https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175461#M35229 <P>I changed these settings ages ago, but my Security department wouldn't believe that it was disabled without proof.<BR /> I ran an openssl command from a forwarder to test:<BR /> openssl s_client -connect splunk-index-dev-01.example.com:9997 -tls1_2<BR /> and it worked as expected, giving me standard connection info.<BR /> Then I ran the same command for ssl3, and it gave me the same connection info:<BR /> openssl s_client -connect splunk-index-dev-01.example.com:9997 -ssl3<BR /> Doing the same command with ssl2 on the end showed that it was not enabled for ssl2.</P> <P>I doublechecked my settings, and I had sslVersions = tls1.2 set in server.conf on the indexer and outputs.conf on the forwarder, and there was no change.<BR /> After a great deal of back-and-forth with Splunk tech support, we figured out that we needed to set sslVersions = tls1.2 in inputs.conf on the indexer, and nothing in the forwarder, not in outputs.conf, not in server.conf, nowhere at all on the forwarder, and also take it out of server.conf on the indexer.</P> <HR /> Tue, 29 Sep 2020 12:32:30 GMT brynsmith 2020-09-29T12:32:30Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175456#M35224 <P>Is there a way to disable SSL v3 on the UFW? I'm getting flagged by security. </P> Tue, 28 Oct 2014 13:38:41 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175456#M35224 a212830 2014-10-28T13:38:41Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175457#M35225 <P>This feature is available in 6.2.0 release of the splunk. You can simply set the following property in the server.conf under <BR /> [sslConfig]<BR /> sslKeysfilePassword = $1$1E552iukpmwZ<BR /> sslVersions=*,-ssl2,-ssl3</P> <P>this will disable ssl2 and sslv3 protocols, of-course you need to set the corresponding property in the indexer side as well to get the forwarder connecting to the indexer</P> Tue, 28 Oct 2014 15:03:52 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175457#M35225 ithangasamy_spl 2014-10-28T15:03:52Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175458#M35226 <P>There is documentation of the new (in Splunk Enterprise 6.2) <STRONG>sslVersions</STRONG> keyword in the Securing Splunk Enterprise manual: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Security/SetyourSSLversion">Configure allowed and restricted SSL versions</A>. It includes information about configuring forwarders and ensuring compatibility with indexers.</P> Tue, 28 Oct 2014 15:27:58 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175458#M35226 ChrisG 2014-10-28T15:27:58Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175459#M35227 <P>So, I need to update the indexers and the forwarders in sync? </P> Tue, 28 Oct 2014 17:30:58 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175459#M35227 a212830 2014-10-28T17:30:58Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175460#M35228 <P>Also, just want to confirm, the UFW uses SSLv3 by default? </P> Tue, 28 Oct 2014 17:35:36 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175460#M35228 a212830 2014-10-28T17:35:36Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175461#M35229 <P>I changed these settings ages ago, but my Security department wouldn't believe that it was disabled without proof.<BR /> I ran an openssl command from a forwarder to test:<BR /> openssl s_client -connect splunk-index-dev-01.example.com:9997 -tls1_2<BR /> and it worked as expected, giving me standard connection info.<BR /> Then I ran the same command for ssl3, and it gave me the same connection info:<BR /> openssl s_client -connect splunk-index-dev-01.example.com:9997 -ssl3<BR /> Doing the same command with ssl2 on the end showed that it was not enabled for ssl2.</P> <P>I doublechecked my settings, and I had sslVersions = tls1.2 set in server.conf on the indexer and outputs.conf on the forwarder, and there was no change.<BR /> After a great deal of back-and-forth with Splunk tech support, we figured out that we needed to set sslVersions = tls1.2 in inputs.conf on the indexer, and nothing in the forwarder, not in outputs.conf, not in server.conf, nowhere at all on the forwarder, and also take it out of server.conf on the indexer.</P> <HR /> Tue, 29 Sep 2020 12:32:30 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-disable-SSL-v3-on-the-universal-forwarder/m-p/175461#M35229 brynsmith 2020-09-29T12:32:30Z