Solved: How to valite/remediate RC4 ciphers within Splunk?

a212830 · ‎02-02-2018

Hi,

One of our Splunk servers was flagged for using RC4 ciphers. How can I validate and then disable this option within Splunk? We are using 6.5.4..

harsmarvania57 · ‎02-05-2018

Hi @a212830,

If you run below command on splunk then it will display that RC4 is present in SSLv3 only.

$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v | grep RC4

So based on that if SSLv3 is not require then you can disable SSLv3 in 3 different files.

For management port (Default port 8089) -> server.conf , under [sslConfig] stanza you can define sslVersions = *, -ssl2, -ssl3
For receiver port (Indexer, Default port 9997) -> inputs.conf, under [SSL] stanza you can define sslVersions = *, -ssl2, -ssl3
For splunkweb port (Default port 8000) -> web.conf, under [settings] stanza you can define sslVersions = *, -ssl2, -ssl3

harsmarvania57 · ‎02-05-2018

Hi @a212830,

If you run below command on splunk then it will display that RC4 is present in SSLv3 only.

$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v | grep RC4

So based on that if SSLv3 is not require then you can disable SSLv3 in 3 different files.

For management port (Default port 8089) -> server.conf , under [sslConfig] stanza you can define sslVersions = *, -ssl2, -ssl3
For receiver port (Indexer, Default port 9997) -> inputs.conf, under [SSL] stanza you can define sslVersions = *, -ssl2, -ssl3
For splunkweb port (Default port 8000) -> web.conf, under [settings] stanza you can define sslVersions = *, -ssl2, -ssl3

sloshburch · ‎02-06-2018

@a212830 - Would you accept this answer if it helped?

a212830 · ‎02-14-2018

Done.

Hi Burch!

a212830 · ‎02-05-2018

Anyone?

How to valite/remediate RC4 ciphers within Splunk?