Security

How to disable SSLv3 on port 8090

jim_mulder_CI
Explorer

So, we've got a vulnerability scan showing that SSLv3 is enabled on port 8090 on our Splunk 6.5.2 cluster (master, 2 indexers, 1 search head), and for the life of me, I can't figure out where to disable it. I've verified that splunkd is listening on TCP 8090 via netstat, but I can't find the .conf file where it is configured so I can set the sslVersions. The service on the port appears to be identical to port 8089, the mangement port.

Has anybody else seen this port open in their environment or figured out how to disable SSLv3 for this specific port?

Thanks, all.

0 Karma
1 Solution

jim_mulder_CI
Explorer

OK, finally tracked this one down. It turns out it wasn't a port on the server instance, but one on the forwarder instance (on the same machine). web.conf had the mgmtHostPort set, and adding an sslVersions = tls1.2 in server.conf solved the problem and I now have clean scans.

Thanks all for the help.

View solution in original post

0 Karma

jim_mulder_CI
Explorer

OK, finally tracked this one down. It turns out it wasn't a port on the server instance, but one on the forwarder instance (on the same machine). web.conf had the mgmtHostPort set, and adding an sslVersions = tls1.2 in server.conf solved the problem and I now have clean scans.

Thanks all for the help.

0 Karma

mwong
Splunk Employee
Splunk Employee

I think you can edit the server.conf and in the stanza [sslConfig] use -ssl3 , it will disable the SSLv3.

sslVersions = <versions_list>
* Comma-separated list of SSL versions to support for incoming connections.
* The versions available are "ssl3", "tls1.0", "tls1.1", and "tls1.2".
* The special version "*" selects all supported versions.  The version "tls"
  selects all versions tls1.0 or newer.
* If a version is prefixed with "-" it is removed from the list.
* SSLv2 is always disabled; "-ssl2" is accepted in the version list but does nothing.
* When configured in FIPS mode, ssl3 is always disabled regardless
  of this configuration.
* Defaults to "*,-ssl2" (anything newer than SSLv2).
0 Karma

jim_mulder_CI
Explorer

I've tried that. It doesn't. When first dealing with this, we found SSLv3 running on both the web interface and port 8090. Setting sslVersions in web.conf worked like a charm. Setting sslVersions in server.conf to either tls1.2 or tls1.2,-ssl3 has had no effect on SSLv3 on port 8090.

There's something else going on here.

0 Karma

somesoni2
Revered Legend

For what purpose the 8090 port is being used (it's not management port it seems)? Its is data receiving port OR replication port?

0 Karma

jim_mulder_CI
Explorer

Thanks, somesoni2.

It might be the replication port, though I don't remember setting it up as such. I've done a full-text search on the .conf files and can't find a reference to the port in any of them.

0 Karma
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...