Security

SSL anonymous ciphers supported

damucka
Builder

Hello,

We are using the Tenable Infrastructure Vulnerability scanner to scan regularly our complete infrastructure. Tenable reports following findings for the Splunk Server Ports:

https://www.tenable.com/plugins/nessus/31705 SSL Anonymous Cipher Suites Supported

Please find below the plugin output:

The following is a list of SSL anonymous ciphers supported by the remote TCP server :

  High Strength Ciphers (>= 112-bit key)

    Name                          Code             KEX           Auth     Encryption             MAC

    ----------------------        ----------       ---           ----     ---------------------  ---

    AECDH-AES128-SHA              0xC0, 0x18       ECDH          None     AES-CBC(128)           SHA1

    AECDH-AES256-SHA              0xC0, 0x19       ECDH          None     AES-CBC(256)           SHA1

The fields above are :

  {Tenable ciphername}

  {Cipher ID code}

  Kex={key exchange}

  Auth={authentication}

  Encrypt={symmetric encryption method}

  MAC={message authentication code}

  {export flag}

 

Could you please advise how to adjust the SSL Splunk configuration to fix this issue? Can this be fixed by setting certain value to cipherSuite in server.conf?

The above issue is reported for the ports (2)8191 and (2)8089. 

Our server.conf (local) looks as follows:

[kvstore]
port = 28191

[license]
master_uri = https://splunk-license.xxx.corp:443

# Workaround to overcome the connection issues to the license server

[sslConfig]
# To address Vulnerability Scan:
# https://serverfault.com/questions/1034107/how-to-configure-ssl-certificates-for-splunk-on-port-8089
sslVersions = tls1.2
sslVersionsForClient = *,-ssl2
enableSplunkdSSL = true
serverCert = /etc/apache2/splunk.pem

# Workaround to overcome the connection issues to the license server
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

# To address Vulnerability Scan:
# https://community.splunk.com/t5/Archive/Splunk-shows-vulnerable-to-CVE-2012-4929-in-my-Nessus/m-p/29...
allowSslCompression = false
useClientSSLCompression = false
useSplunkdClientSSLCompression = false


sslPassword = xxx

[general]
pass4SymmKey = xxx
trustedIP = 127.0.0.1

 

The cipherSuite in server.conf (default) looks as follows:

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

 

Could you please advice?

Kind regards,

Kamil

Labels (1)
1 Solution

damucka
Builder

The solution is:

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:!aNULL:@STRENGTH

View solution in original post

damucka
Builder

The solution is:

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:!aNULL:@STRENGTH
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...