
What version of SSL does splunkd use?

Splunk Employee

We have Splunk 4.2.3 installed on some Linux hardened servers. Our Security team recently ran some scans and expressed concern regarding SSL on port 8089. After researching we determined that this port is used for Splunk deployment communication.

It seems that their concern is that the SSL version is too low. They would like to see at least version v3TL1.

I'm not very familiar with SSL. Could you tell me what SSL version Splunk uses? Is it possible to upgrade? What version of SSL does 4.3 use?

Thanks,


Re: What version of SSL does splunkd use?

Splunk Employee

Splunk 4.3 uses OpenSSL version 0.9.8r (http://docs.splunk.com/Documentation/Splunk/4.3/ReleaseNotes/OpenSSL). OpenSSL implements SSL v2/v3 and TLS v1 (http://www.openssl.org/).


Re: What version of SSL does splunkd use?

New Member

After further discussions it seems that the issue is that the security scan found the deployment port to be using SSL version 2. Is there a way to control what version of SSL is used? Can we make a parameter change to force SSL version 3 to be used? Thanks.

0 Karma

Re: What version of SSL does splunkd use?

Motivator

Not sure what V3TL1 is. Looking at their OpenSSL's tarball repository, while 0.9.8r is a year old there are only 2 later versions of 0.9.8 available, and a couple of 1.0.0 releases.

Are you sure it's OpenSSL versions, rather than supported/allowed cipher suites?

0 Karma

Re: What version of SSL does splunkd use?

Splunk Employee

Yes, you can. To disable SSLv2 and tell the HTTP server to only accept connections from SSLv3 clients, set the supportSSLV3Only attribute in server.conf to true. By default, this setting is false. This information comes from Secure Access to your Splunk Server in the Admin Manual.


Re: What version of SSL does splunkd use?

In order to completely disable SSLv2 on the Splunk WebUI you must modify two files. Making the change in only the /opt/splunk/etc/system/default/server.conf does not disable SSLv2. You must also make the same 'supportSSLV3Only = true' edit to the /opt/splunk/etc/system/default/web.conf file. We continued to see the SSLv2 vulnerability until we made the change to the server.conf AND web.conf files.


Re: What version of SSL does splunkd use?

SplunkTrust

Never make changes to the files in default! Always make changes to the equivalent file in the local space, in this case /opt/splunk/etc/system/server.conf and web.conf. Making changes in default may be overridden when Splunk is upgraded. See http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Howtoeditaconfigurationfile
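
A read-only check for the point made across the posts above: the attribute has to be set in both server.conf and web.conf, and in the local layer rather than default. This is an added example, not part of the thread or Splunk's own tooling; the stanza names (`[sslConfig]`, `[settings]`), the `etc/system/local` path and the function names are assumptions, and only `etc/system` is inspected (app-level configuration is ignored).

```python
import os

# Assumed stanza per file; the thread names only the attribute and the files.
TARGETS = {"server.conf": "sslConfig", "web.conf": "settings"}
KEY = "supportSSLV3Only"


def read_conf(path):
    """Parse a Splunk .conf file into {stanza: {key: value}}; missing file -> {}."""
    stanzas, current = {}, "default"
    if not os.path.isfile(path):
        return stanzas
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
                stanzas.setdefault(current, {})
            elif "=" in line:
                key, value = line.split("=", 1)
                stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def effective(splunk_home, conf, stanza, key):
    """Return (value, layer); etc/system/local takes precedence over default."""
    for layer in ("local", "default"):
        path = os.path.join(splunk_home, "etc", "system", layer, conf)
        value = read_conf(path).get(stanza, {}).get(key)
        if value is not None:
            return value, layer
    return None, None


def audit(splunk_home):
    """Map each file to (ok, value, layer); ok only if the local layer sets true."""
    report = {}
    for conf, stanza in TARGETS.items():
        value, layer = effective(splunk_home, conf, stanza, KEY)
        ok = layer == "local" and str(value).lower() == "true"
        report[conf] = (ok, value, layer)
    return report


if __name__ == "__main__":
    home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    for conf, (ok, value, layer) in audit(home).items():
        print(f"{conf}: {KEY}={value} (from {layer}) -> {'OK' if ok else 'FIX'}")
```

A value of `true` that comes only from the default layer is reported as `FIX`, since an upgrade can replace that file.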


Re: What version of SSL does splunkd use?

New Member

Is it only necessary to set 'supportSSLV3Only = true' in web.conf if enableSplunkWebSSL is also set to "true"? We do not currently have enableSplunkWebSSL defined so, based on the documentation, it appears enableSplunkWebSSL is "false" by default.

0 Karma