
Are you ready for TLS 1.3 adoption?

hrawat
Splunk Employee

If you have enabled Splunk S2S compression, you can skip reading further.

compressed = true


TLS 1.3 removed compression, and as a result it will have a huge impact on your deployment if you are still using the following for compression in the tcpout stanza of outputs.conf.

useClientSSLCompression=true

If you adopt TLS 1.3 on the indexing/IF tier, it's possible you still have legacy/unsupported forwarder versions (6.0 and above). Those forwarders will suddenly flood the network with traffic due to TLS 1.3 on the indexing/IF tier.

I would strongly suggest you don't wait: add compressed = true in outputs.conf ASAP, even if there are no plans for TLS 1.3 adoption.

You will have the following configs:

compressed = true
useClientSSLCompression = true


As long as the target supports SSL compression, your legacy forwarder will use useClientSSLCompression. However, the moment the target indexer/IF adopts TLS 1.3, the legacy forwarder will fall back to compressed. By doing this, indexer/IF tier adoption of TLS 1.3 will not result in flooding networks with sudden uncompressed traffic.


Note: Currently Splunk does not support TLS 1.3. However, it's coming soon.


gjanders
SplunkTrust

To clarify my understanding, I believe the recommendation is to set in outputs.conf:

compressed = true
useClientSSLCompression = true

Since compressed=true will do no harm on legacy forwarders (I've checked the docs back to 7.0 and this parameter appears to be quite old), and useClientSSLCompression will still work as expected *until* the indexing or intermediate forwarding tier moves to TLS 1.3 in a future Splunk version, at which point compressed=true will be used automatically by the forwarders (including legacy versions).

I believe there will be no issues with having both set to true on legacy forwarders with the current Splunk releases that still support TLS 1.2.

Is that correct?

hrawat
Splunk Employee

That's right.

Also, you don't have to explicitly set useClientSSLCompression = true, as it's true by default.

Ideally, you want to set useClientSSLCompression = false due to https://access.redhat.com/security/cve/cve-2012-4929


terminaloutcome
Path Finder

TLS compression has provided significant benefits for clients in their link loads, so it's important that compression levels are maintained. Can you please explain this line from the "compressed" stanza of outputs.conf? (Mainly the bold part.)

  A value of "true" means the receiver communicates with the forwarder in
  compressed format for TLS/SSL forwarding if either
  'useClientSSLCompression' has a value of "false" or the TLS/SSL
  connection does not use 'zlib' compression.

I can't find any reference to zlib compression settings, so if/when TLS 1.3 comes along it'd be good to be able to understand the implications.


Thanks!


hrawat
Splunk Employee

The OEM S2S receiver (splunkd) uses the default OpenSSL compression method, zlib. TLS compression can be enabled or disabled, but the compression method is not configurable.

https://docs.openssl.org/3.3/man3/COMP_CTX_new/#description

S2S compression also uses zlib. If you have both settings set to true, then we want to avoid double zlib compression.

compressed = true
useClientSSLCompression = true

If you turn off TLS compression on the OEM receiver (splunkd), a forwarder with SSL enabled for S2S communication can be configured with compressed=true to compress S2S traffic.

Since both settings use zlib, expect the compression ratio to be nearly the same.

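As an added example (not from this thread or from Splunk), a small audit that applies the advice from the first post and the zlib discussion above to a forwarder's outputs.conf: it flags tcpout groups that lack compressed = true (they would send uncompressed S2S traffic once the receiver moves to TLS 1.3) and groups that still run TLS-level compression. The sample config, its hostnames and the assumed default of compressed = false are constructed for the example.

```python
"""Audit outputs.conf tcpout groups for the TLS 1.3 compression fallback."""
import configparser
from typing import Dict, List

# Defaults as described in the thread: useClientSSLCompression is true unless set.
# Treating compressed as false unless set is an assumption; check the spec for your version.
DEFAULTS = {"compressed": "false", "useClientSSLCompression": "true"}

# Constructed sample outputs.conf; hostnames are placeholders.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = idx_legacy

[tcpout:idx_legacy]
server = idx1.example.internal:9997

[tcpout:idx_hardened]
server = idx2.example.internal:9997
compressed = true
useClientSSLCompression = false
"""

def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "t", "y", "yes")

def _effective(cp: configparser.ConfigParser, group: str, key: str) -> str:
    # Group stanzas inherit any setting from the global [tcpout] stanza.
    for section in (group, "tcpout"):
        if cp.has_option(section, key):
            return cp.get(section, key)
    return DEFAULTS[key]

def audit_outputs_conf(text: str) -> Dict[str, List[str]]:
    """Return finding codes per [tcpout:<group>] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep Splunk's camelCase keys intact
    cp.read_string(text)
    findings: Dict[str, List[str]] = {}
    for group in (s for s in cp.sections() if s.startswith("tcpout:")):
        issues: List[str] = []
        if not _is_true(_effective(cp, group, "compressed")):
            # Without compressed=true the forwarder sends plain S2S once the
            # receiver negotiates TLS 1.3 and TLS compression is gone.
            issues.append("MISSING_COMPRESSED")
        if _is_true(_effective(cp, group, "useClientSSLCompression")):
            # TLS-level zlib compression is the thread's "ideally false"
            # setting (CVE-2012-4929); it is reported as a finding.
            issues.append("TLS_COMPRESSION_ON")
        findings[group] = issues
    return findings
```

Run it against a real outputs.conf by reading the file into a string and passing it to audit_outputs_conf; a group with an empty list already matches the thread's recommended end state.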