Security

SSL anonymous ciphers supported

damucka
Builder

Hello,

We are using the Tenable Infrastructure Vulnerability scanner to scan regularly our complete infrastructure. Tenable reports following findings for the Splunk Server Ports:

https://www.tenable.com/plugins/nessus/31705 SSL Anonymous Cipher Suites Supported

Please find below the plugin output:

The following is a list of SSL anonymous ciphers supported by the remote TCP server :

  High Strength Ciphers (>= 112-bit key)

    Name                          Code             KEX           Auth     Encryption             MAC

    ----------------------        ----------       ---           ----     ---------------------  ---

    AECDH-AES128-SHA              0xC0, 0x18       ECDH          None     AES-CBC(128)           SHA1

    AECDH-AES256-SHA              0xC0, 0x19       ECDH          None     AES-CBC(256)           SHA1

The fields above are :

  {Tenable ciphername}

  {Cipher ID code}

  Kex={key exchange}

  Auth={authentication}

  Encrypt={symmetric encryption method}

  MAC={message authentication code}

  {export flag}

 

Could you please advise how to adjust the SSL Splunk configuration to fix this issue? Can this be fixed by setting certain value to cipherSuite in server.conf?

The above issue is reported for the ports (2)8191 and (2)8089. 

Our server.conf (local) looks as follows:

[kvstore]
port = 28191

[license]
master_uri = https://splunk-license.xxx.corp:443

# Workaround to overcome the connection issues to the license server

[sslConfig]
# To address Vulnerability Scan:
# https://serverfault.com/questions/1034107/how-to-configure-ssl-certificates-for-splunk-on-port-8089
sslVersions = tls1.2
sslVersionsForClient = *,-ssl2
enableSplunkdSSL = true
serverCert = /etc/apache2/splunk.pem

# Workaround to overcome the connection issues to the license server
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

# To address Vulnerability Scan:
# https://community.splunk.com/t5/Archive/Splunk-shows-vulnerable-to-CVE-2012-4929-in-my-Nessus/m-p/29...
allowSslCompression = false
useClientSSLCompression = false
useSplunkdClientSSLCompression = false


sslPassword = xxx

[general]
pass4SymmKey = xxx
trustedIP = 127.0.0.1

 

The cipherSuite in server.conf (default) looks as follows:

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

 

Could you please advice?

Kind regards,

Kamil

Labels (1)
1 Solution

damucka
Builder

The solution is:

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:!aNULL:@STRENGTH

View solution in original post

damucka
Builder

The solution is:

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:!aNULL:@STRENGTH
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...