Tags

, , , ,

SSL Doom’d

With poodle SSL protocol pretty much dead, many of the commercial websites already turned off SSL protocol support or in the process of deprecating them. What is the story with Splunk, that predominantly leverage SSL/TLS protocol for its communications. Yes, Splunk has introduced an option in Splunk 6.2(other versions also will be supporting this, check with Splunk support for the availability) to disable the SSL protocol so customers can choose to disable the SSLv3,SSLv2 communications.

How to Disable SSL for Splunkd (for Indexer/Forwarder)

In order to disable SSL protocol, you need to set the following property in your  SPLUNK_HOME/etc/system/local/server.conf

[sslConfig]
sslVersions = *,-ssl2,-ssl3
cipherSuite = TLSv1.2:!eNULL:!aNULL

After setting this property you need to restart your splunk forwarder/indexer, After restart your splunkd will accept only TLS connections. You can verify this in the following manner.

An entry in the splunkd.log

11-06-2014 11:40:14.318 -0800 INFO loader - Server supporting SSL versions TLS1.0,TLS1.1,TLS1.2
 11-06-2014 11:40:14.318 -0800 INFO loader - Using cipher suite TLSv1.2:!eNULL:!aNULL

note there is no SSL protocol support.

How to do a runtime validation if you don’t trust the log entries. Here is how ti can be accomplished.

openssl s_client -connect localhost:1901 -ssl3
CONNECTED(00000003)
140089763423912:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1292:SSL alert number 40
140089763423912:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:615:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
 Protocol : SSLv3
 Cipher : 0000
 Session-ID: 
 Session-ID-ctx: 
 Master-Key: 
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 Start Time: 1415303037
 Timeout : 7200 (sec)
 Verify return code: 0 (ok)
---

A SSLv2 connection also fails as expected

openssl s_client -connect localhost:1901 -ssl2
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 45 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
 Protocol : SSLv2
 Cipher : 0000
 Session-ID: 
 Session-ID-ctx: 
 Master-Key: 
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 Start Time: 1415303140
 Timeout : 300 (sec)
 Verify return code: 0 (ok)
--

Where as a TLS connection goes through successfully.(ignore the CA cert validation, you get the point.:-)

openssl s_client -connect localhost:1901 -tls1_2
CONNECTED(00000003)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=SplunkServerDefaultCert/O=SplunkUser
 i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
 1 s:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
 i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICLTCCAZYCCQDPc+vw483gJTANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xDzANBgNVBAoT
BlNwbHVuazEXMBUGA1UEAxMOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0xNDA5MjcwNjMzMjNaFw0xNzA5MjYwNjMz
MjNaMDcxIDAeBgNVBAMMF1NwbHVua1NlcnZlckRlZmF1bHRDZXJ0MRMwEQYDVQQK
DApTcGx1bmtVc2VyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNWcEbfS9/
j8ZxQRBHXCiYY2DdEhgQiw97nl6tjNOZ8k2Ma+TPEbyfA8WI8wBItE1G7YlkqhVL
I6b2njCEB2qmpQp8TgxVNsDw8y9as9oBFFCeT7SllvFzZu7upmaz9/z28imgOrvF
+4VVRReiWfSpqKO40lDM/NE+EUDWx7UkDwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
AGzUp/NR7dslJnwSUMs3PSnjFwf41iSgI8YOpoFaexB+gEhDeNGx8xP64/E/PF6C
qok9JTAlm2XOx3ekZbEKvSZjDrWy7wzZFWO/e77n2XVQVAQzo7gIy9cz8PVG3alO
FnlP3W3QdHBpLzdeYPVNxW8PkjBK46kPsEp8aFkwtizI
-----END CERTIFICATE-----
subject=/CN=SplunkServerDefaultCert/O=SplunkUser
issuer=/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
---
No client certificate CA names sent
---
SSL handshake has read 1519 bytes and written 504 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
 Protocol : TLSv1.2
 Cipher : AES256-GCM-SHA384
 Session-ID: 1F1A78A0D2F412C2F7002178A8B0AFDD31237514AF7DCF5B0CE55445BC3E168B
 Session-ID-ctx: 
 Master-Key: F2C642674101E18263745A5C0D0D099C38034EAC49FD98A85C8224F498BB9802A5C432D6F31F318B0AB2014D42B49E2E
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 TLS session ticket lifetime hint: 300 (seconds)
 TLS session ticket:
 0000 - 13 1d 01 c2 f0 ab 4a 7a-3b f2 cd 87 31 7f 18 93 ......Jz;...1...
 0010 - 82 f7 65 6a 5e 90 4b 7d-c2 4d 72 8d e8 72 23 77 ..ej^.K}.Mr..r#w
 0020 - 91 ca b0 65 f7 a9 46 6c-f0 26 5b 30 ea bd b3 55 ...e..Fl.&[0...U
 0030 - 7a 84 51 ae 39 3e bd d6-c8 03 b9 6c 10 d8 22 8e z.Q.9>.....l..".
 0040 - 45 f5 f0 b1 e6 b6 80 f4-d8 66 8b 04 e3 6a ff 2f E........f...j./
 0050 - cd 49 92 4f 2e 53 f9 82-90 33 03 a4 31 2a 6c 99 .I.O.S...3..1*l.
 0060 - 05 3b 74 6c cd e3 da c7-6c 66 61 d0 80 2a 36 9e .;tl....lfa..*6.
 0070 - db d0 ac 19 f4 ee d1 be-8b 9b e0 d8 bd eb 9f c5 ................
 0080 - 1b ca 8d 9b d3 43 2e 7a-72 d4 c1 1d e6 0c 05 81 .....C.zr.......
 0090 - ec 9b 00 0b bd 0b 6e 89-e4 7c 28 54 1d 90 e9 5f ......n..|(T..._
Compression: 1 (zlib compression)
Start Time: 1415303356
 Timeout : 7200 (sec)
 Verify return code: 19 (self signed certificate in certificate chain)

