Enable TLS1.2 for splunk 6.5.3

asharmaeqfx · ‎06-01-2020

Hi Splunkers,

I am receiving a vulnerability on all my splunk servers saying that

Issue
The PCI Data Security Standard requires a minimum of TLS v1.1 and recommends TLS v1.2. In addition, FIPS 140-2 standard requires a minimum of TLS v1.1 and recommends TLS v1.2.

Resolution
Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers for ports 2222 and 443

I tried looking into some files within splunk like outputs.conf, inputs.conf, server.conf etc
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/AboutTLSencryptionandciphersuites

I am unsure which files needs to be changed and is it the same process on indexes, deployment server, forwarders and search heads.

Could you please suggest?

Note: I tried changing the server.conf file on the search heads and restarted the splunk processes but it did not helped. I added the below line
sslVersions = tls1.2

and tested it via the below command but i see still its running tlsv1
openssl s_client -connect xxxxx002:443 -tls1

Thanks,
Amit

harsmarvania57 · ‎06-02-2020

Hi,

I'll suggest you to upgrade from Splunk 6.5.3 to 7.3.x or 8.0.x version. Splunk 6.5.x is out of support now. Have a look at Network port diagram https://docs.splunk.com/Documentation/Splunk/8.0.4/InheritedDeployment/Ports and accordingly you need to change ssl config in different conf files.

In general

For port 8000 - web.conf
For port 9997 - inputs.conf
For port 8089 - server.conf

Enable TLS1.2 for splunk 6.5.3

encryption

SSL

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?