Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- How to remediate when running testssl.sh against S...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran the testssl.sh tool against my Splunk server and it came back saying that I was vulnerable to "Secure Client-Initiated Renegotiation", a DoS threat. I can't find anything on how to remediate this.
Splunk Version 6.5.3
Splunk Build 36937ad027d4
Red Hat Enterprise Linux Server release 6.8 (Santiago)
openssl098e-0.9.8e-20.el6_7.1.x86_64
Here's my web.conf:
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
serverCert = /opt/splunk/etc/auth/mycerts/splunk.pem
sslVersions = tls1.1, tls1.2
cipherSuite = ALL:!ADH:!NULL:!RC4:!3DES:!ANON
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi xavierashe,
Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;
allowSslRenegotiation = false
Remember to restart Splunk web;
$SPLUNK_HOME/bin/splunk restart splunkweb
According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi xavierashe,
Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;
allowSslRenegotiation = false
Remember to restart Splunk web;
$SPLUNK_HOME/bin/splunk restart splunkweb
According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi xavierashe,
Not sure if this is helpful or not, but a quick google check on this testssl.sh script showed a known bug which reports fault positives generated by Secure Client-Initiated Renegotiation https://github.com/drwetter/testssl.sh/issues/234 also another quick google about Secure Client-Initiated Renegotiation itself returned this page https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/ where you can find commands to test if there is a real problem or not.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Following that second link, I ran the test it suggested and it looks like Secure Renegotiation is supported.
---
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = [REDACTED], CN = [REDACTED]
verify return:1
depth=0 C = US, ST = [REDACTED], L = [REDACTED], O = [REDACTED], CN = [REDACTED]
verify return:1
read:errno=0
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