Ok ,that is for the splunkd communication over TLS, what about Splunkweb? We need to modify the web.conf to make that happen. BTW, the entry

cipherSuite = TLSv1.2:!eNULL:!aNULL

ensures the cipher suite selected for establishing TLS session is the highest secure one. You can default it by commenting this line.

How To Disable SSL for Splunkweb

Similar to the splunkd it is straight forward for splunkweb as well except you need to modify the SPLUNK_HOME/etc/system/local/web.conf file with following content

[settings]
httpport = 1900
mgmtHostPort = 127.0.0.1:1901
sslVersions = *,-ssl2,-ssl3
enableSplunkWebSSL = true
cipherSuite = TLSv1.2:!eNULL:!aNULL

After restarting the splunkweb, you can verify the connection to splunkweb is not supporting SSL protocol.

Forcing SSLv2 connection fails

openssl s_client -connect localhost:1900 -ssl2
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 45 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
 Protocol : SSLv2
 Cipher : 0000
 Session-ID: 
 Session-ID-ctx: 
 Master-Key: 
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 Start Time: 1415312416
 Timeout : 300 (sec)
 Verify return code: 0 (ok)
---

 

FORCING SSLv3 CONNECTION FAILS

 

 openssl s_client -connect localhost:1900 -ssl3
CONNECTED(00000003)
140287750391464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1292:SSL alert number 40
140287750391464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:615:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
 Protocol : SSLv3
 Cipher : 0000
 Session-ID: 
 Session-ID-ctx: 
 Master-Key: 
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 Start Time: 1415312551
 Timeout : 7200 (sec)
 Verify return code: 0 (ok)
---

Forcing to make TLS1.1 connection – should fail

openssl s_client -connect localhost:1900 -tls1_1
CONNECTED(00000003)
139639458277032:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1292:SSL alert number 40
139639458277032:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:615:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
 Protocol : TLSv1.1
 Cipher : 0000
 Session-ID: 
 Session-ID-ctx: 
 Master-Key: 
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 Start Time: 1415312590
 Timeout : 7200 (sec)
 Verify return code: 0 (ok)
---

