config> -qT | grep ssl_protocols ssl_protocols TLSv1.2 TLSv1.3; If "ssl_protocols" does not exist or does not specify TLSv1.2 or greater, this is a finding

Fix Text

Specify the allowed TLS protocols by adding the following line to the server {} block: ssl_protocols TLSv1.2 TLSv1.3; Restart NGINX with saved configuration: nginx -s reload

Additional Identifiers

Rule ID: SV-278381r1171895_rule

Vulnerability ID: V-278381

Group Title: SRG-APP-000014

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.