So I set out to figure out how much of the advice I could incorporate into Splunk's SSL settings. I found that Splunk uses CherryPy for its web server, which makes disabling server-side SSL compression problematic, and I still have not solved that part. We need that to help mitigate the recently covered BREACH attack and the older CRIME attack. Still, I was able to adjust things to mitigate BEAST and greatly improve the score given by the Qualys tool. Granted, there are blog posts out there on setting up Apache as the web front end and relaying traffic through to Splunk's CherryPy; that would give us the controls we need. However, for now I like to write things up for vanilla Splunk, doing it with just what is available in the install.
We will need to edit Splunk's web.conf file. We can just take the recommended cipher list from Hyneck's post. It addresses the BEAST attack by eliminating CBC-based ciphers from the list available to SplunkWeb. We force SSLv3 only, and of course we have SSL enabled on the web interface.
One thing to note: although we include the better, newer ciphers in the list, they will do nothing for us until the OpenSSL in Splunk is upgraded in a patch to support TLS 1.2. Right now it still only supports TLS 1.0. We put the list in now, and when an update adds TLS 1.2 support the newer ciphers should just start working.
Add the following stanza to web.conf, then bounce your Splunk service:
[settings]
enableSplunkWebSSL = 1
supportSSLV3Only = true
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA
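As an added illustration (example code, not from the post and not part of Splunk), the following script parses a constructed web.conf [settings] stanza carrying the cipher list above and groups each suite by cipher mode, forward secrecy and whether it needs TLS 1.2, so you can see which entries a TLS 1.0-only server can actually negotiate. Classification is by OpenSSL suite naming convention, and the sample web.conf text is constructed for the example.

```python
import configparser
import re

# Constructed web.conf fragment for this example (not taken from a real install);
# the cipher list is the one recommended in the post above.
SAMPLE_WEB_CONF = """
[settings]
enableSplunkWebSSL = 1
supportSSLV3Only = true
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA
"""


def parse_settings(conf_text):
    """Return the [settings] stanza of a web.conf as a case-insensitive mapping."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp["settings"]


def classify_mode(suite):
    """Bulk-cipher mode, inferred from the OpenSSL suite name."""
    if any(tok in suite for tok in ("GCM", "CCM", "CHACHA20")):
        return "aead"   # authenticated encryption, not affected by BEAST
    if "RC4" in suite:
        return "rc4"    # stream cipher: sidesteps BEAST but is weak in itself
    return "cbc"        # AES-*-SHA / -SHA256 / -SHA384 suites are CBC mode


def needs_tls12(suite):
    """GCM and SHA-2 MAC suites exist only from TLS 1.2 onwards."""
    return any(tok in suite for tok in ("GCM", "SHA256", "SHA384"))


def audit_cipher_suite(value):
    """Split an OpenSSL cipher string and group suites by mode, forward secrecy
    and minimum TLS version. A stray trailing ';' is tolerated."""
    suites = [s for s in re.split(r"[:,\s]+", value.strip().rstrip(";")) if s]
    report = {"aead": [], "cbc": [], "rc4": [], "no_forward_secrecy": [], "usable_on_tls10": []}
    for s in suites:
        report[classify_mode(s)].append(s)
        if not s.startswith(("ECDHE-", "DHE-")):
            report["no_forward_secrecy"].append(s)
        if not needs_tls12(s):
            report["usable_on_tls10"].append(s)
    return report


if __name__ == "__main__":
    settings = parse_settings(SAMPLE_WEB_CONF)
    for group, names in audit_cipher_suite(settings["cipherSuite"]).items():
        print(f"{group:20} {', '.join(names) or '-'}")
```

On a TLS 1.0-only build the "usable_on_tls10" group is the list that matters: the four TLS 1.2 suites sit unused until the OpenSSL upgrade the post mentions.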