This should fail because of the following entry in web.conf

cipherSuite = TLSv1.2:!eNULL:!aNULL

if you comment this, you can make TLS1.x connection but not SSL connection

Here is the test for verifying TLS1.2 connection

openssl s_client -connect localhost:1900 -tls1_2
CONNECTED(00000003)
depth=0 CN = qa-mytest-01.sv.splunk.com, O = SplunkUser
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = qa-mytest-01.sv.splunk.com, O = SplunkUser
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = qa-mytest-01.sv.splunk.com, O = SplunkUser
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=qa-mytest-01.sv.splunk.com/O=SplunkUser
 i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICMTCCAZoCCQDPc+vw483gJjANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xDzANBgNVBAoT
BlNwbHVuazEXMBUGA1UEAxMOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0xNDA5MjcwNjMzMjRaFw0xNzA5MjYwNjMz
MjRaMDsxJDAiBgNVBAMMG3FhLXN5c3Rlc3QtMDEuc3Yuc3BsdW5rLmNvbTETMBEG
A1UECgwKU3BsdW5rVXNlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvDSQ
C28QErqvX7ff+SCCkkKVGAS6xQohusmNZGhFIkSVul+ZGU9LYQMRRF4vA2c196rm
jd3Qt/NzNOE0DKojqb65+Nw1u9GGPF8/A1SHsXoF0nTt3xe1RDmL8MT12ByhL7lc
1yILGBwS6h7GMT7yUl9JcnYpU12qCd2LduhF0f0CAwEAATANBgkqhkiG9w0BAQUF
AAOBgQCAT/RCo+vKB/qWwPP2M6NsmqnOdrwoeNUv53QYYMU8wquv+RzlwuJw4isb
1J5hjZFAlrLLSQfzd2Eqlh8x1yrw2kArt589wCuA9rd5xeuSK7Vd9u76t2w4cXjq
ZHEzhKkbB2Wbzdy613lUdK+6sWWYSwPQlXls/Ostu0zGXD96mg==
-----END CERTIFICATE-----
subject=/CN=qa-mytest-01.sv.splunk.com/O=SplunkUser
issuer=/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
---
No client certificate CA names sent
---
SSL handshake has read 878 bytes and written 496 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
 Protocol : TLSv1.2
 Cipher : AES256-GCM-SHA384
 Session-ID: 8C9B759F7C19FD07EB745E028D24CE333A1122BAD943AE8761422AA9FB5E8A97
 Session-ID-ctx: 
 Master-Key: F0B7AC07E8CA1D728E7C196792A2C5B524F49650ABA4C2397C17B7F5CCD1B018DD6326D64407082EF67F19AABD2AE5E4
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 TLS session ticket lifetime hint: 300 (seconds)
 TLS session ticket:
 0000 - d1 4a 07 15 81 60 46 eb-00 1e 60 9d 0b 72 84 43 .J...`F...`..r.C
 0010 - 84 75 c1 ce ff 0c cf 48-e3 07 4d c3 8d a6 48 e0 .u.....H..M...H.
 0020 - 52 ce a0 98 86 61 73 83-84 eb 21 47 cd fe 86 e4 R....as...!G....
 0030 - 26 1c c0 c8 9b 04 9e a6-63 64 4e f6 27 ad cf 38 &.......cdN.'..8
 0040 - 74 b1 9d a5 c7 84 fd e8-0b bc 6a 33 d4 dc 29 34 t.........j3..)4
 0050 - d0 6c 7b 00 b5 41 d6 5b-ff b0 62 9e 32 2d a7 02 .l{..A.[..b.2-..
 0060 - fd 84 ed f0 f6 6d 4d 36-11 ca 9e 30 61 f3 d1 57 .....mM6...0a..W
 0070 - 67 34 e6 e3 09 96 f6 ae-7e f6 c0 91 21 b1 b0 09 g4......~...!...
 0080 - 31 3e ad db 08 90 5f 02-ba 9d b2 cc 05 5a 6b aa 1>...._......Zk.
 0090 - 73 52 e9 df c9 90 bf 6c-d4 01 c8 3f c7 be f1 d0 sR.....l...?....
Start Time: 1415312760
 Timeout : 7200 (sec)
 Verify return code: 21 (unable to verify the first certificate)
---

 

 

Advertisements