Force TLS 1.1+ for index replication

dyeo
Engager

Our vulnerability scanner keeps reporting hits for SSLv3 on the port 8080 replication ports of our index cluster. I've added the following to server.conf:

[sslConfig]
sslVersion = tls, -tls1.0

Yet we are still getting hits for SSLv3 on the cluster nodes. Below is the full output of the btool server listing:

[sslConfig]
allowSslCompression = true
allowSslRenegotiation = true
caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
enableSplunkdSSL = true
sendStrictTransportSecurityHeader = false
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = XXXXXXXXXXX
sslVersions = tls, -tls1.0
sslVersionsForClient = tls1.2
useClientSSLCompression = true
useSplunkdClientSSLCompression = true


_joe
Communicator

I had a similar issue; the problem is that the replication port does NOT necessarily use TLS by default (see the spec file).

You need to add this to your inputs.conf app on your indexer:

[replication_port-ssl://8081]
sslVersions = tls1.2

You can also add cipherSuite, serverCert, and sslPassword here.

https://docs.splunk.com/Documentation/Splunk/latest/admin/Serverconf

sslVersions =

  • Comma-separated list of SSL versions to support.

  • The versions available are "ssl3", "tls1.0", "tls1.1", and "tls1.2".

  • The special version "*" selects all supported versions. The version "tls"
    selects all versions tls1.0 or newer.

  • If a version is prefixed with "-" it is removed from the list.

  • SSLv2 is always disabled; "-ssl2" is accepted in the version list but
    does nothing.

  • When configured in FIPS mode, ssl3 is always disabled regardless
    of this configuration.

  • Default: The default can vary (See the sslVersions setting in
    the $SPLUNK_HOME/etc/system/default/server.conf file for the current default)

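To check what a given sslVersions value actually leaves enabled, here is a small resolver that implements the rules quoted from the spec file above ("*", "tls", "-" prefix, ignored "-ssl2", FIPS disabling ssl3). It is an added example, not Splunk code; it assumes tokens are processed left to right and that the supported set is exactly the four versions the spec lists. It shows that "tls, -tls1.0" is itself a correct value (only tls1.1 and tls1.2 remain), so the scanner hit comes from the stanza the setting lives in, not the value.

```python
"""Resolve a Splunk-style sslVersions string into the enabled versions.

Added example implementing the spec-file rules quoted in this thread.
Assumptions (not from the spec): tokens are applied left to right, and
the supported versions are exactly ssl3, tls1.0, tls1.1 and tls1.2.
"""

# Versions the spec file lists as available, oldest first.
SUPPORTED = ("ssl3", "tls1.0", "tls1.1", "tls1.2")
TLS_FAMILY = tuple(v for v in SUPPORTED if v.startswith("tls"))


def expand(token):
    """Map one token (with any leading '-' already stripped) to a set."""
    if token == "*":            # "*" selects all supported versions
        return set(SUPPORTED)
    if token == "tls":          # "tls" selects tls1.0 or newer
        return set(TLS_FAMILY)
    if token == "ssl2":         # always disabled; accepted but a no-op
        return set()
    if token in SUPPORTED:
        return {token}
    raise ValueError(f"unknown SSL/TLS version token: {token!r}")


def resolve_ssl_versions(value, fips_mode=False):
    """Return the versions left enabled by `value`, oldest first."""
    enabled = set()
    for raw in value.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        if token.startswith("-"):
            enabled -= expand(token[1:])   # "-x" removes x from the list
        else:
            enabled |= expand(token)
    if fips_mode:
        enabled.discard("ssl3")            # FIPS always disables ssl3
    return [v for v in SUPPORTED if v in enabled]


def weakest_version(value, fips_mode=False):
    """Oldest protocol still enabled, or None if nothing is enabled."""
    versions = resolve_ssl_versions(value, fips_mode)
    return versions[0] if versions else None


if __name__ == "__main__":
    for setting in ("tls, -tls1.0", "*", "*, -ssl3, -tls1.0", "tls1.2"):
        print(f"{setting!r:25} -> {resolve_ssl_versions(setting)}")
```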

koshyk
Super Champion

There are 3 parts to fixing the issue:

=> Ensure you have certificate settings in an app (e.g. MY_cert_app).
=> Create a TLS client app (MY_tls_client_app). Put the setting as shown in the link in inputs.conf. This app will then be deployed to all slaves.

[SSL]
sslVersions = tls1.2
cipherSuite = TLSv1.2:!eNULL:!aNULL

=> Create a TLS server app (MY_tls_server_app). This app will then be deployed to the Cluster Master.
a. Put the setting as shown in the link in server.conf.

[sslConfig]
sslVersions = tls1.2
cipherSuite = TLSv1.2:!eNULL:!aNULL
useClientSSLCompression = true
useSplunkdClientSSLCompression = true

b. Put these contents in inputs.conf on your CLM:

[SSL]
rootCA = $SPLUNK_HOME/etc/apps/MY_cert_app/bin/auth/rootCA.pem
serverCert = $SPLUNK_HOME/etc/apps/MY_cert_app/bin/auth/device.pem
password = my_pass
requireClientCert = false

=> Now create another app for the CLM (MY_clm_cluster_config) like this and put it on the CLM, in server.conf:

[general]
site = site0

#indexer clustering
[clustering]
mode = master
pass4SymmKey = my_pass
cluster_label = my_idx_cluster1
multisite = true
replication_factor = 2
search_factor = 2
site_replication_factor = origin:1, total:2
site_search_factor = origin:1, total:2
available_sites = site1, site2

[indexer_discovery]
pass4SymmKey = my_pass
polling_rate = 300

_joe
Communicator

@dyeo did this resolve your problem?
