
Enabling sslv3 in server.conf with remote Splunk agents

lisaac
Path Finder

I have to update the local file server.conf to allow only sslv3 on an indexer (4.1.3) due to a recent audit. There are 150+ Windows Splunk agents (4.0.9) reporting to this indexer. Do the Splunk Agents need to be updated at the same time as the indexer? I believe the answer is no, but I wanted to verify.

File server.conf:

[sslConfig]
# By default, allow both v2 and v3 connections to the HTTP server
supportSSLV3Only = True

This change should force the remote Splunk agents to only use ssl v3. I was hoping to just make the change on the indexer, restart the indexer, and the agents will re-establish communication using ssl v3.


trross33
Path Finder

I am looking for an answer to this question as well. I am assuming our vulnerability assessments are scanning the management port opened by default on all the universal forwarders. I assume they are to blame for the sslv2 vuln assessment finding on all the machines running a universal forwarder.

dwaddle
SplunkTrust

Based on the workings of the SSL protocol itself, this should work without changing the agent config at all. Basically, the SSL client (the forwarder) connects, and says "I can use SSL2, SSL3, and TLS 1.0" -- the server (the indexer) is then supposed to respond with the "highest common denominator" -- that is, the highest protocol level supported by both client and server. If you configure the indexer to only allow SSLV3, then they should negotiate to that.

You should be able to verify this is happening using Wireshark.
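The "highest common denominator" negotiation described in the answer above, as an added example that is not part of the original thread and not Splunk's own code. It reads the [sslConfig] stanza from the question, derives the version set the indexer would accept (an assumption for illustration: supportSSLV3Only = True means SSLv3 only, otherwise SSLv2 and SSLv3 as the stanza comment says), and computes what a forwarder offering SSLv2, SSLv3 and TLS 1.0 would end up negotiating. The probe_tls_version helper is a hypothetical check you can point at your own indexer's receiving port instead of reaching for Wireshark; it can only express the versions Python's ssl module knows, so SSLv2 is never probed and SSLv3 is reported as "not testable" on OpenSSL builds that have dropped it.

```python
"""Added example: model SSL/TLS version negotiation and probe a listener.

Not from the Splunk thread or Splunk's code base. Version sets attributed
to the indexer and the forwarder are assumptions made for illustration.
"""
import configparser
import socket
import ssl
from typing import Iterable, List, Optional

# Oldest to newest; the index in this list is the rank used to pick the
# highest version both sides support.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Assumption: what a 4.0.9 forwarder offers in its ClientHello, per dwaddle's
# description ("I can use SSL2, SSL3, and TLS 1.0").
FORWARDER_OFFERS = ["SSLv2", "SSLv3", "TLSv1.0"]


def negotiate(client_offers: Iterable[str], server_allows: Iterable[str]) -> Optional[str]:
    """Return the newest version in both sets, or None if there is no overlap."""
    common = set(client_offers) & set(server_allows)
    if not common:
        return None
    return max(common, key=VERSION_ORDER.index)


def indexer_allowed_versions(server_conf_text: str) -> List[str]:
    """Derive the indexer's accepted versions from a server.conf [sslConfig] stanza.

    Assumption: supportSSLV3Only = True restricts the listener to SSLv3; when
    the setting is absent or false the listener takes SSLv2 and SSLv3, which
    is the default the stanza comment describes.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(server_conf_text)
    only_v3 = cp.getboolean("sslConfig", "supportSSLV3Only", fallback=False)
    return ["SSLv3"] if only_v3 else ["SSLv2", "SSLv3"]


def forwarder_outcome(server_conf_text: str) -> Optional[str]:
    """Version an unchanged forwarder negotiates against this indexer config."""
    return negotiate(FORWARDER_OFFERS, indexer_allowed_versions(server_conf_text))


# Versions the ssl module can pin a handshake to; SSLv2 is not representable.
_PROBEABLE = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_version(host: str, port: int, version: str, timeout: float = 5.0) -> Optional[bool]:
    """Try a handshake pinned to exactly one version against host:port.

    Returns True if the listener accepted it, False if it refused, and None
    when this OpenSSL build cannot even offer that version (so the result
    says nothing about the server). Certificate checks are disabled because
    the question is which protocol is accepted, not who the peer is.
    """
    enum_version = _PROBEABLE.get(version)
    if enum_version is None:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = enum_version
        ctx.maximum_version = enum_version
    except ValueError:
        return None  # version compiled out of the local OpenSSL
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLError:
        return False  # handshake refused by the listener


if __name__ == "__main__":
    # Constructed stanza matching the one in the question.
    conf = "[sslConfig]\n# By default, allow both v2 and v3 connections\nsupportSSLV3Only = True\n"
    print("indexer allows:", indexer_allowed_versions(conf))
    print("forwarder negotiates:", forwarder_outcome(conf))
    # Live probe of your own indexer's receiving port (hypothetical host/port):
    # for v in _PROBEABLE: print(v, probe_tls_version("indexer.example", 9997, v))
```

Run the probe loop against your own indexer before and after the restart; a version that flips from True to False is one the listener no longer accepts, and None means the local OpenSSL could not offer it, so that row must be checked from a host with an older toolchain or with Wireshark as the answer suggests.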
