Getting Data In

Running a vulnerability scan on my CentOS 6 Splunk forwarder, why am I getting "Deprecated SSLv2 and SSLv3 Protocol Detection: port 8089"?

terryjohn
Path Finder

I am running a Centos 6 machine with splunkforwarder-6.2.5 installed. When running a vulnerability scan using OpenVAS, it tells me that usage of SSLv2 and SSLv3 can be detected. The messages are

Deprecated SSLv2 and SSLv3 Protocol Detection: port 8089
  It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.

I have edited $SPLUNK_HOME/etc/system/local/inputs.conf

[SSL]
sslVersions = tls

I have also edited $SPLUNK_HOME/etc/system/local/web.conf

[settings]
enableSplunkWebSSL = 1
sslVersions = tls

After restarting the forwarder, another scan showed the same vulnerabilities.

I need to know if these are the right files to change to prevent the splunk forwarder from using any protocol less than TLSv1.0

1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

The settings you have chosen are for Splunk Web, not the management port (8089). You need to edit the server.conf.

server.conf

 [sslConfig]
 sslVersions = tls

The documentation is at http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf . The relevant portion is below.

[sslConfig]
* Set SSL for communications on Splunk back-end under this stanza name.
    * NOTE: To set SSL (eg HTTPS) for Splunk Web and the browser, use web.conf.
* Follow this stanza name with any number of the following attribute/value pairs.  
* If you do not specify an entry for each attribute, Splunk will use the default value.

sslVersions = <versions_list>
* Comma-separated list of SSL versions to support
* The versions available are "ssl2", "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "*" selects all supported versions.  The version "tls"
  selects all versions tls1.0 or newer
* If a version is prefixed with "-" it is removed from the list
* When configured in FIPS mode ssl2 and ssl3 are always disabled regardless of this configuration
* Defaults to "*,-ssl2".  (anything newer than SSLv2)

View solution in original post

alacercogitatus
SplunkTrust
SplunkTrust

The settings you have chosen are for Splunk Web, not the management port (8089). You need to edit the server.conf.

server.conf

 [sslConfig]
 sslVersions = tls

The documentation is at http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf . The relevant portion is below.

[sslConfig]
* Set SSL for communications on Splunk back-end under this stanza name.
    * NOTE: To set SSL (eg HTTPS) for Splunk Web and the browser, use web.conf.
* Follow this stanza name with any number of the following attribute/value pairs.  
* If you do not specify an entry for each attribute, Splunk will use the default value.

sslVersions = <versions_list>
* Comma-separated list of SSL versions to support
* The versions available are "ssl2", "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "*" selects all supported versions.  The version "tls"
  selects all versions tls1.0 or newer
* If a version is prefixed with "-" it is removed from the list
* When configured in FIPS mode ssl2 and ssl3 are always disabled regardless of this configuration
* Defaults to "*,-ssl2".  (anything newer than SSLv2)

terryjohn
Path Finder

This fixed it, thanks.

As an aside I realised a quicker way of testing it is to use the openssl connect

 openssl s_client -connect localhost:8089 -ssl2
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...