Greetings,

We are using Apache Web Server on a z/OS system and are seeing Nessus reports on port 443, as it cannot detect TLS being enabled, though we do have the statements.

Our intention is to serve some non-secured pages but mainly provide our users with controlled access to some more sensitive pages. When Listen 443 is uncommented in the config file, the server fails the Nessus scan. I can only pass the scan by commenting out Listen 443.

httpd.conf:

    #Listen 12.34.56.78:443
    Listen 443
    Listen 80
    <VirtualHost _default_:443>
    ServerName xxx.xxxx.xxxxx.xxx
    SSLProtocolEnable TLSv1.2
    SSLProtocolDisable TLSv1.1
    SSLProtocolDisable SSLv2
    SSLProtocolDisable SSLv3
    SSLEnable
    KeyFile /saf IHSASRV_KEYRING

We are seeing the following Nessus scan results:

    High Severity Vulnerability
    TLS Version 1.2 Protocol Detection
    Synopsis : The remote service encrypts communications but does not support TLS1.2.
    Description : This script detects whether TLS version 1.2 is supported by the remote service for encrypting communications.
    Solution : Consult the application's documentation to enable TLS 1.2 or if not supported ask vendor to add support for TLS 1.2 (with approved cipher suites)
    Plugin Output : TLS v1.2 is not enabled on this port.
    Nessus Plugin ID : 951001

Any advice would be appreciated.

Thank you in advance,
Regards,
Jasi.
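An added example, not part of the original post and not Nessus's own logic: a small Python probe that sends a ClientHello offering TLS 1.2 and reports whether the listener answers with a ServerHello, a TLS alert, or non-TLS bytes, which separates "TLS 1.2 is disabled" from "TLS is not active on this port". The cipher list, function names and sample replies are constructed for illustration.

```python
import os
import socket
import struct

# Suites valid for TLS 1.2 (ECDHE and plain RSA key exchange); chosen for this example.
SUITES = [0xC02F, 0xC030, 0xC02B, 0xC02C, 0xC027, 0x009C, 0x009D, 0x003C, 0x002F, 0x0035]
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

def build_client_hello():
    """One TLS record holding a ClientHello whose highest offered version is TLS 1.2."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    ext = (struct.pack("!HHHHH", 10, 6, 4, 23, 24)        # supported_groups: P-256, P-384
           + struct.pack("!HHBB", 11, 2, 1, 0)            # ec_point_formats: uncompressed
           + struct.pack("!HHH", 13, 12, 10)              # signature_algorithms (5 pairs)
           + bytes.fromhex("04010501020104030503"))
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"        # client_version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first bytes a listener sends back after the ClientHello."""
    if not data:
        return "no reply"
    if data[0] == 0x15 and len(data) >= 7:                 # alert: level at 5, description at 6
        return "TLS alert: " + ALERTS.get(data[6], "code %d" % data[6])
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        ver = (data[9], data[10])                          # ServerHello.server_version
        return "ServerHello: " + VERSIONS.get(ver, "unknown %d.%d" % ver)
    return "non-TLS reply: %r" % data[:24]                 # e.g. plain HTTP on the port

def probe(host, port, timeout=5.0):
    """Send the ClientHello to host:port and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            return classify_reply(s.recv(4096))
    except OSError as exc:
        return "no reply (%s)" % exc

if __name__ == "__main__":
    # Constructed replies, so the script runs offline; call probe(host, 443) on a live port.
    print(classify_reply(bytes.fromhex("160303002a020000260303") + bytes(38)))
    print(classify_reply(bytes.fromhex("15030300020246")))
    print(classify_reply(b"HTTP/1.1 400 Bad Request\r\n"))
```

A "non-TLS reply" on 443 means the listener is answering in plaintext, so the SSL directives are not taking effect for that port; a "TLS alert" or a ServerHello below TLS 1.2 means TLS is active but the protocol settings are not what was intended.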
