NGINX must use TLS 1.2, at a minimum, to protect data confidentiality using remote access.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-278381	SRG-APP-000014	NGNX-APP-000040	SV-278381r1171895_rule	2026-01-07	1

Description
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DOD-only or on public-facing servers. Satisfies: SRG-APP-000014, SRG-APP-000015, SRG-APP-000560, SRG-APP-000565

Description

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DOD-only or on public-facing servers. Satisfies: SRG-APP-000014, SRG-APP-000015, SRG-APP-000560, SRG-APP-000565

ℹ️ Check
Determine the path to NGINX config file(s): nginx -qT \| grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Verify "ssl_protocols" are set to TLSv1.2 or higher: nginx -c <path to nginx config> -qT \| grep ssl_protocols ssl_protocols TLSv1.2 TLSv1.3; If "ssl_protocols" does not exist or does not specify TLSv1.2 or greater, this is a finding

ℹ️ Check

Determine the path to NGINX config file(s): nginx -qT | grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Verify "ssl_protocols" are set to TLSv1.2 or higher: nginx -c <path to nginx config> -qT | grep ssl_protocols ssl_protocols TLSv1.2 TLSv1.3; If "ssl_protocols" does not exist or does not specify TLSv1.2 or greater, this is a finding

✔️ Fix
Specify the allowed TLS protocols by adding the following line to the server {} block: ssl_protocols TLSv1.2 TLSv1.3; Restart NGINX with saved configuration: nginx -s reload