Enabling sslv3 in server.conf with remote Splunk agents

lisaac
Path Finder

I have to update the local file server.conf to allow only sslv3 on an indexer (4.1.3) due to a recent audit. There are 150+ Windows Splunk agents (4.0.9) reporting to this indexer. Do the Splunk Agents need to be updated at the same time as the index? I believe the answer is no, but I wanted to verify.

File server.conf:

    [sslConfig]
    # By default, allow both v2 and v3 connections to the HTTP server
    supportSSLV3Only = True

This change should force the remote Splunk agents to only use ssl v3. I was hoping to just make the change on the indexer, restart the indexer, and the agents will re-establish communication using ssl v3.

trross33
Path Finder

I am looking for an answer to this question as well. I am assuming our vulnerability assessments are scanning the management port opened by default on all the universal forwarders. I assume they are to blame for the sslv2 vuln assessment finding on all the machines running a universal forwarder.

dwaddle
SplunkTrust

Based on the workings of the SSL protocol itself, this should work without changing the agent config at all. Basically, the SSL client (the forwarder) connects, and says "I can use SSL2, SSL3, and TLS 1.0" -- the server (the indexer) is then supposed to respond with the "highest common denominator" -- that is, the highest protocol level supported by both client and server. If you configure the indexer to only allow SSLV3, then they should negotiate to that.

You should be able to verify this is happening using Wireshark.
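What to look for in such a capture, as an added example that is not part of the original answer: the version field in the indexer's server hello is the protocol that was actually negotiated. The function name and the sample byte strings below are constructed for illustration; in practice the input would be the first bytes of the server's reply copied out of the capture.

```python
import struct

# Version numbers as they appear on the wire in a server hello.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0"}


def negotiated_version(data: bytes) -> str:
    """Return the protocol version announced in the server's first handshake bytes."""
    if len(data) < 7:
        raise ValueError("too short to hold a server hello")
    if data[0] == 0x16:
        # SSLv3/TLS record: type(1) version(2) length(2), then the handshake
        # header msg_type(1) length(3), then server_version(2) at offset 9.
        if len(data) < 11 or data[5] != 0x02:
            raise ValueError("handshake record does not start with ServerHello")
        (version,) = struct.unpack_from(">H", data, 9)
    elif data[0] & 0x80 and data[2] == 0x04:
        # SSLv2 record: 2-byte length with the high bit set, msg type 4
        # (SERVER-HELLO), session-id-hit(1), certificate-type(1), version(2).
        (version,) = struct.unpack_from(">H", data, 5)
    else:
        raise ValueError("not a server hello")
    return VERSIONS.get(version, f"unknown (0x{version:04x})")


# Constructed samples (zeroed random, empty optional fields), not real captures.
SSLV3_SERVER_HELLO = (
    bytes.fromhex("16 03 00 00 2a 02 00 00 26 03 00")  # record + handshake header + version
    + bytes(32)                                        # server random
    + bytes.fromhex("00 00 05 00")                     # session id len, cipher, compression
)
SSLV2_SERVER_HELLO = bytes.fromhex("80 0b 04 00 01 00 02 00 00 00 00 00 00")

if __name__ == "__main__":
    for name, blob in [("sslv3 sample", SSLV3_SERVER_HELLO),
                       ("sslv2 sample", SSLV2_SERVER_HELLO)]:
        print(name, "->", negotiated_version(blob))
```

A forwarder connection that shows `SSLv2` here after the indexer restart means the setting did not take effect on that port.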
