Splunk – SSL Settings for Web Interface

I was pointed at a great blog post on hardening SSL settings by Hynek Schlawack: it mitigates a number of attacks against SSL and then evaluates the result against the Qualys SSL Labs test.

So I set out to figure out how much of that advice I could incorporate into Splunk's SSL settings. Splunk uses CherryPy for its web server, and that makes disabling server-side SSL compression problematic; I still have not solved that part. We need it to help mitigate the recently covered BREACH attack and the older CRIME attack against SSL. Still, I was able to adjust things to mitigate BEAST and greatly improve the score given by the Qualys tool. Granted, there are blog posts out there on setting up Apache as the web front end and relaying traffic through to Splunk's CherryPy, which would give us the controls we need. For now, however, I prefer to write things up for vanilla Splunk, using only what is available in the install.

We will need to edit Splunk's web.conf file. We can take the recommended cipher list straight from Hynek's post. It addresses the BEAST attack by eliminating CBC-based ciphers from the list available to SplunkWeb. We force SSLv3 only, and of course we have SSL enabled on the web interface.

One thing to note: although we include the better, newer ciphers in the list, they will do nothing for us until the OpenSSL bundled with Splunk is upgraded in a patch to support TLS 1.2. Right now it only supports TLS 1.0. We put the list in now, and once an update adds TLS 1.2 support the newer ciphers should just start working.

Add the following stanza to web.conf, then bounce your Splunk service:

[settings]
enableSplunkWebSSL = 1
supportSSLV3Only = true
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA
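The following Python script is an added example, not part of the original post and not Splunk's own tooling. It audits a web.conf [settings] stanza like the one above: it splits the cipherSuite string on OpenSSL's legal separators, classifies each suite by key exchange and cipher mode from its OpenSSL name, and lists which suites only become usable once TLS 1.2 is available, which is the point made above about the newer ciphers. The stanza embedded in the script is constructed from the values in this post; the function names, the name-based classification rules, and the reading of supportSSLV3Only as a setting that rules out SSLv2 while leaving SSLv3 negotiable are assumptions made for the example.

```python
"""Audit a Splunk web.conf [settings] stanza for TLS hygiene.

Added example; not Splunk tooling. Classification is by OpenSSL suite name
(an assumption, since names are conventions, not a formal spec):
  "-GCM-" or CHACHA20 in the name -> AEAD mode (TLS 1.2 only)
  "RC4" in the name               -> RC4 stream cipher
  anything else                   -> CBC mode
  "-SHA256" / "-SHA384" suffix    -> requires TLS 1.2
  ECDHE-/DHE- prefix              -> forward secrecy; otherwise static RSA
"""
import re
from configparser import ConfigParser

# Constructed sample: the stanza from the post.
WEB_CONF = """\
[settings]
enableSplunkWebSSL = 1
supportSSLV3Only = true
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA
"""

TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_settings(conf_text):
    """Return the [settings] stanza as a dict (configparser lowercases keys).
    Only '=' is accepted as a delimiter so the ':' in the cipher list is kept."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    return dict(cp["settings"])


def split_cipher_list(cipher_string):
    """Split an OpenSSL cipher string on its legal separators (':', ',', space).
    A stray trailing ';' is not a separator; OpenSSL would read it as part of an
    unknown suite name and drop that suite, so it is stripped here instead."""
    return [s for s in re.split(r"[:,\s]+", cipher_string.strip().rstrip(";")) if s]


def classify_suite(name):
    """Return (key_exchange, mode, needs_tls12) for an OpenSSL-style suite name."""
    if name.startswith("ECDHE-"):
        kx = "ECDHE"
    elif name.startswith("DHE-"):
        kx = "DHE"
    else:
        kx = "RSA"  # static RSA key exchange: no forward secrecy
    if "-GCM-" in name or "CHACHA20" in name:
        mode = "AEAD"
    elif "RC4" in name:
        mode = "RC4"
    else:
        mode = "CBC"
    needs_tls12 = mode == "AEAD" or re.search(r"-SHA(256|384)$", name) is not None
    return kx, mode, needs_tls12


def audit(conf_text):
    """Group the stanza's suites by property and collect plain-language warnings."""
    settings = parse_settings(conf_text)
    report = {
        "ssl_enabled": settings.get("enablesplunkwebssl", "").lower() in TRUE_VALUES,
        # Assumption: supportSSLV3Only disables SSLv2 only; SSLv3 stays negotiable.
        "sslv2_disabled": settings.get("supportsslv3only", "").lower() in TRUE_VALUES,
        "aead": [], "cbc": [], "rc4": [], "no_forward_secrecy": [], "tls12_only": [],
        "warnings": [],
    }
    for suite in split_cipher_list(settings.get("ciphersuite", "")):
        kx, mode, needs_tls12 = classify_suite(suite)
        report[mode.lower()].append(suite)
        if kx == "RSA":
            report["no_forward_secrecy"].append(suite)
        if needs_tls12:
            report["tls12_only"].append(suite)

    w = report["warnings"]
    if not report["ssl_enabled"]:
        w.append("enableSplunkWebSSL is off: SplunkWeb serves plain HTTP")
    if not report["sslv2_disabled"]:
        w.append("supportSSLV3Only is off: SSLv2 can still be negotiated")
    for suite in report["rc4"]:
        w.append(f"{suite}: RC4 stream cipher")
    for suite in report["no_forward_secrecy"]:
        w.append(f"{suite}: static RSA key exchange, no forward secrecy")
    if report["cbc"]:
        w.append(f"{len(report['cbc'])} CBC-mode suite(s) remain in the list")
    if report["tls12_only"]:
        w.append(f"{len(report['tls12_only'])} suite(s) are unusable until TLS 1.2 is supported")
    return report


if __name__ == "__main__":
    for key, value in audit(WEB_CONF).items():
        print(f"{key}: {value}")
```

Run it as-is to see the report for the stanza above, or paste the contents of your own web.conf into WEB_CONF. The cbc and rc4 buckets are the suites to revisit as guidance changes, and the tls12_only bucket shows exactly which entries are dormant on a TLS 1.0-only build.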


2 Replies to “Splunk – SSL Settings for Web Interface”

  1. “supportSSLV3Only = true”

    Huh? I am confused. Why would you enable SSL 3.0?

    Splunk has been pretty clear they consider CRIME attack a client issue and not something that can be mitigated with CherryPy/Splunkweb http://answers.splunk.com/answers/65218/splunk-shows-vulnerable-to-cve-2012-4929-in-my-nessus-vulnerability-scan-what-is-going-on.html

    But either way, I don’t think enabling SSL 3 is the right answer. Unless I am missing something?

    https://www.openssl.org/~bodo/ssl-poodle.pdf

  2. Note the date of the post. OLD. Resolved higher risk issues at the time. Look at newer posts and information since Poodle and Splunk 6.2 release.
