Getting Data In

Why is splunktcp-ssl + ciphersuite not working to disable weak ciphers for Splunk forwarder ports on my Splunk 6.3.3 indexer?

Unister
Explorer

Hello,

I want to disable weak ciphers for Splunk forwarder ports on my 6.3.3 indexer.
The following snippet does not work in my inputs.conf. The default ciphers are still enabled:

[splunktcp-ssl:9997]
connection_host = ip

[SSL]
cipherSuite = ALL:!ADH:!aNULL:!eNULL:!EXP:!LOW:+MEDIUM:+HIGH:!SEED:!3DES:!MD5:!RC4:!SRP
#cipherSuite = CAMELLIA256-SHA
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslVersions = *,-ssl2,-ssl3,-tls1.0,-tls1.1

Even changing cipherSuite to CAMELLIA256-SHA does nothing:

$ ~/bin/splunk cmd openssl s_client -connect localhost:9997 | grep Cipher
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
    Cipher    : AES256-GCM-SHA384

It is working for the web and management ports (web.conf + server.conf).

According to this question it should work like I did it:
https://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files.html

0 Karma
1 Solution

dbray_sd
Path Finder

Support has informed me that this is a known issue, and should be fixed in 6.3.4.

Dev found the wrong code and fix it;
the code is being reviewed right now
and the fix is included in maintenance
releases (fixed in 6.3.4)

View solution in original post

dbray_sd
Path Finder

Support has informed me that this is a known issue, and should be fixed in 6.3.4.

Dev found the wrong code and fix it;
the code is being reviewed right now
and the fix is included in maintenance
releases (fixed in 6.3.4)

pete42
New Member

I am facing the same problem in 6.3.3

0 Karma

dbray_sd
Path Finder

Has anybody opened a ticket on this issue? I'm about to, because I'm seeing the same thing. Splunk 6.3.3, and same settings as above. I run the TestSSLServer on port 9997, and I still see:

Supported versions:
TLSv1.2
Deflate compression: YES
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.2
RSA_WITH_RC4_128_MD5
RSA_WITH_RC4_128_SHA
RSA_WITH_DES_CBC_SHA
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...