SSL anonymous ciphers supported

damucka — Tue, 21 Sep 2021 07:35:33 GMT

Hello,

We are using the Tenable Infrastructure Vulnerability scanner to scan regularly our complete infrastructure. Tenable reports following findings for the Splunk Server Ports:

https://www.tenable.com/plugins/nessus/31705 SSL Anonymous Cipher Suites Supported

Please find below the plugin output:

The following is a list of SSL anonymous ciphers supported by the remote TCP server :

High Strength Ciphers (>= 112-bit key)

Name Code KEX Auth Encryption MAC

---------------------- ---------- --- ---- --------------------- ---

AECDH-AES128-SHA 0xC0, 0x18 ECDH None AES-CBC(128) SHA1

AECDH-AES256-SHA 0xC0, 0x19 ECDH None AES-CBC(256) SHA1

The fields above are :

{Tenable ciphername}

{Cipher ID code}

Kex={key exchange}

Auth={authentication}

Encrypt={symmetric encryption method}

MAC={message authentication code}

{export flag}

Could you please advise how to adjust the SSL Splunk configuration to fix this issue? Can this be fixed by setting certain value to cipherSuite in server.conf?

The above issue is reported for the ports (2)8191 and (2)8089.

Our server.conf (local) looks as follows:

[kvstore]
port = 28191

[license]
master_uri = https://splunk-license.xxx.corp:443

# Workaround to overcome the connection issues to the license server

[sslConfig]
# To address Vulnerability Scan:
# https://serverfault.com/questions/1034107/how-to-configure-ssl-certificates-for-splunk-on-port-8089
sslVersions = tls1.2
sslVersionsForClient = *,-ssl2
enableSplunkdSSL = true
serverCert = /etc/apache2/splunk.pem

# Workaround to overcome the connection issues to the license server
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

# To address Vulnerability Scan:
# https://community.splunk.com/t5/Archive/Splunk-shows-vulnerable-to-CVE-2012-4929-in-my-Nessus/m-p/29091
allowSslCompression = false
useClientSSLCompression = false
useSplunkdClientSSLCompression = false

sslPassword = xxx

[general]
pass4SymmKey = xxx
trustedIP = 127.0.0.1

The cipherSuite in server.conf (default) looks as follows:

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

Could you please advice?

Kind regards,

Kamil

Re: SSL anonymous ciphers supported

damucka — Wed, 22 Sep 2021 15:23:31 GMT

The solution is:

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:!aNULL:@STRENGTH

topic SSL anonymous ciphers supported in Security

SSL anonymous ciphers supported

Re: SSL anonymous ciphers supported