
Preparing your Splunk Environment for OpenSSL3

SplunkCommunity
Community Manager

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare for this change.

What’s changing?

OpenSSL version 3 is a significant upgrade from version 1. OpenSSL 3 introduces a new versioning scheme, significantly improved security features, and a new "Provider" concept for loading and managing implementations of cryptographic algorithms. It is generally not backward compatible, meaning applications written for OpenSSL 1 may need significant changes to work with version 3. The Splunk platform is upgrading to the latest version of OpenSSL 3 in a future release as part of continuously improving our security posture.

Splunk customers' environments will require a few changes before they can upgrade to the Splunk version that ships OpenSSL 3, including, but not limited to, the following:

  1. use TLS 1.2 only
  2. include the X509v3 Basic Constraints extension (CA:TRUE) in your CA certificates
  3. make sure all Splunk apps relying on OpenSSL 3 are compatible with Python 3.9 and Node.js 20 or higher (if they use those languages)
  4. prepare for FIPS 140-3 certification (FedRAMP and FISMA customers)

The following sections cover each of these criteria in more detail.

1. Use TLS 1.2 Only

With 9.4, Splunk Enterprise announced the deprecation of TLS 1.0 and 1.1. TLS 1.0 and 1.1 (and SSL 3.0 and lower) are outdated protocols that rely on weak and insecure ciphers (e.g., International Data Encryption Algorithm (IDEA), Data Encryption Standard (DES)) to establish secure connections. They were formally deprecated in RFC 8996 in March 2021. Additionally, the National Institute of Standards and Technology (NIST) formalized Special Publication 800-52 in 2014, which requires US government agencies to adopt TLS 1.2 and deprecate the use of TLS 1.1 and earlier. Lastly, OpenSSL 3 deprecates support for any TLS version older than 1.2. Removing support for TLS 1.1, TLS 1.0, and SSL 3 lays the foundation for Splunk and its customers to upgrade to TLS 1.3, another mandate for US PBST + EMEA customers.

Actions to take: Confirm that your Splunk environment is configured to use TLS 1.2 everywhere a TLS version can be specified. The key places to look are server.conf, web.conf, outputs.conf, and inputs.conf.
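
As an added example (not part of the original announcement or of Splunk's tooling), the following POSIX shell script evaluates every sslVersions and sslVersionsForClient setting found in the conf files you pass it and reports any that still enable a protocol other than TLS 1.2. The token grammar it implements (the names ssl3, tls1.0, tls1.1, tls1.2, the "*" and "tls" groups, and the "-" exclusion prefix) follows Splunk's server.conf.spec; the sample stanza at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Splunk post): audit Splunk sslVersions values
# for anything that still permits a protocol other than TLS 1.2.
# Token grammar follows server.conf.spec: names ssl3, tls1.0, tls1.1, tls1.2;
# '*' selects all; 'tls' selects tls1.0 and newer; a '-' prefix removes a
# name; ssl2 is always disabled, so '-ssl2' is accepted and ignored.

nl='
'

# tls12_only "<value>": exit 0 when only tls1.2 remains enabled, else 1.
tls12_only() {
    enabled=""
    rest=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t')
    while [ -n "$rest" ]; do
        tok=${rest%%,*}
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
        case "$tok" in
            '*')        enabled="ssl3${nl}tls1.0${nl}tls1.1${nl}tls1.2" ;;
            tls)        enabled="${enabled}${nl}tls1.0${nl}tls1.1${nl}tls1.2" ;;
            ssl2|-ssl2) ;;   # never enabled anyway
            -*)         enabled=$(printf '%s\n' "$enabled" | grep -vxF -- "${tok#-}" || true) ;;
            *)          enabled="${enabled}${nl}${tok}" ;;
        esac
    done
    # Deduplicate the surviving names; exactly one, tls1.2, must remain.
    remaining=$(printf '%s\n' "$enabled" | grep -v '^$' | sort -u | tr '\n' ',')
    [ "$remaining" = "tls1.2," ]
}

# audit_conf <file>...: print "<file>: <line>" for every sslVersions or
# sslVersionsForClient setting that is not TLS 1.2-only; silent when clean.
audit_conf() {
    for f in "$@"; do
        grep -iE '^[[:space:]]*sslVersions(ForClient)?[[:space:]]*=' "$f" 2>/dev/null |
        while IFS= read -r line; do
            tls12_only "${line#*=}" || printf '%s: %s\n' "$f" "$line"
        done
    done
}

# Constructed sample stanza (not a real deployment): one permissive setting,
# one strict one. Only the permissive line is reported.
sample=$(mktemp)
printf '[sslConfig]\nsslVersions = *,-ssl2\nsslVersionsForClient = tls1.2\n' > "$sample"
audit_conf "$sample"
rm -f "$sample"
```

Run it as `sh audit_tls.sh`, or call `audit_conf` on the real server.conf, web.conf, outputs.conf and inputs.conf under $SPLUNK_HOME/etc; a clean environment produces no output.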

2. Ensure CA certificates used in Splunk include the X509v3 extension

OpenSSL 3 requires that any CA certificate include the X509v3 Basic Constraints extension with CA:TRUE. Customers should ensure that every certificate used as a CA certificate in Splunk contains this extension.

Actions to take: Update or replace any CA certificate that does not include CA:TRUE in its X509v3 Basic Constraints extension.

3. Make sure apps are compatible with OpenSSL 3, Python 3.9, and Node.js 20 or higher

All apps installed in your Splunk environment must be compatible with OpenSSL 3. This means that any configuration in these apps that specifies a TLS version must specify TLS 1.2 only, and that apps that depend directly on the OpenSSL library must use it in a way that is compatible with OpenSSL 3 (e.g., deprecated APIs and cipher suites must not be used). Apps relying on OpenSSL 3 should also be compatible with Python 3.9 and Node.js 20 or higher (if they use those languages). While Splunk does not currently have an automated way to identify all such apps, we advise you to make sure that any development teams maintaining private apps built for your own internal use cases comply with this change.

4. Prep for FIPS 140-3 certification

Splunk maintains an active commitment to meeting the requirements of the FIPS 140 standard. Splunk Enterprise and the Universal Forwarder currently use an embedded FIPS 140-2 validated cryptographic module (certificate #4165), which can be activated on the Linux and Windows operating systems. The FIPS 140-3 standard was introduced in September 2019 and supersedes FIPS 140-2. As of September 2021, the Cryptographic Module Validation Program (CMVP) no longer accepts new FIPS 140-2 modules for validation. All FIPS 140-2 modules can remain active until September 21, 2026, after which they will be moved to the Historical List. This means that Splunk must obtain a FIPS 140-3 certification, which requires upgrading to OpenSSL 3. Learn more about the transition from FIPS 140-2 to 140-3 (NIST).

Actions to take: 

  • All FedRAMP (High/Moderate) Splunk Cloud customers and FISMA Splunk Enterprise customers that require a CMVP-validated FIPS module for their crypto library should ensure they are on a supported version of Splunk. All active and supported versions of Splunk are FIPS-certified. Customers should also watch and plan for the future Splunk releases in which our FIPS certification moves to FIPS 140-3.
  • The operating system on which you run Splunk Enterprise should also run in FIPS mode. For example, RHEL 8.x and Ubuntu 20.04 are FIPS 140-2 compliant operating systems, whereas RHEL 9.x and Ubuntu 22.04 only recently received FIPS 140-3 certification.
  • Any app running on Splunk that requires cryptographic operations should use only a FIPS-certified version of its crypto module (e.g., OpenSSL, BoringCrypto, BouncyCastle, etc.). Using the FIPS-certified crypto module that already ships with Splunk is the easiest option.

keithwdesantis
Explorer

Thank you for the info!

One question regarding this section:

"OpenSSL3 requires that any CA certificate must include the X509v3 Basic Constraints extension with CA: TRUE. Customers should ensure that any certificate used as a CA certificate in Splunk contains this extension."

Is there an openssl command you can use to verify whether a CA certificate file has the X509v3 Basic Constraint extension set to CA:TRUE? I've found some sources online about creating files with it but none that explain how to check if an existing file has the value set to TRUE.

Thank you!

cimino
Engager

Hi Splunk Team,

What are the impacts to the SplunkDB connect plugin with version 3.12.2 with the OpenSSL 3 migration? Is upgrading SplunkDB connect plugin to the latest version required with Splunk-Enterprise 9.4.0? What is the recommended version below 3.18.1 with OpenSSL 3 for SplunkDB connect?

Thank You! 

kuntald
Splunk Employee

@keithwdesantis : regarding your question: "Is there an openssl command you can use to verify whether a CA certificate file has the X509v3 Basic Constraint extension set to CA:TRUE?"

>> There are. The actual steps (including, but not limited to, SPLs) to perform these checks are coming soon to a blog/documentation near you. Here's something that you can try now. As usual, the experience may be different for each setup, and you may need to play with it a bit to get something usable:

  • Open a terminal: navigate to the directory where your CA certificate file is located.
  • Use the openssl command on each certificate in the CA file, or prepare a script to run on all certs:
  • Basic command: openssl x509 -text -noout -in <your_certificate_file>
  • Explanation:
    • openssl x509: invokes the OpenSSL X.509 certificate command.
    • -text: displays the certificate information in a human-readable text format.
    • -noout: only displays the certificate details, not the certificate itself.
    • -in <your_certificate_file>: specifies the path to your certificate file.
  • Look for the "Basic Constraints" extension: in the output, locate the line that says "Basic Constraints:"
    • $ grep -IR BASIC_CONSTRAINTS * | grep _st
    • include/openssl/x509v3.h:typedef struct BASIC_CONSTRAINTS_st {
  • Check the "CA" value: if the "CA" parameter within the "Basic Constraints" is set to "TRUE", then the certificate is considered a CA certificate.

Hope this helps
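
As an added example (not part of kuntald's reply, the announcement, or Splunk's tooling), the following POSIX shell script automates the check described above for a whole CA file: it splits a PEM bundle into individual certificates, runs openssl x509 -text -noout on each, and reports which ones lack a Basic Constraints extension with CA:TRUE. It assumes the openssl command-line tool is on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Splunk post): report, for every certificate in
# a PEM file or bundle, whether it carries an X509v3 Basic Constraints
# extension with CA:TRUE, which OpenSSL 3 requires of anything used as a CA.
# Parsing is done on the human-readable output of `openssl x509 -text`.

# ca_true_in_text: read `openssl x509 -text` output on stdin; exit 0 only if a
# Basic Constraints extension is present and its value line says CA:TRUE.
ca_true_in_text() {
    awk '/X509v3 Basic Constraints/ { if ((getline l) > 0 && l ~ /CA:TRUE/) found = 1 }
         END { exit found ? 0 : 1 }'
}

# cert_is_ca <pem-file>: apply the check to the first certificate in a file.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | ca_true_in_text
}

# check_bundle <pem-file>: split a bundle into single certificates and print
# one line per certificate: "OK <subject>" or "MISSING <subject>".
check_bundle() {
    dir=$(mktemp -d)
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", d, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }' "$1"
    for c in "$dir"/*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject 2>/dev/null)
        if cert_is_ca "$c"; then
            printf 'OK      %s\n' "$subj"
        else
            printf 'MISSING %s\n' "$subj"
        fi
    done
    rm -rf "$dir"
}

# Usage: sh check_ca_bundle.sh <ca-bundle.pem>
if [ "$#" -eq 1 ]; then
    check_bundle "$1"
fi
```

Any MISSING line names a certificate that OpenSSL 3 will refuse to treat as a CA, so it has to be reissued with basicConstraints = CA:TRUE before the upgrade; a leaf certificate that happens to sit in the bundle will also show as MISSING, which is expected.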

cnunez
Splunk Employee

@cimino Splunk DB Connect 4.0.0 has been tested in the Splunk environment with OpenSSL 3. It has passed all tests, so compatibility is guaranteed. Version 4 has not yet been released; however, older versions (>= 3.10.0) should also maintain compatibility. We recommend upgrading to the latest available version.

ncooley
New Member

Will OpenSSL 3 also be coming to the Splunk Universal Forwarder soon? Our vulnerability scanners are often throwing fits regarding the OpenSSL version in our forwarders, and it bothers our admins.
