For PKI-based authentication, ColdFusion must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

Severity: medium
Group ID: V-279078
Group Title: SRG-APP-000401-AS-000243
Version: APAS-CF-000680
Rule ID: SV-279078r1172827_rule
Date: 2025-12-19
STIG Version: 1
Description
PKI-based authentication depends on verifying that a presented certificate is still valid, and that includes checking it against the issuing CA's revocation data. If the only copy of that data lives behind a network lookup (a CRL distribution point or an OCSP responder) and the lookup fails, ColdFusion cannot tell a valid certificate from a revoked one; the usual outcomes are either a fail-open that accepts compromised or revoked certificates, or a fail-closed that takes authentication down with the network. A locally cached CRL lets ColdFusion complete path discovery and validation from the cache when the network copy is unreachable, so revoked certificates continue to be rejected and legitimate users continue to authenticate. The cache is only as current as its last refresh, so it must be updated on a schedule shorter than the CA's CRL validity period.
ℹ️ Check
Verify ColdFusion is configured to support certificate revocation checking using locally cached Certificate Revocation Lists (CRLs).

1. For each ColdFusion instance, navigate to: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml.
2. Open the server.xml file in a text editor.
3. Identify all <Connector> elements that are configured for SSL. Within each <Connector>, check for an embedded <SSLHostConfig> element.
4. Review the <SSLHostConfig> element for the presence of one of the following attributes:
   certificateRevocationListFile
   certificateRevocationListPath
   (These attributes specify the location of locally cached CRL files that will be used for certificate revocation checking.)

If no <SSLHostConfig> is present, or if neither certificateRevocationListFile nor certificateRevocationListPath is configured, this is a finding.
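The check above is a manual walk through server.xml; the script below is an added example (not DISA or Adobe code) that performs the same walk with the standard library so it can be run against every instance's server.xml in one pass. It parses the Tomcat-style configuration ColdFusion ships, reports each SSL connector that has no <SSLHostConfig> or whose <SSLHostConfig> carries neither CRL attribute, and additionally warns when certificateVerification is absent or "none", because Tomcat only consults the CRL when it asks the client for a certificate. The embedded server.xml excerpt, its ports and file paths are constructed for the example.

```python
"""Offline check for APAS-CF-000680 against a Tomcat-style server.xml.

Added example, not the STIG's or Adobe's own tooling. Run with no argument
to check the constructed sample below, or pass the path of a real
<ColdFusion_Installation_Directory>\\cfusion\\runtime\\conf\\server.xml.
"""
import sys
import xml.etree.ElementTree as ET

# Either attribute on <SSLHostConfig> satisfies the STIG check.
CRL_ATTRS = ("certificateRevocationListFile", "certificateRevocationListPath")

# Constructed server.xml excerpt: one plain HTTP connector (out of scope),
# one SSL connector with no CRL (finding), one SSL connector with a CRL file.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig certificateVerification="required"
                     truststoreFile="/opt/cf/pki/truststore.p12">
        <Certificate certificateKeystoreFile="/opt/cf/pki/server.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig certificateVerification="required"
                     truststoreFile="/opt/cf/pki/truststore.p12"
                     certificateRevocationListFile="/opt/cf/crl/issuing-ca.pem">
        <Certificate certificateKeystoreFile="/opt/cf/pki/server.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def is_ssl_connector(conn):
    """A connector is in scope if SSLEnabled="true" or it embeds an SSLHostConfig."""
    return (conn.get("SSLEnabled", "").lower() == "true"
            or conn.find("SSLHostConfig") is not None)


def check_server_xml(xml_text):
    """Return one result dict per SSL connector / SSLHostConfig pair.

    Keys: port, host, finding (bool), reason, and an optional warning.
    """
    root = ET.fromstring(xml_text)
    results = []
    for conn in root.iter("Connector"):
        if not is_ssl_connector(conn):
            continue
        port = conn.get("port", "?")
        hosts = conn.findall("SSLHostConfig")
        if not hosts:
            results.append({"port": port, "host": None, "finding": True,
                            "reason": "no <SSLHostConfig> element"})
            continue
        for host in hosts:
            name = host.get("hostName", "_default_")  # Tomcat's default virtual host name
            present = [a for a in CRL_ATTRS if host.get(a)]
            if not present:
                results.append({"port": port, "host": name, "finding": True,
                                "reason": "neither certificateRevocationListFile "
                                          "nor certificateRevocationListPath is set"})
                continue
            res = {"port": port, "host": name, "finding": False,
                   "reason": f"{present[0]}={host.get(present[0])}"}
            # Beyond the STIG text: Tomcat only checks a client certificate against
            # the CRL when it requests one; certificateVerification defaults to "none".
            if host.get("certificateVerification", "none") == "none":
                res["warning"] = ("certificateVerification is none, so the CRL "
                                  "is never consulted")
            results.append(res)
    return results


def findings(xml_text):
    """Only the entries that are findings under APAS-CF-000680."""
    return [r for r in check_server_xml(xml_text) if r["finding"]]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SERVER_XML
    for r in check_server_xml(text):
        status = "FINDING" if r["finding"] else "ok"
        extra = f" [{r['warning']}]" if "warning" in r else ""
        print(f"port {r['port']} host {r['host']}: {status} - {r['reason']}{extra}")
```

On the sample, port 8443 is reported as a finding and port 8444 passes. Run it once per instance (each instance has its own server.xml), and treat a warning on certificateVerification as a separate configuration problem even though it is not a finding under this rule.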
✔️ Fix
Configure ColdFusion to use a locally cached CRL for certificate revocation checking.

1. Open the server.xml file located at: <ColdFusion_Installation_Directory>\cfusion\runtime\conf\server.xml
2. Locate each <Connector> element configured for SSL.
3. Ensure an <SSLHostConfig> element is present and includes one of the following attributes:
   certificateRevocationListFile="<path_to_crl_file>" (a single PEM file containing the concatenated CRLs)
   certificateRevocationListPath="<path_to_crl_directory>" (a directory of PEM CRLs; OpenSSL-based connectors only)
   The attribute is set on <SSLHostConfig> itself; there is no separate element for it. Example:

   <SSLHostConfig certificateVerification="required" truststoreFile="..." certificateRevocationListFile="/opt/cf/crl/mycrl.pem">
     <Certificate certificateKeystoreFile="..." type="RSA" />
   </SSLHostConfig>

   The CRL is only consulted for client certificates, so the connector must also request them (certificateVerification="optional" or "required"); on a server-only TLS connector the attribute has no effect.
4. Save the file and restart ColdFusion to apply the changes.

Refresh the cached CRL file on a schedule shorter than the issuing CA's CRL validity period so that revocations made after the cached copy was issued are honored.