Splunk Search

What version of SSL does splunkd use?

Mick
Splunk Employee
Splunk Employee

We have Splunk 4.2.3 installed on some Linux hardened servers. Our Security team recently ran some scans and expressed concern regarding SSL on port 8089. After researching we determined that this port is used for Splunk deployment communication.

It seems that their concern is that the SSL version is too low. They would like to see at least version v3TL1.

I'm not very familiar with SSL. Could you tell me what SSL version Splunk uses? Is it possible to upgrade? What version of SSL does 4.3 use?

Thanks,

Tags (1)
1 Solution

ChrisG
Splunk Employee
Splunk Employee

Splunk 4.3 uses OpenSSL version 0.9.8r (http://docs.splunk.com/Documentation/Splunk/4.3/ReleaseNotes/OpenSSL). OpenSSL implements SSL v2/v3 and TLS v1 (http://www.openssl.org/ ).

View solution in original post

kenshuff
New Member

Is it only necessary to set 'supportSSLV3Only = true' in web.conf if enableSplunkWebSSL is also set to "true"? We do not currently have enableSplunkWebSSL defined so, based on the documentation, it appears enableSplunkWebSSL is "false" by default.

0 Karma

smixsonfujitsu
Engager

In order to completely disable SSLv2 on the Splunk WebUI you must modify two files. Making the change in only the /opt/splunk/etc/system/default/server.conf does not disable SSLv2. You must also make the same 'supportSSLV3Only = true' edit to the /opt/splunk/etc/system/default/web.conf file. We continued to see the SSLv2 vulnerability until we made the change to the server.conf AND web.conf file.

ckurtz
Path Finder

Never make changes to the files in default! Always make changes to the equivalent file in the local space, in this case /opt/splunk/etc/system/server.conf and web.conf. Making changes in default may be overridden when Splunk is upgraded. See http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Howtoeditaconfigurationfile

ChrisG
Splunk Employee
Splunk Employee

Yes, you can. To disable SSLv2 and tell the HTTP server to only accept connections from SSLv3 clients, set the supportSSLV3Only attribute in server.conf to true. By default, this setting is false. This information comes from Secure Access to your Splunk Server in the Admin Manual.

mikelanghorst
Motivator

Not sure what V3TL1 is. Looking at their OpenSSL's tarball repository, while 0.9.8r is a year old there's only 2 later versions of 0.9.8 available, and a couple 1.0.0 releases.

Are you sure it's OpenSSL versions, rather than supported/allowed cipher suites?

0 Karma

ChrisG
Splunk Employee
Splunk Employee

Splunk 4.3 uses OpenSSL version 0.9.8r (http://docs.splunk.com/Documentation/Splunk/4.3/ReleaseNotes/OpenSSL). OpenSSL implements SSL v2/v3 and TLS v1 (http://www.openssl.org/ ).

View solution in original post

kenshuff
New Member

After further discussions it seems that the issue is that the security scan found the deployment port to be using SSL version 2. Is there a way to control what version of SSL is used? Can we make a parameter change to force SSL version 3 to be used? Thanks.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!