We have Splunk 4.2.3 installed on some Linux hardened servers. Our Security team recently ran some scans and expressed concern regarding SSL on port 8089. After researching we determined that this port is used for Splunk deployment communication.
It seems that their concern is that the SSL version is too low. They would like to see at least version v3TL1.
I'm not very familiar with SSL. Could you tell me what SSL version Splunk uses? Is it possible to upgrade? What version of SSL does 4.3 use?
After further discussions it seems that the issue is that the security scan found the deployment port to be using SSL version 2. Is there a way to control what version of SSL is used? Can we make a parameter change to force SSL version 3 to be used? Thanks.
Not sure what V3TL1 is. Looking at their OpenSSL's tarball repository, while 0.9.8r is a year old there are only 2 later versions of 0.9.8 available, and a couple of 1.0.0 releases.
Are you sure it's OpenSSL versions, rather than supported/allowed cipher suites?
Yes, you can. To disable SSLv2 and tell the HTTP server to only accept connections from SSLv3 clients, set the supportSSLV3Only attribute in server.conf to true. By default, this setting is false. This information comes from Secure Access to your Splunk Server in the Admin Manual.
In order to completely disable SSLv2 on the Splunk WebUI you must modify two files. Making the change in only the /opt/splunk/etc/system/default/server.conf does not disable SSLv2. You must also make the same 'supportSSLV3Only = true' edit to the /opt/splunk/etc/system/default/web.conf file. We continued to see the SSLv2 vulnerability until we made the change to both the server.conf AND web.conf files.
Never make changes to the files in default! Always make changes to the equivalent file in the local space, in this case /opt/splunk/etc/system/server.conf and web.conf. Making changes in default may be overridden when Splunk is upgraded. See http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Howtoeditaconfigurationfile
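The two settings above, applied the way the preceding answers recommend (to the files under etc/system/local, never to the copies under etc/system/default), as an added example that is not part of this thread or of Splunk's own tooling. The script writes `supportSSLV3Only = true` into the `[sslConfig]` stanza of server.conf and the `[settings]` stanza of web.conf, replacing any existing value of that key in the stanza and leaving other keys alone, then reads the values back. The stanza names, the `/opt/splunk` default for `SPLUNK_HOME`, and the `check_sslv2` verification step (which relies on an OpenSSL build that still ships the `-ssl2` option of `s_client`; current builds have removed SSLv2 entirely, so there the scanner's report remains the reference) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): force SSLv3-only on splunkd (port 8089)
# and on Splunk Web by editing the *local* server.conf and web.conf.
# Assumed: supportSSLV3Only lives in [sslConfig] (server.conf) and [settings]
# (web.conf); SPLUNK_HOME defaults to /opt/splunk.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Print the value of key $3 inside stanza $2 of conf file $1 (empty if unset).
conf_get() {
    [ -f "$1" ] || return 0
    awk -v s="[$2]" -v k="$3" '
        /^\[/ { in_s = ($0 == s); next }
        in_s && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val); print val
            }
        }
    ' "$1"
}

# Set "supportSSLV3Only = true" in stanza $2 of local conf file $1.
# Creates the file/stanza if missing; drops any older value of the key
# inside that stanza so the file never carries two conflicting lines.
set_ssl3_only() {
    file="$1"; stanza="$2"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -q "^\[$stanza]\$" "$file"; then
        awk -v s="[$stanza]" '
            /^\[/ { in_s = ($0 == s); print
                    if (in_s) print "supportSSLV3Only = true"; next }
            in_s && /^[ \t]*supportSSLV3Only[ \t]*=/ { next }   # old value
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        if [ -s "$file" ]; then printf '\n' >> "$file"; fi
        printf '[%s]\nsupportSSLV3Only = true\n' "$stanza" >> "$file"
    fi
}

# Apply both edits under $SPLUNK_HOME/etc/system/local (the "local space").
harden_splunk_ssl() {
    local_dir="$SPLUNK_HOME/etc/system/local"
    set_ssl3_only "$local_dir/server.conf" sslConfig   # splunkd / port 8089
    set_ssl3_only "$local_dir/web.conf"    settings    # Splunk Web
}

# Verification after "splunk restart": an SSLv2-only handshake against the
# management port must now fail.  Exit status 0 means SSLv2 was still accepted.
# Requires an OpenSSL build that still has the -ssl2 option (assumption).
check_sslv2() {
    host="${1:-localhost}"; port="${2:-8089}"
    if openssl s_client -ssl2 -connect "$host:$port" </dev/null >/dev/null 2>&1; then
        echo "SSLv2 STILL ACCEPTED on $host:$port"; return 1
    fi
    echo "SSLv2 rejected on $host:$port"
}

# Only touch the real installation when invoked as: sh hardening.sh apply
if [ "${1:-}" = "apply" ]; then
    harden_splunk_ssl
    echo "server.conf supportSSLV3Only = $(conf_get "$SPLUNK_HOME/etc/system/local/server.conf" sslConfig supportSSLV3Only)"
    echo "web.conf    supportSSLV3Only = $(conf_get "$SPLUNK_HOME/etc/system/local/web.conf" settings supportSSLV3Only)"
fi
```

Run it as root on the Splunk host with `apply`, then restart splunkd (`$SPLUNK_HOME/bin/splunk restart`) so the new settings are read; only after the restart does `check_sslv2` or a re-run of the vulnerability scanner reflect the change. Keeping the edit in etc/system/local is what makes it survive an upgrade, which is the point of the preceding comment.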
Is it only necessary to set 'supportSSLV3Only = true' in web.conf if enableSplunkWebSSL is also set to "true"? We do not currently have enableSplunkWebSSL defined so, based on the documentation, it appears enableSplunkWebSSL is "false" by default.