Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remediate when running testssl.sh against Splunk server reveals vulnerability to "Secure Client-Initiated Renegotiation"?

xavierashe
Contributor
‎04-28-2017 10:10 AM

I ran the testssl.sh tool against my Splunk server and it came back saying that I was vulnerable to "Secure Client-Initiated Renegotiation", a DoS threat. I can't find anything on how to remediate this.

Splunk Version 6.5.3
Splunk Build 36937ad027d4
Red Hat Enterprise Linux Server release 6.8 (Santiago)
openssl098e-0.9.8e-20.el6_7.1.x86_64

Here's my web.conf:

enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
serverCert = /opt/splunk/etc/auth/mycerts/splunk.pem
sslVersions = tls1.1, tls1.2
cipherSuite = ALL:!ADH:!NULL:!RC4:!3DES:!ANON
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mvillene
Explorer
‎12-14-2017 07:50 AM

Hi xavierashe,

Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;

allowSslRenegotiation = false

Remember to restart Splunk web;

$SPLUNK_HOME/bin/splunk restart splunkweb

According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.

View solution in original post

Reply
Solved! Jump to solution
Solution

mvillene
Explorer
‎12-14-2017 07:50 AM

Hi xavierashe,

Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;

allowSslRenegotiation = false

Remember to restart Splunk web;

$SPLUNK_HOME/bin/splunk restart splunkweb

According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.

Reply
Solved! Jump to solution

MuS
Legend
‎04-30-2017 04:42 PM

Hi xavierashe,

Not sure if this is helpful or not, but a quick google check on this testssl.sh script showed a known bug which reports fault positives generated by Secure Client-Initiated Renegotiation https://github.com/drwetter/testssl.sh/issues/234 also another quick google about Secure Client-Initiated Renegotiation itself returned this page https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/ where you can find commands to test if there is a real problem or not.

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

xavierashe
Contributor
‎05-01-2017 05:32 AM

Following that second link, I ran the test it suggested and it looks like Secure Renegotiation is supported.

---
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = [REDACTED], CN = [REDACTED]
verify return:1
depth=0 C = US, ST = [REDACTED], L = [REDACTED], O = [REDACTED], CN = [REDACTED]
verify return:1
read:errno=0
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top