Related Answers
Download topic as PDF
Configure allowed and restricted SSL versions
Splunk Enterprise version 6.2 and later provides the sslVersions keyword to restrict older versions of protocols. SSLv3 is shipped out of box to support easy upgrades but should be disabled as soon as upgrades are complete. By default, Splunk Enterprise allows communications on SSLv3 and all subsequent versions.
When Splunk Enterprise is configured in FIPS mode, SSLv2 and SSLv3 are always disabled regardless of any additional configuration.
CAUTION: To avoid the v3 "POODLE" vulnerability, remove SSLv3 as upgrades are applied to your environment.
Configure web.conf
1. In web.conf, update the sslVersions attribute to list or limit the versions (separated by commas) you want to permit. By defaults this attribute is set to *,-sslv2, which is any version newer than SSLv2 (not recommended). For 6.2 the allowed SSL versions are:
- SSLv2 (not recommended)
- SSLv3 (not recommended)
- TLS1.0 (not recommended)
- TLS1.1
- TLS1.2
For example:
sslVersions = tls1.1, tls1.2
Syntax options
To select all supported versions use "*":
sslVersions = *
To include all versions tls1.0 or newer use "tls":
sslVersions = tls
To restrict a particular version prefix it with "-" :
sslVersions = *, -ssl3
Note: When Splunk Enterprise is configured in FIPS mode, SSLv2 and SSLv3 are always disabled regardless of this configuration.
2. In inputs.conf, update the sslVersions attribute to list or limit the versions (separated by commas) you want Splunk Enterprise to support.
sslVersions = ssl2, tls1.1, tls1.2
You can use "*" to select all supported versions:
sslVersions = *
Simply use "tls" to include all versions tls1.1 or newer:
sslVersions = tls
The prefix a version with "-" to restrict a particular version:
sslVersions = *, -ssl3
3. Configure forwarders to be compatible with your indexer. Changing or limiting the SSL versions (and restricting SSLv3) can create compatibility issues with forwarders, particularly those that run earlier versions of Splunk Enterprise. For forwarders running 6.2 you can mitigate compatibility issues by also updating each forwarder's inputs.conf and web.conf settings in addition to your indexer.
Update any forwarders to 6.2 to be consistent with your indexer and the SSL settings (For purposes of backward compatibility, 6.0 can support up to tls1.1.)
Configure server.conf
Configure your server.conf file to accept connections with clients (for example, web.conf by editing the sslVersions attribute so that it is the same as your client(s).
For example:
[sslConfig] sslVersions = tls1.1, tls1.2
|
PREVIOUS About using SSL tools on Windows and Linux |
NEXT How to prepare your signed certificates for Splunk authentication |
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3
Comments
#web.conf
[settings]
sslVersions = <list of ssl versions string>
* Comma-separated list of SSL versions to support
* The versions available are "ssl2", "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "*" selects all supported versions. The version "tls"
selects all versions tls1.0 or newer
* If a version is prefixed with "-" it is removed from the list
* When appServerPorts=0 only supported values are "all", "ssl3, tls" and "tls"
* When configured in FIPS mode ssl2 and ssl3 are always disabled regardless of this configuration
* Defaults to "ssl3, tls". (anything newer than SSLv2)
* NOTE: this setting only takes effect when appServerPorts is set to a non-zero value
#server.conf
[sslConfig]
sslVersions = <versions_list>
#inputs.conf
[SSL]
sslVersions = <versions_list>
I have many inputs.conf files. Are you talking about a specific one?
I'd highly recommend following the advice at this blog instead: https://www.infosecsociety.com/blog/33-hardening-ssl-on-splunk-6
Provides exactly what you need to disable the weak ciphers that Splunk is allowing and not documenting that great.
Good question, yes,if you configure sslVersions for Splunk Web (or any other client) you need to make sure that server.conf is configured to accept those versions as well. I've updated the docs accordingly. Thanks!
Don't we also need to adjust the sslVersions setting in server.conf (in addition to web.conf?)
Hi all,
The < and > brackets are not meant to be typed, they are simply indicators that the information within them are variable examples. I can see how in these particular topic it can look confusing so I have removed them.
Hope that helps!
Jen
I would like to confirm the issue Dwaddle mentions: the <> characters should not be used, this is what tripped up our forwarders. Without them it works flawless.
In the examples above you sometimes use <sslv3> and other times <ssl3> wich one is the right one ?
Also is this kind of setting be deployed via Déploiement server like any other setting ?
Hey there,<br /><br />I am not sure I understand your question. The < > are just meant to indicate that the info inside them is an example and not necessarily to be used literally?
Are we sure that the value for sslVersions needs to be enclosed in < > characters? If we look at the shipped config files in $SPLUNK_HOME/etc/system/default/{server,web}.conf they show values such as<br /><br />../default/server.conf:sslVersions = *,-ssl2<br />../default/web.conf:sslVersions = ssl3, tls<br /><br />Makes me think the examples above need the < and > removed
Just curious, shouldn't all Splunk servers and forwarders be updated with these settings including master cluster, deployment and search heads and not just the indexer servers?