Getting Data In

How can you encrypt Indexers to use a specific SSL protocol over ports (e.g. 9997, 9998)?

Splunk Employee

This post is to help others who may have difficulties encrypting their indexers (data) to only respond to the highest SSL protocols via specific ports.

A customer I was working with wanted to configure her Indexers to only accept handshakes (SSL communication) from TLS 1.2 in light of the POODLE incident.

Basically we were trying to make sure that their forwarders would only transmit data via TLS 1.2.


Splunk Employee

Splunk encryption works in two ways. There is the server encryption that is done through the management port (default 8089), and the port-specific or data-inputs encryption that is more specific to the ports (default 9997) being utilized to transmit data. From my understanding of the server-specific settings, they relate more so to Master-Slave relations (i.e. configurations & apps). The port-specific encryption covers transmitting any sort of data from one server to another (it doesn't have to be a Splunk component).

1) Ensure both servers have the same capabilities in terms of communicating via higher ciphers.

To see which ciphers are available to you:
$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v

$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "TLSv1.2"

$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "HIGH"

Cipher suites are available to you based on your version of OpenSSL. To see which version of OpenSSL you are running:
$SPLUNK_HOME/bin/splunk cmd openssl version

2) Since we were troubleshooting a communication issue from Forwarders to Indexers, this case was more in relation to data transmission, specifically for port 9997. So we did this:

On the indexer, in inputs.conf:

[SSL]
sslVersions = tls1.2
rootCA =
serverCert =
password =

That's it!!! The above stanza basically says, "only accept inputs of any data (or connections) from servers using TLS 1.2 encryption". The other thing that I want to add is that Splunk works on a server-determined relationship, so basically whatever server is acting as the "server" (accepting the connection), as opposed to the client (seeking the connection), will determine the cipher being used during the connection.

To test that this is working, use: openssl s_client -connect <ipaddress or URI>:<port> -<protocol version>

So, for example: openssl s_client -connect splunker.jts.splunk.com:9997 -tls1_2

By default SSLv2 is already disabled in Splunk, so you would need to test using SSLv3, TLS 1.0 or TLS 1.1, e.g.:
openssl s_client -connect splunker.jts.splunk.com:9997 -ssl3
openssl s_client -connect splunker.jts.splunk.com:9997 -tls1
openssl s_client -connect splunker.jts.splunk.com:9997 -tls1_1

I haven't tested using one cipher on one port and another on a different port yet. Once I do, I will be sure to add it here. The basic use case for this is if you have a client that does not have a certain cipher capability but still needs to communicate with Splunk. Ideally it would be best if the client upgraded to the higher cipher, but ehhh...

I hope this helps someone!
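The manual s_client checks above can be run as one pass that fails loudly if anything older than TLS 1.2 still completes a handshake. This is an added example, not from the original post; the host name is a placeholder and it calls the system openssl (swap in "$SPLUNK_HOME/bin/splunk cmd openssl" to test with Splunk's own build).

```shell
#!/bin/sh
# Added example: probe a Splunk receiving port (e.g. 9997) with each protocol
# version and confirm that only TLS 1.2 is accepted after sslVersions = tls1.2.

# probe_version HOST PORT FLAG -> prints "accepted" or "rejected".
# s_client exits non-zero when the handshake fails, and also when the local
# OpenSSL build lacks the protocol entirely (e.g. -ssl3 on a build without
# SSLv3); both cases mean that version cannot be negotiated, so both are
# reported as "rejected". stdin is closed via echo so s_client does not wait.
probe_version() {
    host=$1; port=$2; flag=$3
    if echo | openssl s_client -connect "$host:$port" "$flag" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# check_tls12_only HOST PORT -> prints one result line per version and a
# VIOLATION line for each deviation; returns 0 only when TLS 1.2 is accepted
# and SSLv3, TLS 1.0 and TLS 1.1 are all refused by the indexer.
check_tls12_only() {
    host=$1; port=$2; rc=0
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(probe_version "$host" "$port" "$flag")
        printf '%-8s %s\n' "$flag" "$result"
        if [ "$flag" = -tls1_2 ]; then
            [ "$result" = accepted ] || { echo "VIOLATION: TLS 1.2 refused"; rc=1; }
        else
            [ "$result" = rejected ] || { echo "VIOLATION: $flag still accepted"; rc=1; }
        fi
    done
    return $rc
}

# Usage (placeholder host; replace with your indexer):
# check_tls12_only indexer.example.com 9997 && echo "policy OK"
```

A non-zero exit from check_tls12_only means the indexer either refused TLS 1.2 (check rootCA/serverCert/password in the [SSL] stanza) or still negotiated an older version (check that sslVersions took effect and the indexer was restarted).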

