I ran the testssl.sh tool against my Splunk server and it came back saying that I was vulnerable to "Secure Client-Initiated Renegotiation", a DoS threat. I can't find anything on how to remediate this.
Splunk Version 6.5.3
Splunk Build 36937ad027d4
Red Hat Enterprise Linux Server release 6.8 (Santiago)
openssl098e-0.9.8e-20.el6_7.1.x86_64
Here's my web.conf:
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
serverCert = /opt/splunk/etc/auth/mycerts/splunk.pem
sslVersions = tls1.1, tls1.2
cipherSuite = ALL:!ADH:!NULL:!RC4:!3DES:!ANON
Hi xavierashe,
Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;
allowSslRenegotiation = false
Remember to restart Splunk web;
$SPLUNK_HOME/bin/splunk restart splunkweb
According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.
Hi xavierashe,
Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;
allowSslRenegotiation = false
Remember to restart Splunk web;
$SPLUNK_HOME/bin/splunk restart splunkweb
According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.
Hi xavierashe,
Not sure if this is helpful or not, but a quick google check on this testssl.sh
script showed a known bug which reports fault positives generated by Secure Client-Initiated Renegotiation https://github.com/drwetter/testssl.sh/issues/234 also another quick google about Secure Client-Initiated Renegotiation
itself returned this page https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/ where you can find commands to test if there is a real problem or not.
cheers, MuS
Following that second link, I ran the test it suggested and it looks like Secure Renegotiation is supported.
---
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = [REDACTED], CN = [REDACTED]
verify return:1
depth=0 C = US, ST = [REDACTED], L = [REDACTED], O = [REDACTED], CN = [REDACTED]
verify return:1
read:errno=0