Security
Highlighted

How to remediate when running testssl.sh against Splunk server reveals vulnerability to "Secure Client-Initiated Renegotiation"?

Contributor

I ran the testssl.sh tool against my Splunk server and it came back saying that I was vulnerable to "Secure Client-Initiated Renegotiation", a DoS threat. I can't find anything on how to remediate this.

Splunk Version 6.5.3
Splunk Build 36937ad027d4
Red Hat Enterprise Linux Server release 6.8 (Santiago)
openssl098e-0.9.8e-20.el67.1.x8664

Here's my web.conf:

enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
serverCert = /opt/splunk/etc/auth/mycerts/splunk.pem
sslVersions = tls1.1, tls1.2
cipherSuite = ALL:!ADH:!NULL:!RC4:!3DES:!ANON
0 Karma
Highlighted

Re: How to remediate when running testssl.sh against Splunk server reveals vulnerability to "Secure Client-Initiated Renegotiation"?

SplunkTrust
SplunkTrust

Hi xavierashe,

Not sure if this is helpful or not, but a quick google check on this testssl.sh script showed a known bug which reports fault positives generated by Secure Client-Initiated Renegotiation https://github.com/drwetter/testssl.sh/issues/234 also another quick google about Secure Client-Initiated Renegotiation itself returned this page https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/ where you can find commands to test if there is a real problem or not.

cheers, MuS

0 Karma
Highlighted

Re: How to remediate when running testssl.sh against Splunk server reveals vulnerability to "Secure Client-Initiated Renegotiation"?

Contributor

Following that second link, I ran the test it suggested and it looks like Secure Renegotiation is supported.

---
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = [REDACTED], CN = [REDACTED]
verify return:1
depth=0 C = US, ST = [REDACTED], L = [REDACTED], O = [REDACTED], CN = [REDACTED]
verify return:1
read:errno=0
0 Karma
Highlighted

Re: How to remediate when running testssl.sh against Splunk server reveals vulnerability to "Secure Client-Initiated Renegotiation"?

Explorer

Hi xavierashe,

Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;

allowSslRenegotiation = false

Remember to restart Splunk web;

$SPLUNK_HOME/bin/splunk restart splunkweb

According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.

View solution in original post