Secured connectors must be configured to use strong encryption ciphers.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-222927 | TCAT-AS-000020 | SV-222927r960759_rule | CCI-000068 | medium |
| Description | ||||
| The Tomcat <Connector> element controls the TLS protocol and the associated ciphers used. If a strong cipher is not selected, an attacker may be able to circumvent encryption protections that are configured for the connector. Strong ciphers must be employed when configuring a secured connector. The configuration attribute and its values depend on what HTTPS implementation the user is utilizing. The user may be utilizing either Java-based implementation aka JSSE — with BIO and NIO connectors, or OpenSSL-based implementation — with APR connector. TLSv1.2 ciphers are configured via the server.xml file on a per connector basis. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1. | ||||
| STIG | Date | |||
| Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2025-02-11 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-17(2)
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.13
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000068
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-222927r960759_chk)
From the Tomcat server console, run the following command:
sudo grep -i ciphers $CATALINA_BASE/conf/server.xml.
Examine each <Connector/> element that is not a redirect to a secure port. Identify the ciphers that are configured on each connector and determine if any of the ciphers are not secure.
For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.
If insecure ciphers are configured for use, this is a finding.
Fix Text (F-24588r426226_fix)
As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml and modify the <Connector/> element.
Add the SSLEnabledProtocols="TLSv1.2" setting to the connector or modify the existing setting.
Set SSLEnabledProtocols="TLSv1.2". Save the server.xml file and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl reload-daemon