I ran the testssl.sh tool against my Splunk server and it came back saying that I was vulnerable to "Secure Client-Initiated Renegotiation", a DoS threat. I can't find anything on how to remediate this.
Splunk Version 6.5.3
Splunk Build 36937ad027d4
Red Hat Enterprise Linux Server release 6.8 (Santiago)
Here's my web.conf:
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
serverCert = /opt/splunk/etc/auth/mycerts/splunk.pem
sslVersions = tls1.1, tls1.2
cipherSuite = ALL:!ADH:!NULL:!RC4:!3DES:!ANON
Not sure if this is helpful or not, but a quick Google check on this testssl.sh script showed a known bug which reports false positives generated by Secure Client-Initiated Renegotiation: https://github.com/drwetter/testssl.sh/issues/234
Also, another quick Google search about Secure Client-Initiated Renegotiation itself returned this page, where you can find commands to test if there is a real problem or not: https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/
Following that second link, I ran the test it suggested and it looks like Secure Renegotiation is supported.
---
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = [REDACTED], CN = [REDACTED]
verify return:1
depth=0 C = US, ST = [REDACTED], L = [REDACTED], O = [REDACTED], CN = [REDACTED]
verify return:1
read:errno=0
Not sure if you got the solution to this or not, but you can disable client renegotiation in the web.conf file by using:
allowSslRenegotiation = false
Remember to restart Splunk Web:
$SPLUNK_HOME/bin/splunk restart splunkweb
According to the docs, this setting is set to true by default. Testing this now, I no longer get the vulnerable message in testssl.sh, and my manual testing also shows the same.
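
A way to confirm the setting from the last answer is actually in effect across layered web.conf files, as an added example that is not part of the original posts or Splunk's own tooling. It assumes the setting lives in the [settings] stanza of web.conf; the function names, the sample files and the accepted spellings of "false" are assumptions.

```shell
#!/bin/sh
# Added example, not Splunk code: report the effective allowSslRenegotiation
# value from web.conf files given lowest precedence first (later files win).

effective_renegotiation() {
    awk '
        BEGIN { val = "true" }        # unset means true, the default cited above
        FNR == 1 { stanza = "" }      # stanza context resets for every file
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim the line
        /^#/ || /^$/ { next }         # skip comments and blank lines
        /^\[.*\]$/ { stanza = substr($0, 2, length($0) - 2); next }
        stanza == "settings" {
            eq = index($0, "=")       # split on the first "=" only
            if (eq == 0) next
            key = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", v)
            if (key == "allowSslRenegotiation") val = tolower(v)
        }
        END {
            # Assumed spellings of a disabled boolean; anything else counts as enabled.
            off = (val == "false" || val == "0" || val == "f" || val == "no")
            print (off ? "false" : "true")
        }
    ' "$@"
}

audit_web_conf() {
    if [ "$(effective_renegotiation "$@")" = "false" ]; then
        echo "PASS: client-initiated renegotiation is disabled"
    else
        echo "FINDING: allowSslRenegotiation is true or unset; set it to false in [settings]"
        return 1
    fi
}

# Constructed sample files (not taken from a real server).
demo_dir=$(mktemp -d)
printf '[settings]\nenableSplunkWebSSL = 1\nsslVersions = tls1.1, tls1.2\n' > "$demo_dir/before.conf"
printf '[settings]\n# hardened\nallowSslRenegotiation = false\n' > "$demo_dir/after.conf"
audit_web_conf "$demo_dir/before.conf" || true                       # FINDING
audit_web_conf "$demo_dir/before.conf" "$demo_dir/after.conf" || true # PASS
```

With no file arguments the function reads standard input, so on a live host the merged configuration from `splunk cmd btool web list settings` can be piped into it (without `--debug`, which prefixes each line with a file path).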