Security

How to remediate when running testssl.sh against Splunk server reveals vulnerability to "Secure Client-Initiated Renegotiation"?

xavierashe
Contributor

I ran the testssl.sh tool against my Splunk server and it came back saying that I was vulnerable to "Secure Client-Initiated Renegotiation", a DoS threat. I can't find anything on how to remediate this.

Splunk Version 6.5.3
Splunk Build 36937ad027d4
Red Hat Enterprise Linux Server release 6.8 (Santiago)
openssl098e-0.9.8e-20.el6_7.1.x86_64

Here's my web.conf:

enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
serverCert = /opt/splunk/etc/auth/mycerts/splunk.pem
sslVersions = tls1.1, tls1.2
cipherSuite = ALL:!ADH:!NULL:!RC4:!3DES:!ANON
0 Karma
1 Solution

mvillene
Explorer

Hi xavierashe,

Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;

allowSslRenegotiation = false

Remember to restart Splunk web;

$SPLUNK_HOME/bin/splunk restart splunkweb

According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.

View solution in original post

mvillene
Explorer

Hi xavierashe,

Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;

allowSslRenegotiation = false

Remember to restart Splunk web;

$SPLUNK_HOME/bin/splunk restart splunkweb

According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.

MuS
SplunkTrust
SplunkTrust

Hi xavierashe,

Not sure if this is helpful or not, but a quick google check on this testssl.sh script showed a known bug which reports fault positives generated by Secure Client-Initiated Renegotiation https://github.com/drwetter/testssl.sh/issues/234 also another quick google about Secure Client-Initiated Renegotiation itself returned this page https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/ where you can find commands to test if there is a real problem or not.

cheers, MuS

0 Karma

xavierashe
Contributor

Following that second link, I ran the test it suggested and it looks like Secure Renegotiation is supported.

---
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = [REDACTED], CN = [REDACTED]
verify return:1
depth=0 C = US, ST = [REDACTED], L = [REDACTED], O = [REDACTED], CN = [REDACTED]
verify return:1
read:errno=0
0 Karma
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...