<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How can I force web clients to use only SSLv3 and TLSv1? in Security</title>
    <link>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95421#M3141</link>
    <description>&lt;P&gt;Well, I personally think that SSLv3 works OK. However, the tools to check security used by ISPs and DCs mostly see if the combination of SSLv3 and TLSv1 is enabled or not. I can't mention the name of the tool here, but such tools usually check "SSLv3/TLS". And if the check fails, the operations team usually starts considering alternative solutions that support "SSLv3/TLS". I hope this is a fair reason for you to support "SSLv3/TLS".&lt;/P&gt;</description>
    <pubDate>Tue, 14 Dec 2010 10:13:01 GMT</pubDate>
    <dc:creator>melonman</dc:creator>
    <dc:date>2010-12-14T10:13:01Z</dc:date>
    <item>
      <title>How can I force web clients to use only SSLv3 and TLSv1?</title>
      <link>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95416#M3136</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I would like to know how to force web clients to use only SSLv3 and TLSv1. I found the following configuration in the documentation.&lt;/P&gt;

&lt;P&gt;&lt;A href="http://www.splunk.com/base/Documentation/4.1.5/Admin/Webconf" rel="nofollow"&gt;http://www.splunk.com/base/Documentation/4.1.5/Admin/Webconf&lt;/A&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;supportSSLV3Only = [True | False]
   * Allow only SSLv3 connections if true
   * NOTE: Enabling this may cause some browsers problems
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Does this configuration force web clients to use only SSLv3 and TLSv1?
* The Splunk version is 4.1.4.&lt;/P&gt;

&lt;P&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Mon, 29 Nov 2010 15:28:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95416#M3136</guid>
      <dc:creator>melonman</dc:creator>
      <dc:date>2010-11-29T15:28:40Z</dc:date>
    </item>
    <item>
      <title>Re: How can I force web clients to use only SSLv3 and TLSv1?</title>
      <link>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95417#M3137</link>
      <description>&lt;P&gt;With OpenSSL, when you support SSLv3 only, not only is SSLv2 support turned off but also TLSv1.&lt;/P&gt;

&lt;P&gt;Our app server, CherryPy, does not support specifying more complex OpenSSL contexts, so it is not possible to enable SSLv3 and TLSv1 without hacking at some Python. Even then, changes would not be upgrade-safe.&lt;/P&gt;

&lt;P&gt;We have had a few customers request that we support SSLv3 + TLSv1, so it is something that we are considering.  Can you let us know if this is important to you, and if so why?&lt;/P&gt;</description>
      <pubDate>Mon, 29 Nov 2010 21:56:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95417#M3137</guid>
      <dc:creator>araitz</dc:creator>
      <dc:date>2010-11-29T21:56:52Z</dc:date>
    </item>
    <item>
      <title>Re: How can I force web clients to use only SSLv3 and TLSv1?</title>
      <link>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95418#M3138</link>
      <description>&lt;P&gt;Araitz,&lt;/P&gt;

&lt;P&gt;I would very much like to see SSLv3/TLS+ only support, mainly for these two reasons.&lt;/P&gt;

&lt;P&gt;i) SSLv2 is basically broken; its basic building blocks for crypto have issues, so if the purpose of using SSL is to keep data safe (for example, if login/password information could be pulled from logs), SSLv2 does not protect you.
 Since the SSL handshake will pick the best security that both sides support, it is unlikely that in normal usage a browser would end up on v2, but weird things happen.&lt;/P&gt;

&lt;P&gt;ii) There have been a significant number of flaws found in the SSLv2 code that can be used to attack a server running in v2 mode. Perhaps the Python used in the web server is not vulnerable to any known hacks, but there is always a chance of a zero-day attack.&lt;/P&gt;

&lt;P&gt;A lot of hack attempts involve performing a v2-only handshake, as that gives the attacker the most leverage. For that reason, on all systems that I can, I disable v2 handshakes.&lt;/P&gt;

&lt;P&gt;Hope that helps.&lt;/P&gt;

