Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Configure SSL versions

The following versions of Splunk Enterprise provide the sslVersions attribute, which lets you restrict older versions of protocols:

  • 5.0.11
  • 6.0.7
  • 6.1.5
  • 6.2

This topic discusses how to configure SSL versions for 5.0.11, 6.0.7, and 6.1.5. For information about 6.2, see Configure allowed and restricted SSL versions.

SSLv3 is shipped out of box to support easy upgrades but should be disabled as soon as upgrades are complete. By default, Splunk Enterprise allows communications on SSLv3 and all subsequent versions. If you are running your indexer and forwarders on any other version than the versions that support sslVersions, you should upgrade in order to take advantage of this attribute.

Splunk Enterprise and SSL Version compatibility

We recommend that you update all forwarders and indexers to take the best advantage of versioning compatibility. If you do run multiple versions of Splunk Enterprise on forwarders and indexers we recommend that you leave SSLv3 enabled until you are able to upgrade all of your components.


Configure your SSL versions

1. In inputs.conf and server.conf update the sslVersions attribute to list or limit the versions (separated by commas) you want Splunk Enterprise to support. By default, 6.1.5 is set to accept anything newer than SSLv2 (not recommended). For 6.1.5 and 6.0.7 the allowed SSL versions are:

  • "ssl2"
  • "ssl3"
  • "tls1.0"
  • "tls1.1"
  • "tls1.2"

For 5.0.11 the allowed SSL versions are:

  • "ssl2"
  • "ssl3"
  • "tls1.0"

For example:

sslVersions = <tls1.0, tls1.1, tls1.2>

Syntax options

To select all supported versions use "*":

sslVersions = <*>

To include all versions tls1.0 or newer use "tls":

sslVersions = <tls>

To restrict a particular version prefix it with "-" :

sslVersions = <*, -ssl3>

2. In web.conf edit the sslVersions attribute:

In web.conf, update the sslVersions attribute to list or limit the versions (separated by commas) you want Splunk Enterprise to support. The defaults setting is "ssl3, tls". For 6.1.5 the accepted SSL versions are:

  • "all" - Allows all SSL versions (not recommended).
  • "ssl3, tls" - Allows SSL versions newer than SSLv2 (not recommended).
  • "tls" - Allows SSL tls1.0 and newer (recommended).

For example:

sslVersions = tls

Note: When Splunk Enterprise is configured in FIPS mode, SSLv2 and SSLv3 are always disabled regardless of this configuration.

3. In web.conf edit appServerPorts to provide a port:

appServerPorts = <one or more port numbers>

This is the port number(s) for the python-based application server to listen on.

4. Configure all forwarders to be compatible with your indexer. Changing or limiting the SSL versions (and restricting SSLV3) can create compatibility issues with forwarders, particularly those that run earlier versions of Splunk Enterprise.

Update any forwarders to be consistent with your indexer so that you can mitigate compatibility issues by also updating each forwarder's inputs.conf, server.conf, and web.conf settings in addition to your indexer. (For purposes of backward compatibility, 6.0 can support up to TLS 1.0.)

PREVIOUS
About using SSL tools on Windows and Linux
  NEXT
How to prepare your signed certificates for Splunk authentication

This documentation applies to the following versions of Splunk® Enterprise: 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters