Security

SSL anonymous ciphers supported

damucka
Builder

Hello,

We are using the Tenable Infrastructure Vulnerability scanner to scan regularly our complete infrastructure. Tenable reports following findings for the Splunk Server Ports:

https://www.tenable.com/plugins/nessus/31705 SSL Anonymous Cipher Suites Supported

Please find below the plugin output:

The following is a list of SSL anonymous ciphers supported by the remote TCP server :

  High Strength Ciphers (>= 112-bit key)

    Name                          Code             KEX           Auth     Encryption             MAC

    ----------------------        ----------       ---           ----     ---------------------  ---

    AECDH-AES128-SHA              0xC0, 0x18       ECDH          None     AES-CBC(128)           SHA1

    AECDH-AES256-SHA              0xC0, 0x19       ECDH          None     AES-CBC(256)           SHA1

The fields above are :

  {Tenable ciphername}

  {Cipher ID code}

  Kex={key exchange}

  Auth={authentication}

  Encrypt={symmetric encryption method}

  MAC={message authentication code}

  {export flag}

 

Could you please advise how to adjust the SSL Splunk configuration to fix this issue? Can this be fixed by setting certain value to cipherSuite in server.conf?

The above issue is reported for the ports (2)8191 and (2)8089. 

Our server.conf (local) looks as follows:

[kvstore]
port = 28191

[license]
master_uri = https://splunk-license.xxx.corp:443

# Workaround to overcome the connection issues to the license server

[sslConfig]
# To address Vulnerability Scan:
# https://serverfault.com/questions/1034107/how-to-configure-ssl-certificates-for-splunk-on-port-8089
sslVersions = tls1.2
sslVersionsForClient = *,-ssl2
enableSplunkdSSL = true
serverCert = /etc/apache2/splunk.pem

# Workaround to overcome the connection issues to the license server
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

# To address Vulnerability Scan:
# https://community.splunk.com/t5/Archive/Splunk-shows-vulnerable-to-CVE-2012-4929-in-my-Nessus/m-p/29...
allowSslCompression = false
useClientSSLCompression = false
useSplunkdClientSSLCompression = false


sslPassword = xxx

[general]
pass4SymmKey = xxx
trustedIP = 127.0.0.1

 

The cipherSuite in server.conf (default) looks as follows:

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

 

Could you please advice?

Kind regards,

Kamil

Labels (1)
1 Solution

damucka
Builder

The solution is:

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:!aNULL:@STRENGTH

View solution in original post

damucka
Builder

The solution is:

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:!aNULL:@STRENGTH
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...