We've recently locked down everything to use TLS 1.2 and I think I've fixed just about everything; however, my deployment server is full of SSL3 handshake errors with the forwarders.
How do I set up the forwarders to use TLS1.2 with my deployment server? I'm confused about which file to modify: server.conf? web.conf? Everything looks fine server side - it's just on the forwarder I need to update.
Here is my server.conf file on my deployment server:
sslKeysfile = key.pem
sslKeysfilePassword = xxxxx
sslPassword = xxxxxx
cipherSuite = TLSv1.2:!eNULL:!aNULL
sslVersions = tls1.2,-ssl2, -ssl3
sslVersionsForClient = tls1.2,-ssl2, -ssl3
allowSslCompression = false
Despite having a web.conf in the splunkUniversalForwarder app, that is for port 8000, so for a UF you won't need to worry there.
Did you set sslVersionsForClient on the forwarders themselves? Or only on the DS?
Your DS will be accepting incoming connections from your forwarders. It will enforce the SSL version using the sslVersions config.
The forwarder is making outbound calls on 8089 and should be using sslVersionsForClient.
sslVersions = <versions_list>
* Comma-separated list of SSL versions to support for incoming connections.
* The versions available are "ssl3", "tls1.0", "tls1.1", and "tls1.2".
* The special version "*" selects all supported versions. The version "tls" selects all versions tls1.0 or newer.
* If a version is prefixed with "-" it is removed from the list.
* SSLv2 is always disabled; "-ssl2" is accepted in the version list but does nothing.
* When configured in FIPS mode, ssl3 is always disabled regardless of this configuration.
* Defaults to "*,-ssl2" (anything newer than SSLv2).

sslVersionsForClient = <versions_list>
* Comma-separated list of SSL versions to support for outgoing HTTP connections from splunkd. This includes distributed search, deployment client, etc.
* This is usually less critical, since SSL/TLS will always pick the highest version both sides support. However, this can be used to prohibit making connections to remote servers that only support older protocols.
* The syntax is the same as the sslVersions setting above.
* Note that for forwarder connections, there is a separate "sslVersions" setting in outputs.conf. For connections to SAML servers, there is a separate "sslVersions" setting in authentication.conf.
* Defaults to "*,-ssl2" (anything newer than SSLv2).

supportSSLV3Only = <bool>
* DEPRECATED. SSLv2 is now always disabled. The exact set of SSL versions allowed is now configurable via the "sslVersions" setting above.
Maybe push an app for your SSL and cert related stuff to your fwds?
Oh, and be advised, sslVersions came in 6.2, while sslVersionsForClient came in 6.4
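The spec excerpt above describes a small list syntax ("*", "tls", "-" prefixes, the no-op "-ssl2", the FIPS rule) and the negotiation rule that the handshake settles on the highest version both sides allow. The following is an added example, not code from this thread or from Splunk: it implements those rules so you can check what a deployment server's sslVersions and a forwarder's sslVersionsForClient will actually agree on before pushing a change. It models the version lists only; whether a real handshake succeeds also depends on cipherSuite and on the OpenSSL build shipped with the forwarder's Splunk version, which this does not cover. The sample lists in the main block are constructed for illustration.

```python
"""Resolve Splunk-style sslVersions / sslVersionsForClient lists and predict
the outcome of a forwarder -> deployment server handshake.

Added example for this thread; not Splunk code. Implements the rules quoted
from server.conf.spec: "*" = all, "tls" = tls1.0 and newer, "-x" removes x,
ssl2 is never enabled, and FIPS mode drops ssl3 regardless of the list.
"""
from typing import FrozenSet, Optional

# Lowest to highest. Negotiation picks the highest version both sides support.
SUPPORTED = ("ssl3", "tls1.0", "tls1.1", "tls1.2")
RANK = {name: i for i, name in enumerate(SUPPORTED)}

# Default for both settings according to the spec text quoted above.
DEFAULT_SPEC = "*,-ssl2"


def resolve_versions(spec: str, fips: bool = False) -> FrozenSet[str]:
    """Expand a versions_list such as 'tls1.2,-ssl2, -ssl3' into the set of
    versions that end up enabled. Tokens are applied left to right, so
    '*,-ssl3' and '-ssl3,*' do not mean the same thing."""
    enabled = set()
    for raw in spec.split(","):
        token = raw.strip().lower()
        if not token:
            continue  # tolerate a trailing or doubled comma
        remove = token.startswith("-")
        name = token[1:] if remove else token
        if name == "*":
            members = set(SUPPORTED)
        elif name == "tls":
            members = {v for v in SUPPORTED if v.startswith("tls")}
        elif name == "ssl2":
            members = set()  # always disabled; "-ssl2" is accepted but a no-op
        elif name in RANK:
            members = {name}
        else:
            raise ValueError(f"unknown SSL version token {raw.strip()!r}")
        if remove:
            enabled -= members
        else:
            enabled |= members
    if fips:
        enabled.discard("ssl3")
    return frozenset(enabled)


def negotiate(server_spec: str, client_spec: str, fips: bool = False) -> Optional[str]:
    """Return the version a handshake settles on given the server's
    sslVersions and the client's sslVersionsForClient, or None when the two
    lists share nothing (the handshake fails before any cipher is chosen)."""
    common = resolve_versions(server_spec, fips) & resolve_versions(client_spec, fips)
    if not common:
        return None
    return max(common, key=RANK.__getitem__)


def describe(label: str, server_spec: str, client_spec: str) -> str:
    """One-line verdict for a deployment server / forwarder pairing."""
    chosen = negotiate(server_spec, client_spec)
    if chosen is None:
        return f"{label}: NO common version (server={server_spec!r}, client={client_spec!r})"
    return f"{label}: negotiates {chosen}"


if __name__ == "__main__":
    # Deployment server locked to TLS 1.2 as in the question.
    ds = "tls1.2,-ssl2, -ssl3"
    # Constructed forwarder cases: untouched default, the same pinned list,
    # and a list narrowed too far (the failure mode the model catches).
    print(describe("forwarder at default", ds, DEFAULT_SPEC))
    print(describe("forwarder set to tls1.2", ds, ds))
    print(describe("forwarder pinned to tls1.0/tls1.1", ds, "tls1.0,tls1.1"))
    print("FIPS host, '*' list ->", sorted(resolve_versions("*", fips=True)))
```

These settings live in the [sslConfig] stanza of server.conf. To compare the model against a live system, `splunk btool server list sslConfig --debug` on a forwarder shows the effective values and which file they came from, and `openssl s_client -connect <ds-host>:8089 -tls1_1` against the deployment server should be refused while `-tls1_2` completes. Note also that OpenSSL names much of its record-layer code `ssl3_*`, so an error string that mentions SSL3 does not by itself prove an SSLv3 handshake was attempted.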
I don't believe I've set sslVersionsForClient anywhere on the forwarders. I have barely touched them in years but made many upgrades/changes on my servers (in this case it's 100% set on my DS).
It does seem like I need to set sslVersionsForClient on the forwarders, but where? server.conf? That's the hard part, as there are so many conf files. Also, my error logs are clean on the client side, so it's difficult narrowing it down.
Added these lines to server.conf on my forwarders and that fixed the communication, I think pushing the app would do the same job at scale. Works!
cipherSuite = TLSv1.2:!eNULL:!aNULL
sslVersions = tls1.2,-ssl2, -ssl3
sslVersionsForClient = tls1.2,-ssl2, -ssl3
allowSslCompression = false