- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Re: How to remediate when running testssl.sh again...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran the testssl.sh tool against my Splunk server and it came back saying that I was vulnerable to "Secure Client-Initiated Renegotiation", a DoS threat. I can't find anything on how to remediate this.
Splunk Version 6.5.3
Splunk Build 36937ad027d4
Red Hat Enterprise Linux Server release 6.8 (Santiago)
openssl098e-0.9.8e-20.el6_7.1.x86_64
Here's my web.conf:
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
serverCert = /opt/splunk/etc/auth/mycerts/splunk.pem
sslVersions = tls1.1, tls1.2
cipherSuite = ALL:!ADH:!NULL:!RC4:!3DES:!ANON
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi xavierashe,
Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;
allowSslRenegotiation = false
Remember to restart Splunk web;
$SPLUNK_HOME/bin/splunk restart splunkweb
According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi xavierashe,
Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;
allowSslRenegotiation = false
Remember to restart Splunk web;
$SPLUNK_HOME/bin/splunk restart splunkweb
According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi xavierashe,
Not sure if this is helpful or not, but a quick google check on this testssl.sh script showed a known bug which reports fault positives generated by Secure Client-Initiated Renegotiation https://github.com/drwetter/testssl.sh/issues/234 also another quick google about Secure Client-Initiated Renegotiation itself returned this page https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/ where you can find commands to test if there is a real problem or not.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Following that second link, I ran the test it suggested and it looks like Secure Renegotiation is supported.
---
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = [REDACTED], CN = [REDACTED]
verify return:1
depth=0 C = US, ST = [REDACTED], L = [REDACTED], O = [REDACTED], CN = [REDACTED]
verify return:1
read:errno=0
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
