Force TLS 1.1+ for index replication


Our vulnerability scanner keeps hitting on SSLv3 on the port 8080 replication ports of our index cluster. I've added the following to server.conf:

sslVersion = tls, -tls1.0

Yet we are still getting hits for SSLv3 on the cluster nodes. Below is the full output of the btool server listing:

allowSslCompression = true
allowSslRenegotiation = true
caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
ecdhCurves = prime256v1, secp384r1, secp521r1
enableSplunkdSSL = true
sendStrictTransportSecurityHeader = false
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = XXXXXXXXXXX
sslVersions = tls, -tls1.0
sslVersionsForClient = tls1.2
useClientSSLCompression = true
useSplunkdClientSSLCompression = true

Labels (1)
Tags (3)
0 Karma


I had a similar issue, the problem is that port replication does NOT necessarily use tls by default (see the spec file).

You need to add this to your inputs.conf app on your indexer:

sslVersions = tls1.2

You can also add cipherSuite, serverCert, and sslPassword here.

sslVersions =

  • Comma-separated list of SSL versions to support.

  • The versions available are "ssl3", "tls1.0", "tls1.1", and "tls1.2".

  • The special version "*" selects all supported versions. The version "tls"
    selects all versions tls1.0 or newer.

  • If a version is prefixed with "-" it is removed from the list.

  • SSLv2 is always disabled; "-ssl2" is accepted in the version list but
    does nothing.

  • When configured in FIPS mode, ssl3 is always disabled regardless
    of this configuration.

  • Default: The default can vary (See the sslVersions setting in
    the $SPLUNK_HOME/etc/system/default/server.conf file for the current default)

0 Karma

Super Champion

There are 3 parts to fix the issue

=> Ensure you have Certificate settings in an app (eg . MY_cert_app)
=> Create a TLS client app (MY_tls_client_app). Put the setting like shown in link in inputs.conf . This app will then be deployed in all slaves

sslVersions = tls1.2
cipherSuite = TLSv1.2:!eNULL:!aNULL

=> Create a TLS server app (MY_tls_server_app). This app will then be deployed Cluster Master.
a. Put the setting like shown in link in server.conf .

sslVersions = tls1.2
cipherSuite = TLSv1.2:!eNULL:!aNULL
useClientSSLCompression = true
useSplunkdClientSSLCompression = true

b. Put contents in inputs.conf in your CLM

rootCA = $SPLUNK_HOME/etc/apps/MY_cert_app/bin/auth/rootCA.pem
serverCert = $SPLUNK_HOME/etc/apps/MY_cert_app/bin/auth/device.pem
password = my_pass
requireClientCert = false

=> Now create another app for CLM MY_clm_cluster_config like this and put in CLM. in server.conf

site= site0

#indexer clustering
mode = master 
pass4SymmKey = my_pass
cluster_label = my_idx_cluster1
multisite = true
replication_factor = 2
search_factor = 2
site_replication_factor = origin:1, total:2
site_search_factor = origin:1, total:2
available_sites = site1, site2

pass4SymmKey = my_pass
polling_rate = 300
0 Karma


@dyeo did this resolve your problem?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...