Hello,
I want to disable weak ciphers for Splunk forwarder ports on my 6.3.3 indexer.
The following snippet does not work in my inputs.conf. The default ciphers are still enabled:
[splunktcp-ssl:9997]
connection_host = ip
[SSL]
cipherSuite = ALL:!ADH:!aNULL:!eNULL:!EXP:!LOW:+MEDIUM:+HIGH:!SEED:!3DES:!MD5:!RC4:!SRP
#cipherSuite = CAMELLIA256-SHA
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslVersions = *,-ssl2,-ssl3,-tls1.0,-tls1.1
Even changing cipherSuite to CAMELLIA256-SHA does nothing:
$ ~/bin/splunk cmd openssl s_client -connect localhost:9997 | grep Cipher
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Cipher : AES256-GCM-SHA384
It is working for the web and management ports (web.conf + server.conf).
According to this question it should work like I did it:
https://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files.html
Support has informed me that this is a known issue, and should be fixed in 6.3.4.
Dev found the wrong code and fixed it; the code is being reviewed right now and the fix is included in maintenance releases (fixed in 6.3.4)
I am facing the same problem in 6.3.3
Has anybody opened a ticket on this issue? I'm about to, because I'm seeing the same thing. Splunk 6.3.3, and same settings as above. I run the TestSSLServer on port 9997, and I still see:
Supported versions:
TLSv1.2
Deflate compression: YES
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.2
RSA_WITH_RC4_128_MD5
RSA_WITH_RC4_128_SHA
RSA_WITH_DES_CBC_SHA
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
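An added example, not part of the thread: a small Python audit that reads scanner output like the TestSSLServer listing above and reports every offered suite or protocol version that the question's `cipherSuite` and `sslVersions` settings were meant to remove, which is a repeatable way to confirm the fix after upgrading. The token-to-name-fragment mapping and the `audit` function are this example's own assumptions, and the sample is an abridged copy of the posted output.

```python
import re

# Constructed sample: an abridged copy of the TestSSLServer output quoted above.
SAMPLE = """\
Supported versions:
TLSv1.2
Deflate compression: YES
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.2
RSA_WITH_RC4_128_MD5
RSA_WITH_DES_CBC_SHA
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
"""

# Exclusions from the cipherSuite string in the question, mapped to the
# name fragments they correspond to in the scanner's suite names.
# The mapping is this example's assumption (!LOW covers single DES).
EXCLUDED = {"!RC4": "_RC4_", "!3DES": "_3DES_", "!MD5": "_MD5",
            "!SEED": "_SEED_", "!LOW": "_DES_"}
# Protocols removed by sslVersions = *,-ssl2,-ssl3,-tls1.0,-tls1.1
BANNED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

SUITE_RE = re.compile(r"^(?:TLS_)?[A-Z0-9]+_WITH_[A-Z0-9_]+$")
VERSION_RE = re.compile(r"\b(?:SSLv[23]|TLSv1\.[0-3])\b")


def audit(report: str) -> dict:
    """Return offered versions and suites that the configured policy forbids."""
    bad_versions, bad_suites = set(), {}
    for line in report.splitlines():
        line = line.strip()
        # Versions may sit on their own line or share the "Supported versions:" line.
        bad_versions.update(v for v in VERSION_RE.findall(line) if v in BANNED_VERSIONS)
        if SUITE_RE.match(line):
            hits = [tok for tok, frag in EXCLUDED.items() if frag in line]
            if hits:
                bad_suites[line] = hits
    return {"versions": sorted(bad_versions), "suites": bad_suites}


if __name__ == "__main__":
    result = audit(SAMPLE)
    for suite, tokens in result["suites"].items():
        print(f"{suite}: offered despite {', '.join(tokens)}")
    print("banned protocol versions offered:", result["versions"] or "none")
```

An empty `suites` result on port 9997 indicates the `[SSL]` stanza in inputs.conf is being honoured.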