Security

SSL anonymous ciphers supported

damucka
Builder

Hello,

We are using the Tenable Infrastructure Vulnerability scanner to scan regularly our complete infrastructure. Tenable reports following findings for the Splunk Server Ports:

https://www.tenable.com/plugins/nessus/31705 SSL Anonymous Cipher Suites Supported

Please find below the plugin output:

The following is a list of SSL anonymous ciphers supported by the remote TCP server :

  High Strength Ciphers (>= 112-bit key)

    Name                          Code             KEX           Auth     Encryption             MAC

    ----------------------        ----------       ---           ----     ---------------------  ---

    AECDH-AES128-SHA              0xC0, 0x18       ECDH          None     AES-CBC(128)           SHA1

    AECDH-AES256-SHA              0xC0, 0x19       ECDH          None     AES-CBC(256)           SHA1

The fields above are :

  {Tenable ciphername}

  {Cipher ID code}

  Kex={key exchange}

  Auth={authentication}

  Encrypt={symmetric encryption method}

  MAC={message authentication code}

  {export flag}

 

Could you please advise how to adjust the SSL Splunk configuration to fix this issue? Can this be fixed by setting certain value to cipherSuite in server.conf?

The above issue is reported for the ports (2)8191 and (2)8089. 

Our server.conf (local) looks as follows:

[kvstore]
port = 28191

[license]
master_uri = https://splunk-license.xxx.corp:443

# Workaround to overcome the connection issues to the license server

[sslConfig]
# To address Vulnerability Scan:
# https://serverfault.com/questions/1034107/how-to-configure-ssl-certificates-for-splunk-on-port-8089
sslVersions = tls1.2
sslVersionsForClient = *,-ssl2
enableSplunkdSSL = true
serverCert = /etc/apache2/splunk.pem

# Workaround to overcome the connection issues to the license server
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

# To address Vulnerability Scan:
# https://community.splunk.com/t5/Archive/Splunk-shows-vulnerable-to-CVE-2012-4929-in-my-Nessus/m-p/29...
allowSslCompression = false
useClientSSLCompression = false
useSplunkdClientSSLCompression = false


sslPassword = xxx

[general]
pass4SymmKey = xxx
trustedIP = 127.0.0.1

 

The cipherSuite in server.conf (default) looks as follows:

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

 

Could you please advice?

Kind regards,

Kamil

Labels (1)
0 Karma
1 Solution

damucka
Builder

The solution is:

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:!aNULL:@STRENGTH

View solution in original post

0 Karma

damucka
Builder

The solution is:

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:!aNULL:@STRENGTH

View solution in original post

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!