Archive
Highlighted

What are the default ciphers used for supportSSLV3Only=true

Engager

If I do not specify a cipherSuite entry explicitly what is used?

For example, is it equivalent to 'SSLv3:!aNULL:!eNULL'?

0 Karma
Highlighted

Re: What are the default ciphers used for supportSSLV3Only=true

SplunkTrust
SplunkTrust

Hi ashrafmr,

I did some testing with supportSSLV3Only = true and you need to have at least one cipherSuite set in web.conf. If you remove it splunkweb will not start returning this error:

2014-04-10 10:16:39,534 ERROR   [5346535fe020bd8d0] root:555 - 'cipherSuite'
Traceback (most recent call last):
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py", line 550, in <module>
    run(blocking=True)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py", line 250, in run
    ssl_ciphers = str(global_cfg['cipherSuite'])
KeyError: 'cipherSuite'

In your default web.conf there is a cipherSuite entry like this:

# For the HTTP server, Diable ciphers lower than 128-bit and disallow ciphers that
# don't provide authentication and/or encryption.
# Use 'openssl ciphers -v' to generate a list of supported ciphers
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

You can check for any overlapping .conf settings (I did not have any) with btool like this:

/opt/splunk/bin/splunk cmd btool --debug web list | grep cipher

If you now open up Splunk in your browser, you will see something like this:

Connection Encrypted: High-grade Encryption (TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys)

The message may differ based on your browser (I used Firefox). Based on that the default cipher would be:

AES_128_CBC

On the other hand chrome will display something like this:

TLS 1.0 AES_256_CBC SHA1 RSA

since I did not set any specific cipher in web.conf, it just disables the weak ciphers.

hope this helps ...

cheers, MuS

Highlighted

Re: What are the default ciphers used for supportSSLV3Only=true

SplunkTrust
SplunkTrust

small update, these are the firsts default ciphers used:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA

the list is much longer and can be see with:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers
0 Karma
Highlighted

Re: What are the default ciphers used for supportSSLV3Only=true

Splunk Employee
Splunk Employee

Hi,

just an update to make sure current options are set: v7.3+

https://docs.splunk.com/Documentation/Splunk/latest/Security/Ciphersuites

HTH,

Holger

0 Karma