Security

How to remediate when running testssl.sh against Splunk server reveals vulnerability to "Secure Client-Initiated Renegotiation"?

xavierashe
Contributor

I ran the testssl.sh tool against my Splunk server and it came back saying that I was vulnerable to "Secure Client-Initiated Renegotiation", a DoS threat. I can't find anything on how to remediate this.

Splunk Version 6.5.3
Splunk Build 36937ad027d4
Red Hat Enterprise Linux Server release 6.8 (Santiago)
openssl098e-0.9.8e-20.el6_7.1.x86_64

Here's my web.conf:

enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
serverCert = /opt/splunk/etc/auth/mycerts/splunk.pem
sslVersions = tls1.1, tls1.2
cipherSuite = ALL:!ADH:!NULL:!RC4:!3DES:!ANON
0 Karma
1 Solution

mvillene
Explorer

Hi xavierashe,

Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;

allowSslRenegotiation = false

Remember to restart Splunk web;

$SPLUNK_HOME/bin/splunk restart splunkweb

According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.

View solution in original post

mvillene
Explorer

Hi xavierashe,

Not sure if you got the solution to this or not but you can disable client renegotiation in the web.conf file by using;

allowSslRenegotiation = false

Remember to restart Splunk web;

$SPLUNK_HOME/bin/splunk restart splunkweb

According to the docs, this setting is set to true by default. Testing this now I no longer get the vulnerable message in testssl.sh and my manual testing also shows the same.

MuS
SplunkTrust
SplunkTrust

Hi xavierashe,

Not sure if this is helpful or not, but a quick google check on this testssl.sh script showed a known bug which reports fault positives generated by Secure Client-Initiated Renegotiation https://github.com/drwetter/testssl.sh/issues/234 also another quick google about Secure Client-Initiated Renegotiation itself returned this page https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/ where you can find commands to test if there is a real problem or not.

cheers, MuS

0 Karma

xavierashe
Contributor

Following that second link, I ran the test it suggested and it looks like Secure Renegotiation is supported.

---
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = [REDACTED], CN = [REDACTED]
verify return:1
depth=0 C = US, ST = [REDACTED], L = [REDACTED], O = [REDACTED], CN = [REDACTED]
verify return:1
read:errno=0
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...