Splunk® Enterprise

Securing Splunk Enterprise

Acrobat logo Download manual as PDF

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Configure allowed and restricted SSL versions

Splunk Enterprise version 6.2 and later provides the sslVersions keyword to restrict older versions of protocols. SSLv3 is shipped out of box to support easy upgrades but should be disabled as soon as upgrades are complete. By default, Splunk Enterprise allows communications on SSLv3 and all subsequent versions.

When Splunk Enterprise is secured with FIPS, SSLv2 and SSLv3 are always disabled regardless of any additional configuration.

CAUTION: To avoid the v3 "POODLE" vulnerability, remove SSLv3 as upgrades are applied to your environment.

Configure web.conf

1. In web.conf, update the sslVersions attribute to list or limit the versions (separated by commas) you want to permit. By defaults this attribute is set to *,-sslv2, which is any version newer than SSLv2 (not recommended). For 6.2 the allowed SSL versions are:

  • SSLv2 (not recommended)
  • SSLv3 (not recommended)
  • TLS1.0 (not recommended)
  • TLS1.1
  • TLS1.2

For example:

sslVersions = tls1.1, tls1.2

Syntax options

To select all supported versions use "*":

sslVersions = *

To include all versions tls1.0 or newer use "tls":

sslVersions = tls

To restrict a particular version prefix it with "-" :

sslVersions = *, -ssl3

Note: When Splunk Enterprise is configured in FIPS mode, SSLv2 and SSLv3 are always disabled regardless of this configuration.

2. In inputs.conf, update the sslVersions attribute to list or limit the versions (separated by commas) you want Splunk Enterprise to support.

sslVersions = ssl2, tls1.1, tls1.2

You can use "*" to select all supported versions:

sslVersions = *

Simply use "tls" to include all versions tls1.1 or newer:

sslVersions = tls

The prefix a version with "-" to restrict a particular version:

sslVersions = *, -ssl3

3. Configure forwarders to be compatible with your indexer. Changing or limiting the SSL versions (and restricting SSLv3) can create compatibility issues with forwarders, particularly those that run earlier versions of Splunk Enterprise. For forwarders running 6.2 you can mitigate compatibility issues by also updating each forwarder's inputs.conf and web.conf settings in addition to your indexer.

Update any forwarders to 6.2 to be consistent with your indexer and the SSL settings (For purposes of backward compatibility, 6.0 can support up to tls1.1.)

Configure server.conf

Configure your server.conf file to accept connections with clients. In other words, you would configure web.conf by editing the sslVersions attribute so that it is the same as your the version configured in your server.conf file for you client(s).

For example:

sslVersions = tls1.1, tls1.2

Caveats to configuring splunkd with server.conf

If you have configured Splunk Enterprise deployment clients with SSL, confirm that you also configure Splunk Enterprise deployment servers to listen over SSL. If you do not, then deployment clients cannot connect to those servers, even if you have correctly configured certificates and TLS properly. To ensure that deployment clients can connect to deployment servers, review the server.conf configuration file on the deployment servers and confirm that it has at least the following setting:

enableSplunkdSSL = true
Last modified on 28 January, 2020
About using SSL tools on Windows and Linux
About creating certificates for Splunk

This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters