Solved: What version of SSL does splunkd use?

Mick · ‎02-21-2012

We have Splunk 4.2.3 installed on some Linux hardened servers. Our Security team recently ran some scans and expressed concern regarding SSL on port 8089. After researching we determined that this port is used for Splunk deployment communication.

It seems that their concern is that the SSL version is too low. They would like to see at least version v3TL1.

I'm not very familiar with SSL. Could you tell me what SSL version Splunk uses? Is it possible to upgrade? What version of SSL does 4.3 use?

Thanks,

ChrisG · ‎02-21-2012

Splunk 4.3 uses OpenSSL version 0.9.8r (http://docs.splunk.com/Documentation/Splunk/4.3/ReleaseNotes/OpenSSL). OpenSSL implements SSL v2/v3 and TLS v1 (http://www.openssl.org/ ).

View solution in original post

kenshuff · ‎04-16-2013

Is it only necessary to set 'supportSSLV3Only = true' in web.conf if enableSplunkWebSSL is also set to "true"? We do not currently have enableSplunkWebSSL defined so, based on the documentation, it appears enableSplunkWebSSL is "false" by default.

smixsonfujitsu · ‎04-12-2013

In order to completely disable SSLv2 on the Splunk WebUI you must modify two files. Making the change in only the /opt/splunk/etc/system/default/server.conf does not disable SSLv2. You must also make the same 'supportSSLV3Only = true' edit to the /opt/splunk/etc/system/default/web.conf file. We continued to see the SSLv2 vulnerability until we made the change to the server.conf AND web.conf file.

ckurtz · ‎01-27-2014

Never make changes to the files in default! Always make changes to the equivalent file in the local space, in this case /opt/splunk/etc/system/server.conf and web.conf. Making changes in default may be overridden when Splunk is upgraded. See http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Howtoeditaconfigurationfile

ChrisG · ‎02-24-2012

Yes, you can. To disable SSLv2 and tell the HTTP server to only accept connections from SSLv3 clients, set the supportSSLV3Only attribute in server.conf to true. By default, this setting is false. This information comes from Secure Access to your Splunk Server in the Admin Manual.

mikelanghorst · ‎02-21-2012

Not sure what V3TL1 is. Looking at their OpenSSL's tarball repository, while 0.9.8r is a year old there's only 2 later versions of 0.9.8 available, and a couple 1.0.0 releases.

Are you sure it's OpenSSL versions, rather than supported/allowed cipher suites?

ChrisG · ‎02-21-2012

Splunk 4.3 uses OpenSSL version 0.9.8r (http://docs.splunk.com/Documentation/Splunk/4.3/ReleaseNotes/OpenSSL). OpenSSL implements SSL v2/v3 and TLS v1 (http://www.openssl.org/ ).

kenshuff · ‎02-24-2012

After further discussions it seems that the issue is that the security scan found the deployment port to be using SSL version 2. Is there a way to control what version of SSL is used? Can we make a parameter change to force SSL version 3 to be used? Thanks.

What version of SSL does splunkd use?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM