topic cipherSuite in various .conf files in Security

cipherSuite in various .conf files

lcshared — Fri, 02 May 2014 11:49:04 GMT

Hi,

we know about the cipherSuite option to set and configure the SSL cipher to be used. But since it can be set in various places it is not completely clear which config has what effect for an universal forwarder or an indexer in regards of the management port, web port and receiving port.

Regards

Re: cipherSuite in various .conf files

MuS — Fri, 02 May 2014 11:53:50 GMT

Hi,

as you already know the cipherSuite option can be set in server.conf, web.conf and inputs.conf. Now each cipherSuite in each .conf file has a different effect. After some testing I will share my results.

All test were done on a default Splunk setup using a indexer and one universal forwarder. First lets get the SSL ciphers used by Splunk's openSSL, like this:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

So we see Splunk uses as first SSL cipher AES256-GCM-SHA384. Okay lets verify this...

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher

depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384

Bingo, we get back AES256-GCM-SHA384 as used SSL cipher.

Now we change the used SSL cipher for the Splunk management port 8089, therefore I changed the cipherSuite in server.conf on the indexer to cipherSuite=CAMELLIA256-SHA restarted Splunk and did the above test again.

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect myIDX:8089 | grep Cipher
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA

So I changed the SSL cipher successfully.

I did more testing on web.conf and inputs.conf and here is effects those changes had:

universal forwarder

inputs.conf: has no effect
web.conf: has no effect as well (which is no surprise at all 😉 )
server.conf: changes the SSL cipher used on the Splunks default management port 8089

indexer

inputs.conf: changes the SSL cipher used on the Splunks splunk-to-splunk default receiving port 9997
web.conf: changes the SSL cipher used on the Splunks default web port 8000
server.conf: changes the SSL cipher used on the Splunks default management port 8089

One result of this tests is that one is able to change/define the cipherSuite used on accepting a SSL connection, but I was unable to set/change the SSL cipher used to open a connection.

hope this helps ...

cheers, MuS

Re: cipherSuite in various .conf files

Lucas_K — Mon, 11 May 2015 05:59:01 GMT

A year late to the party but ... no way was found to control outbound cipher selection?

Re: cipherSuite in various .conf files

MuS — Mon, 02 Nov 2015 22:18:31 GMT

Better late, than never 😉 There is an option in outputs.conf but the docs are a bit confusing:

sslCipher = <string>
* If set, uses the specified cipher string for the input processors.

Re: cipherSuite in various .conf files

Graham_Hanningt — Fri, 17 Jun 2016 06:23:26 GMT

Even later to the party, and arriving with nothing more to offer than the bleeding obvious: the SSL stanza in inputs.conf changes the SSL cipher used for TCP inputs defined in tcp-ssl stanzas in inputs.conf.

For example, using the OpenSSL (0.9.8zb) s_client command to send a JSON-formatted event to a Splunk tcp-ssl input, without explicitly specifying cipherSuite in the SSL stanza, the connection used AES256-SHA. Specifying the following in the SSL stanza:

cipherSuite = DES-CBC3-SHA

caused the connection to use that cipher suite instead.

Re: cipherSuite in various .conf files

mhigginson — Tue, 12 Jun 2018 19:47:50 GMT

It also appears that the server.conf cipherSuite controls HTTP (HEC) inputs as well.

Re: cipherSuite in various .conf files

MuS — Thu, 14 Jun 2018 07:35:37 GMT

Just remember you commented on a post from 2014, where things like HEC were devils black witchery 😉

cheers, MuS

Re: cipherSuite in various .conf files

GVanhees — Wed, 20 Jun 2018 06:22:17 GMT

After an upgrade to 7.0.4 my search-head did not connect to the older version deployment server (6.4) because it stated "handshake failure" in splunkd.log after restarting.

I did try a lot of different things, but only after adding: cipherSuite = AES256-GCM-SHA384 to the web.conf, the search-head's outbound connection to the deployment server was successful.

It therefore seems that the web.conf configuration controls the outbound connection to the deployment server.

Re: cipherSuite in various .conf files

jnichols914 — Wed, 21 Jul 2021 15:55:27 GMT

Thank you for this post. We had an issue with the ciphers occur and didn't have this in-depth knowledge of how all the configuration files worked. This will help us in the future with upgrades.