Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is splunktcp-ssl + ciphersuite not working to ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I want to disable weak ciphers for Splunk forwarder ports on my 6.3.3 indexer.
The following snippet does not work in my inputs.conf. The default ciphers are still enabled:
[splunktcp-ssl:9997]
connection_host = ip
[SSL]
cipherSuite = ALL:!ADH:!aNULL:!eNULL:!EXP:!LOW:+MEDIUM:+HIGH:!SEED:!3DES:!MD5:!RC4:!SRP
#cipherSuite = CAMELLIA256-SHA
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslVersions = *,-ssl2,-ssl3,-tls1.0,-tls1.1
Even changing cipherSuite to CAMELLIA256-SHA does nothing:
$ ~/bin/splunk cmd openssl s_client -connect localhost:9997 | grep Cipher
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Cipher : AES256-GCM-SHA384
It is working for the web and management ports (web.conf + server.conf).
According to this question it should work like I did it:
https://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Support has informed me that this is a known issue, and should be fixed in 6.3.4.
Dev found the wrong code and fix it;
the code is being reviewed right now
and the fix is included in maintenance
releases (fixed in 6.3.4)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Support has informed me that this is a known issue, and should be fixed in 6.3.4.
Dev found the wrong code and fix it;
the code is being reviewed right now
and the fix is included in maintenance
releases (fixed in 6.3.4)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am facing the same problem in 6.3.3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has anybody opened a ticket on this issue? I'm about to, because I'm seeing the same thing. Splunk 6.3.3, and same settings as above. I run the TestSSLServer on port 9997, and I still see:
Supported versions:
TLSv1.2
Deflate compression: YES
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.2
RSA_WITH_RC4_128_MD5
RSA_WITH_RC4_128_SHA
RSA_WITH_DES_CBC_SHA
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
