Security

How to remediate when running testssl.sh against Splunk server reveals vulnerability to "Secure Client-Initiated Renegotiation"?

xavierashe
Contributor

I ran the testssl.sh tool against my Splunk server and it came back saying that I was vulnerable to "Secure Client-Initiated Renegotiation", a DoS threat. I can't find anything on how to remediate this.

Splunk Version 6.5.3
Splunk Build 36937ad027d4
Red Hat Enterprise Linux Server release 6.8 (Santiago)
openssl098e-0.9.8e-20.el6_7.1.x86_64

Here's my web.conf:

enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
serverCert = /opt/splunk/etc/auth/mycerts/splunk.pem
sslVersions = tls1.1, tls1.2
cipherSuite = ALL:!ADH:!NULL:!RC4:!3DES:!ANON
0 Karma
1 Solution

mvillene
Explorer

Hi xavierashe,

Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;

allowSslRenegotiation = false

Remember to restart Splunk web;

$SPLUNK_HOME/bin/splunk restart splunkweb

According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.

View solution in original post

mvillene
Explorer

Hi xavierashe,

Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;

allowSslRenegotiation = false

Remember to restart Splunk web;

$SPLUNK_HOME/bin/splunk restart splunkweb

According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.

MuS
Legend

Hi xavierashe,

Not sure if this is helpful or not, but a quick google check on this testssl.sh script showed a known bug which reports fault positives generated by Secure Client-Initiated Renegotiation https://github.com/drwetter/testssl.sh/issues/234 also another quick google about Secure Client-Initiated Renegotiation itself returned this page https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/ where you can find commands to test if there is a real problem or not.

cheers, MuS

0 Karma

xavierashe
Contributor

Following that second link, I ran the test it suggested and it looks like Secure Renegotiation is supported.

---
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = [REDACTED], CN = [REDACTED]
verify return:1
depth=0 C = US, ST = [REDACTED], L = [REDACTED], O = [REDACTED], CN = [REDACTED]
verify return:1
read:errno=0
0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...