If I do not specify a cipherSuite entry explicitly what is used?
For example, is it equivalent to 'SSLv3:!aNULL:!eNULL'?
Hi,
just an update to make sure current options are set: v7.3+
https://docs.splunk.com/Documentation/Splunk/latest/Security/Ciphersuites
HTH,
Holger
Hi ashrafmr,
I did some testing with supportSSLV3Only = true, and you need to have at least one cipherSuite set in web.conf. If you remove it, splunkweb will not start, returning this error:
2014-04-10 10:16:39,534 ERROR [5346535fe020bd8d0] root:555 - 'cipherSuite'
Traceback (most recent call last):
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py", line 550, in <module>
    run(blocking=True)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py", line 250, in run
    ssl_ciphers = str(global_cfg['cipherSuite'])
KeyError: 'cipherSuite'
In your default web.conf there is a cipherSuite entry like this:
# For the HTTP server, Diable ciphers lower than 128-bit and disallow ciphers that
# don't provide authentication and/or encryption.
# Use 'openssl ciphers -v' to generate a list of supported ciphers
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
You can check for any overlapping .conf settings (I did not have any) with btool like this:
/opt/splunk/bin/splunk cmd btool --debug web list | grep cipher
If you now open up Splunk in your browser, you will see something like this:
Connection Encrypted: High-grade Encryption (TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys)
The message may differ based on your browser (I used Firefox). Based on that, the default cipher would be:
AES_128_CBC
On the other hand, Chrome will display something like this:
TLS 1.0 AES_256_CBC SHA1 RSA
Since I did not set any specific cipher in web.conf, it just disables the weak ciphers.
hope this helps ...
cheers, MuS
Small update: these are the first default ciphers used:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA
The list is much longer and can be seen with:
$SPLUNK_HOME/bin/splunk cmd openssl ciphers
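To compare what the string from the question and the default web.conf string quoted above actually expand to, here is an added example (not part of the original posts and not Splunk code). It uses Python's ssl module, so it reflects the OpenSSL build Python is linked against rather than the one bundled with Splunk; the function names are made up for illustration.

```python
import ssl

# Default string quoted from web.conf on this page, and the string from the question.
SPLUNK_DEFAULT = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
QUESTION = "SSLv3:!aNULL:!eNULL"


def expand(cipher_string):
    """Return the suites this OpenSSL build selects for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects nothing on this build
    # TLS 1.3 suites are configured separately and are always listed; drop them
    # so the result shows only what the cipher string itself selected.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def below_128(ciphers):
    """Suites weaker than the 128-bit floor the web.conf comment asks for."""
    return sorted(c["name"] for c in ciphers if c["strength_bits"] < 128)


def unauthenticated_or_null(ciphers):
    """Suites with no encryption (eNULL) or no authentication (aNULL)."""
    return sorted(c["name"] for c in ciphers
                  if c["strength_bits"] == 0 or c.get("auth") == "auth-null")


def compare(a, b):
    """Return (suites only selected by a, suites only selected by b)."""
    names_a = {c["name"] for c in expand(a)}
    names_b = {c["name"] for c in expand(b)}
    return sorted(names_a - names_b), sorted(names_b - names_a)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, s in (("default", SPLUNK_DEFAULT), ("question", QUESTION)):
        suites = expand(s)
        print(f"{label}: {len(suites)} suites, below 128 bit: {below_128(suites)}, "
              f"null/anon: {unauthenticated_or_null(suites)}")
    only_default, only_question = compare(SPLUNK_DEFAULT, QUESTION)
    print("only in default: ", only_default)
    print("only in question:", only_question)
```

For the suites Splunk itself would select, pass the same string to the bundled binary mentioned above: `$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v '<string>'`.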