Enabling sslv3 in server.conf with remote Splunk agents

lisaac
Path Finder

I have to update the local file server.conf to allow only sslv3 on an indexer (4.1.3) due to a recent audit. There are 150+ Windows Splunk agents (4.0.9) reporting to this indexer. Do the Splunk agents need to be updated at the same time as the index? I believe the answer is no, but I wanted to verify.

File server.conf

[sslConfig]
# By default, allow both v2 and v3 connections to the HTTP server
supportSSLV3Only = True

This change should force the remote Splunk agents to only use ssl v3. I was hoping to just make the change on the indexer, restart the indexer, and the agents will re-establish communication using ssl v3.

trross33
Path Finder

I am looking for an answer to this question as well. I am assuming our vulnerability assessments are scanning the management port opened by default on all the universal forwarders. I assume they are to blame for the sslv2 vuln assessment finding on all the machines running a universal forwarder.

dwaddle
SplunkTrust

Based on the workings of the SSL protocol itself, this should work without changing the agent config at all. Basically, the SSL client (the forwarder) connects, and says "I can use SSL2, SSL3, and TLS 1.0" -- the server (the indexer) is then supposed to respond with the "highest common denominator" -- that is, the highest protocol level supported by both client and server. If you configure the indexer to only allow SSLV3, then they should negotiate to that.

You should be able to verify this is happening using Wireshark.
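As an added example (not part of the original thread or any Splunk tooling): the check suggested above comes down to reading the version fields in the first client and server handshake messages of a capture. The function names and the byte strings below are constructed for illustration.

```python
import struct

NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0"}

def client_offer(data: bytes):
    """Return (hello format, highest version offered) from a ClientHello."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-compatible hello: 2-byte length, msg type 1, version.
        return "SSLv2-format", struct.unpack(">H", data[3:5])[0]
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # SSLv3/TLS: 5-byte record header, 4-byte handshake header, version.
        return "SSLv3/TLS-format", struct.unpack(">H", data[9:11])[0]
    raise ValueError("not a ClientHello")

def server_choice(data: bytes) -> int:
    """Return the protocol version the server selected."""
    if len(data) >= 7 and data[0] & 0x80 and data[2] == 0x04:
        # SSLv2 SERVER-HELLO: type 4, session-id-hit, cert type, version.
        return struct.unpack(">H", data[5:7])[0]
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        return struct.unpack(">H", data[9:11])[0]
    raise ValueError("not a ServerHello")

def check_negotiation(client: bytes, server: bytes, floor: int = 0x0300) -> str:
    """PASS if the server picked a version at or above `floor` (SSLv3)."""
    fmt, offered = client_offer(client)
    chosen = server_choice(server)
    verdict = "PASS" if floor <= chosen <= offered else "FAIL"
    return (f"{verdict}: client offered up to {NAMES.get(offered, hex(offered))} "
            f"({fmt}), server chose {NAMES.get(chosen, hex(chosen))}")

# Constructed sample messages (not from a real capture), trimmed to the
# fields parsed above; random values and IDs are zero bytes.
CLIENT_HELLO = (bytes([0x80, 0x1C, 0x01, 0x03, 0x01])
                + struct.pack(">HHH", 3, 0, 16)
                + bytes([0x00, 0x00, 0x0A]) + bytes(16))
SERVER_HELLO_V3 = (bytes([0x16, 0x03, 0x00, 0x00, 0x2A,
                          0x02, 0x00, 0x00, 0x26, 0x03, 0x00])
                   + bytes(32) + bytes([0x00, 0x00, 0x0A, 0x00]))
SERVER_HELLO_V2 = (bytes([0x80, 0x1E, 0x04, 0x00, 0x01, 0x00, 0x02])
                   + struct.pack(">HHH", 0, 3, 16)
                   + bytes([0x07, 0x00, 0xC0]) + bytes(16))

if __name__ == "__main__":
    print(check_negotiation(CLIENT_HELLO, SERVER_HELLO_V3))
    print(check_negotiation(CLIENT_HELLO, SERVER_HELLO_V2))
```

The first sample pair models a forwarder sending an SSLv2-format hello that offers up to TLS 1.0 and an indexer answering with SSLv3; the second models a server that still answers with SSLv2.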
