Block SSLv2 in Splunk

By default, Splunk allows SSLv2 for backwards compatibility. For security purposes, it is good practice to disable SSLv2. Other security requirements or standards, among them PCI and DISA STIG compliance, may also require that it be disabled.

Assuming you have already enabled SSL on Splunk, edit $SPLUNK_HOME/etc/system/local/web.conf and add the following line in the SSL settings portion.

supportSSLV3Only = True

This may cause problems with older browsers, but if they are that old they shouldn’t be allowed to connect anyway.

If you do have browsers that use TLSv1 rather than SSL, a workaround would be to replace

supportSSLV3Only = True

with

cipherSuite = ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:-EXP:-DES

The latter lets you specify which ciphers and protocols you would like to use. The syntax is the same as the OpenSSL cipher list syntax.
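To confirm that a deployed web.conf really ends up with SSLv2 blocked by either of the two settings above, a small audit check helps. This is an added example, not part of the original post or of Splunk itself: the function names and sample configs are constructed, it assumes the settings live in the [settings] stanza, and its cipher-list walk is a conservative approximation (any group added without a prefix is assumed to be able to bring SSLv2 ciphers back).

```python
import re

def parse_settings(conf_text):
    """Return key/value pairs from the [settings] stanza of a web.conf body."""
    stanza, settings = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "settings" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def cipher_string_excludes_sslv2(cipher_string):
    """Walk an OpenSSL cipher list; True only if SSLv2 ends up removed."""
    allowed, killed = False, False
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token:
            continue
        if token == "!SSLv2":
            allowed, killed = False, True   # '!' removes permanently
        elif token == "-SSLv2":
            allowed = False                 # '-' removes, later tokens may re-add
        elif token[0] in "!-+":
            continue                        # other removals and reorders add nothing
        elif not killed:
            allowed = True                  # assumption: any added group may carry SSLv2
    return not allowed

def sslv2_blocked(conf_text):
    """True if web.conf blocks SSLv2 via supportSSLV3Only or cipherSuite."""
    s = parse_settings(conf_text)
    if s.get("supportSSLV3Only", "").lower() in ("true", "1"):
        return True
    return bool(s.get("cipherSuite")) and cipher_string_excludes_sslv2(s["cipherSuite"])

# Constructed sample configs for illustration
PAGE_CIPHERS = ("ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:"
                "+SSLv3:+TLSv1:-SSLv2:-EXP:-DES")
DEFAULT_CONF = "[settings]\nenableSplunkWebSSL = true\n"
V3ONLY_CONF = DEFAULT_CONF + "supportSSLV3Only = True\n"
CIPHER_CONF = DEFAULT_CONF + "cipherSuite = " + PAGE_CIPHERS + "\n"
REORDERED_CONF = DEFAULT_CONF + "cipherSuite = -SSLv2:ALL\n"  # removal comes too early
```

The reordered sample shows why token order matters: a "-SSLv2" placed before "ALL" is undone by the later addition, so the check reports SSLv2 as still allowed.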


GuardianMS
Guarding your IT Experience!