Solved: Security audit finds ssl v2

ben_leung · ‎07-10-2014

openssl s_client -connect xx.xxx.xx.xx:9998 -ssl2

Added stanzas to indexer: 
path: etc/system/local/web.conf 
supportSSLV3Only = true 
path: etc/system/local/server.conf 
supportSSLV3Only = true

What else do I need to stop the use of SSL version 2?

jtacy · ‎07-10-2014

You can also use supportSSLV3Only in your inputs.conf in the [SSL] stanza. Maybe go ahead and set some more secure ciphers while you're at it, something like:

[SSL] supportSSLV3Only = true cipherSuite = HIGH

However, keep in mind that if you're allowing connections from untrusted networks, you'll probably want to use forwarder to indexer authentication to protect your forwarders from connecting to a rogue indexer. There's pretty good information about how to do this in the About securing data from forwarders section of the documentation but it could add a lot of complexity to your environment. Good luck!

View solution in original post

jtacy · ‎07-10-2014

You can also use supportSSLV3Only in your inputs.conf in the [SSL] stanza. Maybe go ahead and set some more secure ciphers while you're at it, something like:

[SSL] supportSSLV3Only = true cipherSuite = HIGH

However, keep in mind that if you're allowing connections from untrusted networks, you'll probably want to use forwarder to indexer authentication to protect your forwarders from connecting to a rogue indexer. There's pretty good information about how to do this in the About securing data from forwarders section of the documentation but it could add a lot of complexity to your environment. Good luck!

ben_leung · ‎07-10-2014

By the way, there is no handshake established when port 8089 is chosen, but I am trying to disable ssl v2 on a listening port for this indexer.

Security audit finds ssl v2

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!