&lt;P&gt;Brian&lt;/P&gt;</description>
      <pubDate>Mon, 29 Nov 2010 22:38:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95418#M3138</guid>
      <dc:creator>brianirwin</dc:creator>
      <dc:date>2010-11-29T22:38:03Z</dc:date>
    </item>
    <item>
      <title>Re: How can I force web clients to use only SSLv3 and TLSv1?</title>
      <link>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95419#M3139</link>
      <description>&lt;P&gt;Based on your comments above, I am not sure I understand why setting supportSSLv3Only=true doesn't solve your use case. To be clear, setting SSLv3 only disables SSLv2 AS WELL AS TLSv1. See the table a bit below: &lt;A href="http://docs.python.org/library/ssl.html#functions-constants-and-exceptions"&gt;http://docs.python.org/library/ssl.html#functions-constants-and-exceptions&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 29 Nov 2010 22:57:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95419#M3139</guid>
      <dc:creator>araitz</dc:creator>
      <dc:date>2010-11-29T22:57:23Z</dc:date>
    </item>
    <item>
      <title>Re: How can I force web clients to use only SSLv3 and TLSv1?</title>
      <link>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95420#M3140</link>
      <description>&lt;P&gt;Araitz,&lt;BR /&gt;
 Re-reading the question, I see that I was off base; I ranted at a complete tangent to the actual question. Disabling v2 by saying SSLv3 only will resolve the issue I went off on.&lt;/P&gt;

&lt;P&gt;Is it considered good Splunk etiquette to leave my tangent in place, or should I remove it?&lt;/P&gt;

&lt;P&gt;I still think I see some value in the SSLv3 or better switch. I know TLS 1.0 and SSLv3 are very similar, but I believe some Python implementations are now starting to support TLSv1.1, and 1.2 cannot be too far behind.&lt;BR /&gt;
 Per the RFC, 1.1 claims protection against some CBC attacks and several other attack vectors.&lt;/P&gt;</description>
      <pubDate>Thu, 09 Dec 2010 22:08:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95420#M3140</guid>
      <dc:creator>brianirwin</dc:creator>
      <dc:date>2010-12-09T22:08:19Z</dc:date>
    </item>
    <item>
      <title>Re: How can I force web clients to use only SSLv3 and TLSv1?</title>
      <link>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95421#M3141</link>
      <description>&lt;P&gt;Well, I personally think that SSLv3 works OK. However, the tools to check security used by ISPs and DCs mostly see if the combination of SSLv3 and TLSv1 is enabled or not. I can't mention the name of the tool here, but such tools usually check "SSLv3/TLS". And if the check fails, the operations team usually starts considering alternative solutions that support "SSLv3/TLS". I hope this is a fair reason for you to support "SSLv3/TLS".&lt;/P&gt;</description>
      <pubDate>Tue, 14 Dec 2010 10:13:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95421#M3141</guid>
      <dc:creator>melonman</dc:creator>
      <dc:date>2010-12-14T10:13:01Z</dc:date>
    </item>
    <item>
      <title>Re: How can I force web clients to use only SSLv3 and TLSv1?</title>
      <link>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95422#M3142</link>
      <description>&lt;P&gt;With Splunk 4.3, cipher lists can now be specified in web.conf:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://blogs.splunk.com/2012/01/10/splunk4-3-shiny-new-security-features/"&gt;http://blogs.splunk.com/2012/01/10/splunk4-3-shiny-new-security-features/&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;As a result, you can specify a cipher list that only allows TLSv1 and SSLv3 ciphers, even though strictly speaking SSLv3 and TLSv1 are protocols rather than simply lists of allowable ciphers that form their cryptographic attributes.&lt;/P&gt;</description>
      <pubDate>Wed, 18 Jan 2012 05:48:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95422#M3142</guid>
      <dc:creator>araitz</dc:creator>
      <dc:date>2012-01-18T05:48:05Z</dc:date>
    </item>
    <item>
      <title>Re: How can I force web clients to use only SSLv3 and TLSv1?</title>
      <link>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95423#M3143</link>
      <description>&lt;P&gt;Since 4.3, the sslv3Only setting has expanded to server.conf and web.conf.&lt;/P&gt;

&lt;P&gt;See in 6.0.2&lt;/P&gt;

&lt;P&gt;To force Splunk to use only the SSLv3 protocol,&lt;BR /&gt;
see supportSSLV3Only = true under [sslConfig] in server.conf for splunkd&lt;BR /&gt;
  &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/serverconf"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Admin/serverconf&lt;/A&gt;&lt;BR /&gt;
and supportSSLV3Only = true under [settings] in web.conf for splunkweb&lt;BR /&gt;
  &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;For the cipher level, check this:&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/Determineyourciphersuite"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Security/Determineyourciphersuite&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 28 Feb 2014 23:37:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/How-can-I-force-web-clients-to-use-only-SSLv3-and-TLSv1/m-p/95423#M3143</guid>
      <dc:creator>yannK</dc:creator>
      <dc:date>2014-02-28T23:37:38Z</dc:date>
    </item>
  </channel>
</rss>

