topic Re: How to remove weak ciphers? in Splunk Search

How to remove weak ciphers?

coreyCLI — Fri, 24 Feb 2023 16:34:39 GMT

I am trying to pair down the list of ciphers we are using. When I remove AES256-GCM-SHA384 I begin to get the below errors on our Search Head Cluster.

02-24-2023 16:17:35.187 +0000 WARN SSLCommon [121742 TcpOutEloop] - Received fatal SSL3 alert. ssl_state='SSLv2/v3 read server hello A', alert_description='handshake failure'.

02-24-2023 16:17:35.187 +0000 ERROR TcpOutputFd [121742 TcpOutEloop] - Connection to host=SH_IP_REMOVED:8999 failed. sock_error = 0. SSL Error = error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

In server.conf, web.conf, inputs.conf and outputs.conf I have the below ciphers. Once I remove AES256-GCM-SHA384. The errors begin.

cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384

Re: How to remove weak ciphers?

richgalloway — Fri, 24 Feb 2023 18:47:00 GMT

It would seem that cypher is needed by Splunk and so shouldn't be removed from the cipherSuite setting. You may want to submit a support request about this.

Re: How to remove weak ciphers?

yuanliu — Sun, 26 Feb 2023 07:19:46 GMT

When was the last time you updated sslVersions in server.conf, web.conf, inputs.conf and outputs.conf? Rather, why do you need to set cipherSuite locally in the first place? AES256-GCM-SHA384 is perhaps preferred or required for SSLv2/v3. But SSLv2 and SSLv3 have been obsolete for very long. In fact, TLSv1.0 is already deprecated; even TLSv1.1 is deemed inadequate these days. In 9.x, default for sslVersions is 1.2 only.

If you have a good reason to localize cipherSuite, you need to eliminate SSLv2/v3 from sslVersions as well. (I had a weird situation two years ago where my Puppet server was so old it did not support TLS1.1. So, I had to enable TLS1.0 in Splunk knowing it was insecure.) But if you don't have to, just remove sslVersions and cipherSuite from local/ files. default/ in 9.5 is

sslVersions = tls1.2 cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ecdhCurves = prime256v1, secp384r1, secp521r1

(Read the corresponding files in default/ directory will help. Also read your version of server.conf, etc.)

Re: How to remove weak ciphers?

coreyCLI — Mon, 27 Feb 2023 13:50:34 GMT

I should have included this in my question but I have the below in server.conf, inputs.conf, outputs.conf and web.conf. I don't have access to the system today but I am not sure where SSLv2/v3 would come from then?

sslVersions = tls1.2 cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384

Also, we are at version 9.0.3

Re: How to remove weak ciphers?

coreyCLI — Tue, 21 Mar 2023 13:24:51 GMT

For anyone interested. My particular issue required me to call out the ecdhCurves specifically.

[replication_port-ssl://8999] cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 ecdhCurves = prime256v1, secp384r1, secp521r1

Everything worked once adding the ecdhCurves.