Rule ID
SV-279178r1170664_rule
Version
V1R1
CCIs
NIST SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks, which exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol, thus are in scope for this requirement. NIST SP 800-52 sets TLS version 1.1 as a minimum version, thus all versions of SSL are not allowed (including for client negotiation) either on DOD-only or on public-facing servers.
1. In the Edge SWG Web UI, navigate to Configuration and SSL. 2. Select "SSL Proxy Settings". 3. Scroll down to "SSL Version Controls". If the Minimum Client Control and Server Control are not set to TLS 1.2, this is a finding. If the Maximum Client Control and Server Control are not set to TLS 1.3, this is a finding.
1. In the Edge SWG Web UI, navigate to Configuration and SSL. 2. Select "SSL Proxy Settings". 3. Scroll down to "SSL Version Controls". 4. Under Client Connection, set the minimum version to "TLS 1.2" and maximum version to "TLS 1.3". 5. Under Server Connection, set the minimum version to "TLS 1.2" and maximum version to "TLS 1.3". 6. Click "Save and Apply".