topic Re: How to disable SSLv3 on port 8090 in Security

How to disable SSLv3 on port 8090

jim_mulder_CI — Wed, 26 Apr 2017 19:11:19 GMT

So, we've got a vulnerability scan showing that SSLv3 is enabled on port 8090 on our Splunk 6.5.2 cluster (master, 2 indexers, 1 search head), and for the life of me, I can't figure out where to disable it. I've verified that splunkd is listening on TCP 8090 via netstat, but I can't find the .conf file where it is configured so I can set the sslVersions. The service on the port appears to be identical to port 8089, the mangement port.

Has anybody else seen this port open in their environment or figured out how to disable SSLv3 for this specific port?

Thanks, all.

Re: How to disable SSLv3 on port 8090

somesoni2 — Wed, 26 Apr 2017 21:20:34 GMT

For what purpose the 8090 port is being used (it's not management port it seems)? Its is data receiving port OR replication port?

Re: How to disable SSLv3 on port 8090

jim_mulder_CI — Thu, 27 Apr 2017 14:53:52 GMT

Thanks, somesoni2.

It might be the replication port, though I don't remember setting it up as such. I've done a full-text search on the .conf files and can't find a reference to the port in any of them.

Re: How to disable SSLv3 on port 8090

mwong — Fri, 28 Apr 2017 09:45:06 GMT

I think you can edit the server.conf and in the stanza [sslConfig] use -ssl3 , it will disable the SSLv3.

sslVersions = <versions_list>
* Comma-separated list of SSL versions to support for incoming connections.
* The versions available are "ssl3", "tls1.0", "tls1.1", and "tls1.2".
* The special version "*" selects all supported versions.  The version "tls"
  selects all versions tls1.0 or newer.
* If a version is prefixed with "-" it is removed from the list.
* SSLv2 is always disabled; "-ssl2" is accepted in the version list but does nothing.
* When configured in FIPS mode, ssl3 is always disabled regardless
  of this configuration.
* Defaults to "*,-ssl2" (anything newer than SSLv2).

Re: How to disable SSLv3 on port 8090

jim_mulder_CI — Fri, 28 Apr 2017 16:24:45 GMT

I've tried that. It doesn't. When first dealing with this, we found SSLv3 running on both the web interface and port 8090. Setting sslVersions in web.conf worked like a charm. Setting sslVersions in server.conf to either tls1.2 or tls1.2,-ssl3 has had no effect on SSLv3 on port 8090.

There's something else going on here.

Re: How to disable SSLv3 on port 8090

jim_mulder_CI — Thu, 04 May 2017 00:45:57 GMT

OK, finally tracked this one down. It turns out it wasn't a port on the server instance, but one on the forwarder instance (on the same machine). web.conf had the mgmtHostPort set, and adding an sslVersions = tls1.2 in server.conf solved the problem and I now have clean scans.

Thanks all for the help.