I am having issues monitoring wire traffic on port 443 (HTTPS). I am successfully monitoring on port 80 (HTTP), however I am unsure of the additional configurations needed for HTTPS to work properly.
I have installed the Stream app on a deployment server, which has successfully distributed the app to the universal forwarder. The universal forwarder is located on the web server. While parsing the documentation, I'm confused about which configurations to use and where to put them for HTTPS traffic. Has anyone else done this successfully? I haven't been able to find any specific documentation or Splunk answers for this issue. Any advice or direction on which configurations are needed for monitoring HTTPS on port 443 is appreciated.
I've noticed there is no https stream type, is this because it is included in the http one?
I am currently running Splunk 6.4.1 and Stream 6.6.1.
Thanks for any assistance.
Hello,
https traffic is encrypted, so in order to be able to see it you need to provide Stream Forwarder with the web server's SSL private key. Here's the doc link on how to do it: http://docs.splunk.com/Documentation/StreamApp/6.6.1/DeployStreamApp/EnableSSLforStreamForwarder
There's no https stream type since https is essentially encrypted http.
Thank you for the response. After adding the key to the UF, I am seeing another error on my forwarder. streamfwd.log is outputting this error:
stream.SnifferReactor - SSL decryption error (cipher suite not decryptable) (ssl) [c=18.104.22.168:4158, s=172.29.2.115:443]
The key is in RSA format. I can't seem to find any other additional documentation on this issue.
The "cipher suite not decryptable" error you're now encountering is related to the ephemeral encryption, which means that even if you have the server key, you cannot decrypt the session. Hence, you need to disable the ephemeral cipher suites on the http server in order for Stream (or any other SSL decryption-capable network monitor) to be able to decode your traffic.
This is sort of mentioned in the documentation, but it's definitely not explained sufficiently:
By default, some web servers can negotiate session ciphers that do not use RSA private keys. These ephemeral key exchange protocols (such as Diffie-Hellman) make it impossible for any passive observer to decrypt the traffic, and are therefore not supported by Stream.
To ensure that Stream can intercept all of your encrypted traffic, you might need to disable support for ephemeral ciphers on your web server. This does not make your web server less secure, because the web server uses equally effective alternative ciphers for the connection.
The main reason the doc doesn't specifically list setup instructions there is because different http servers require different config tweaking in order to disable ephemeral encryption. For example, to configure an Apache server you need to set the SSLCipherSuite parameter in httpd.conf to something like
SSLCipherSuite kRSA:!SSLv2:!SSLv3:!eNULL:!NULL
or a similar cipher list string. See http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html and https://www-origin.openssl.org/docs/manmaster/apps/ciphers.html for more details.
What http server are you using?
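As an added illustration (not part of the thread or of the Stream app), the script below parses the streamfwd.log error line quoted above and classifies cipher suite names by whether a passive observer holding the server's RSA private key can decrypt the session: only static RSA key exchange (kRSA) is decryptable, while ECDHE/DHE suites and, going beyond the thread, all TLS 1.3 suites (which mandate ephemeral key exchange) are not. The sample cipher list is constructed; `classify` and `not_decryptable` are hypothetical helper names.

```python
import re

# Constructed copy of the streamfwd.log line quoted in the thread.
SAMPLE_LOG = ("stream.SnifferReactor - SSL decryption error (cipher suite not decryptable) "
              "(ssl) [c=18.104.22.168:4158, s=172.29.2.115:443]")

# Constructed example of a server cipher list, e.g. as Apache might offer it.
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA",
                  "AES128-GCM-SHA256", "AES256-SHA", "ECDH-RSA-AES128-SHA"]

LOG_RE = re.compile(r"SSL decryption error \((?P<reason>[^)]*)\).*"
                    r"\[c=(?P<client>[^,\]]+), s=(?P<server>[^\]]+)\]")

def parse_stream_error(line):
    """Return (reason, client, server) from a streamfwd SSL decryption error line, else None."""
    m = LOG_RE.search(line)
    return (m["reason"], m["client"], m["server"]) if m else None

# Leading key-exchange tokens (OpenSSL names) that never use the server's static RSA key:
# ephemeral (forward-secret) or anonymous DH/ECDH.
EPHEMERAL = {"ECDHE", "DHE", "EDH", "ADH", "AECDH"}
# Static key exchanges that are not RSA either: not ephemeral, but not decryptable with an RSA key.
OTHER_STATIC = {"ECDH", "DH", "PSK", "SRP"}

def classify(name):
    """'static-rsa' (decryptable with the server RSA key), 'ephemeral', or 'other'.
    Accepts OpenSSL names (AES128-SHA) and IANA names (TLS_RSA_WITH_AES_128_CBC_SHA)."""
    if name.startswith("TLS_"):
        if "_WITH_" not in name:           # TLS 1.3 names have no key-exchange part: always ephemeral
            return "ephemeral"
        kx = name[4:].split("_WITH_")[0]   # e.g. "RSA", "ECDHE_RSA", "DH_anon"
        if kx == "RSA":
            return "static-rsa"
        if kx.split("_")[0] in EPHEMERAL or "anon" in kx:
            return "ephemeral"
        return "other"
    first = name.split("-")[0]
    if first in EPHEMERAL:
        return "ephemeral"
    if first in OTHER_STATIC:
        return "other"
    return "static-rsa"                    # e.g. AES128-GCM-SHA256, DES-CBC3-SHA: kRSA

def not_decryptable(cipher_list):
    """Suites in a server's list that would trigger 'cipher suite not decryptable' if negotiated."""
    return [c for c in cipher_list if classify(c) != "static-rsa"]

if __name__ == "__main__":
    print(parse_stream_error(SAMPLE_LOG))
    print("would not decrypt:", not_decryptable(SAMPLE_CIPHERS))
```

Feeding it the output of `openssl ciphers -v '<your SSLCipherSuite string>'` (first column) shows which suites the Stream forwarder could still fail on before you touch the server config.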
OK, so you should be able to apply the config instructions from my previous response.
Also, you probably want to make sure your web ops/info sec/network security people are cool with this change since different companies have different policies for SSL/TLS settings (for example, allow only strong encryption, etc.)