Apache Tomcat Application Server 9 STIG Version Comparison

There are 8 differences between versions v3 r1 (July 24, 2024) (the "left" version) and v3 r3 (Oct. 1, 2025) (the "right" version).

Check TCAT-AS-000020 was removed from the benchmark in the "right" version. The text below reflects the old wording.

This check's original form is available here.

Title

Secured connectors must be configured to use strong encryption ciphers.

Check Content

From the Tomcat server console, run the following command: sudo grep -i ciphers $CATALINA_BASE/conf/server.xml. Examine each <Connector/> element that is not a redirect to a secure port. Identify the ciphers that are configured on each connector and determine if any of the ciphers are not secure. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1. If insecure ciphers are configured for use, this is a finding.

Discussion

The Tomcat <Connector> element controls the TLS protocol and the associated ciphers used. If a strong cipher is not selected, an attacker may be able to circumvent encryption protections that are configured for the connector. Strong ciphers must be employed when configuring a secured connector. The configuration attribute and its values depend on what HTTPS implementation the user is utilizing. The user may be utilizing either Java-based implementation aka JSSE — with BIO and NIO connectors, or OpenSSL-based implementation — with APR connector. TLSv1.2 ciphers are configured via the server.xml file on a per connector basis. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.

Fix

As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml and modify the <Connector/> element. Add the SSLEnabledProtocols="TLSv1.2" setting to the connector or modify the existing setting. Set SSLEnabledProtocols="TLSv1.2". Save the server.xml file and restart Tomcat: sudo systemctl restart tomcat sudo systemctl reload-daemon